Code Review Checklist

Security Checklist

  • No hardcoded credentials or secrets
  • Input validation on all user inputs
  • SQL injection prevention (parameterized queries)
  • CSRF protection on state-changing operations
  • XSS prevention with proper escaping
  • Authentication checks on protected endpoints
  • Authorization checks on resources
  • Secure password hashing (bcrypt, argon2)
  • No sensitive data in logs
  • HTTPS enforced
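
Three of the items above in runnable form, as an added example that is not part of the checklist page: a parameterized query (the `{ text, values }` shape is an assumption modelled on common database drivers, not a real library), an HTML escaper for output contexts, and a log redactor that masks credential-like keys. The helper names `buildUserQuery`, `escapeHtml` and `redactForLog` belong to this example only.

```javascript
// Added example (not from the checklist page), plain Node.js, no dependencies.

// SQL injection prevention: the statement text stays constant and the user
// value travels separately, so input is never spliced into the SQL string.
// The { text, values } shape is an assumption mirroring common drivers.
function buildUserQuery(username) {
  return {
    text: 'SELECT id, name FROM users WHERE name = $1',
    values: [username],
  };
}

// XSS prevention: escape the characters that change meaning in HTML text
// and attribute contexts before placing untrusted data into markup.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// No sensitive data in logs: mask values stored under keys that usually hold
// credentials or tokens, recursing through nested objects and arrays.
const SENSITIVE_KEY = /password|passwd|secret|token|authorization|api[-_]?key|cookie/i;
function redactForLog(value) {
  if (Array.isArray(value)) return value.map(redactForLog);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [key, val] of Object.entries(value)) {
      out[key] = SENSITIVE_KEY.test(key) ? '[REDACTED]' : redactForLog(val);
    }
    return out;
  }
  return value;
}

// Constructed sample inputs exercising each helper.
function demo() {
  const q = buildUserQuery("o'brien");
  const html = escapeHtml('<b title="x">&</b>');
  const log = redactForLog({
    user: 'alice',
    password: 'hunter2',
    headers: { Authorization: 'Bearer abc' },
  });
  return { q, html, log };
}

console.log(JSON.stringify(demo(), null, 2));
```

The redactor is key-based, so a reviewer should still check that secrets are not logged under innocuous names (for example a full request body dumped as `payload`); the escaper covers HTML text and quoted attribute values but not JavaScript or URL contexts, which need their own encoding.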

Performance Checklist

  • No N+1 queries
  • Appropriate use of indexes
  • Caching implemented where beneficial
  • No blocking operations on main thread
  • Async/await used correctly
  • Large datasets paginated
  • Database connections pooled
  • Regular expressions optimized
  • No unnecessary object creation
  • Memory leaks prevented
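
The first item on this list, N+1 queries, shown as an added example that is not part of the checklist page: the same "posts with their authors" view built once with a query per row and once with a single batched lookup, measured against an in-memory stand-in that counts the queries it receives. `FakeDb` and its three methods are assumptions for this example, not a real driver.

```javascript
// Added example (not from the checklist page): detecting an N+1 pattern by
// counting queries against an in-memory stand-in for a database.
class FakeDb {
  constructor(posts, authors) {
    this.posts = posts;
    this.authors = new Map(authors.map((a) => [a.id, a]));
    this.queryCount = 0; // every select below increments this
  }
  async selectPosts() {
    this.queryCount += 1;
    return this.posts.slice();
  }
  async selectAuthorById(id) {
    this.queryCount += 1;
    return this.authors.get(id) ?? null;
  }
  async selectAuthorsByIds(ids) {
    this.queryCount += 1; // one round trip for the whole id list
    return ids.map((id) => this.authors.get(id)).filter(Boolean);
  }
}

// N+1: one query for the list, then one more for each row.
async function postsWithAuthorsNPlusOne(db) {
  const posts = await db.selectPosts();
  const result = [];
  for (const post of posts) {
    const author = await db.selectAuthorById(post.authorId);
    result.push({ ...post, author });
  }
  return result;
}

// Batched: collect the distinct ids and fetch them all in a single query.
async function postsWithAuthorsBatched(db) {
  const posts = await db.selectPosts();
  const ids = [...new Set(posts.map((p) => p.authorId))];
  const authors = await db.selectAuthorsByIds(ids);
  const byId = new Map(authors.map((a) => [a.id, a]));
  return posts.map((post) => ({ ...post, author: byId.get(post.authorId) ?? null }));
}

// Constructed sample data: three posts by two authors.
function sampleDb() {
  const authors = [{ id: 1, name: 'ann' }, { id: 2, name: 'bo' }];
  const posts = [
    { id: 10, authorId: 1, title: 'a' },
    { id: 11, authorId: 2, title: 'b' },
    { id: 12, authorId: 1, title: 'c' },
  ];
  return new FakeDb(posts, authors);
}

// Runs both versions on fresh databases and reports the query counts.
async function compare() {
  const slowDb = sampleDb();
  const slow = await postsWithAuthorsNPlusOne(slowDb);
  const fastDb = sampleDb();
  const fast = await postsWithAuthorsBatched(fastDb);
  return {
    nPlusOneQueries: slowDb.queryCount,
    batchedQueries: fastDb.queryCount,
    slow,
    fast,
  };
}

compare().then((r) => console.log(`N+1: ${r.nPlusOneQueries} queries, batched: ${r.batchedQueries} queries`));
```

With three rows the difference is 4 queries against 2; in review, the thing to look for is the loop-with-await-per-row shape, since the count grows with the result set and only shows up under production-sized data. Counting queries in a test like this is also a cheap way to guard against the pattern creeping back.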

Quality Checklist

  • Functions < 50 lines
  • Clear variable naming
  • No duplicate code
  • Proper error handling
  • Comments explain WHY, not WHAT
  • No console.logs in production
  • Type checking (TypeScript/JSDoc)
  • SOLID principles followed
  • Design patterns applied correctly
  • Self-documenting code

Testing Checklist

  • Unit tests written
  • Edge cases covered
  • Error scenarios tested
  • Integration tests present
  • Coverage > 80%
  • No flaky tests
  • Mock external dependencies
  • Clear test names