# Code Review Checklist ## Security Checklist - [ ] No hardcoded credentials or secrets - [ ] Input validation on all user inputs - [ ] SQL injection prevention (parameterized queries) - [ ] CSRF protection on state-changing operations - [ ] XSS prevention with proper escaping - [ ] Authentication checks on protected endpoints - [ ] Authorization checks on resources - [ ] Secure password hashing (bcrypt, argon2) - [ ] No sensitive data in logs - [ ] HTTPS enforced ## Performance Checklist - [ ] No N+1 queries - [ ] Appropriate use of indexes - [ ] Caching implemented where beneficial - [ ] No blocking operations on main thread - [ ] Async/await used correctly - [ ] Large datasets paginated - [ ] Database connections pooled - [ ] Regular expressions optimized - [ ] No unnecessary object creation - [ ] Memory leaks prevented ## Quality Checklist - [ ] Functions < 50 lines - [ ] Clear variable naming - [ ] No duplicate code - [ ] Proper error handling - [ ] Comments explain WHY, not WHAT - [ ] No console.logs in production - [ ] Type checking (TypeScript/JSDoc) - [ ] SOLID principles followed - [ ] Design patterns applied correctly - [ ] Self-documenting code ## Testing Checklist - [ ] Unit tests written - [ ] Edge cases covered - [ ] Error scenarios tested - [ ] Integration tests present - [ ] Coverage > 80% - [ ] No flaky tests - [ ] Mock external dependencies - [ ] Clear test names