Pattern Catalog

The AI-Built Software Pattern Catalog — 2,527 active patterns across 116 bundles. Each pattern describes a specific failure mode in AI-built software, with citation against CWE, OWASP, WCAG, NIST, and other standards. Content licensed CC-BY-4.0.

2,527 / 2,527

Annual reminder with renewal date, price, cancel instructions
ab-002564 · subscription-compliance
info
Failed payment handling and grace period disclosed
ab-002563 · subscription-compliance
info
Price increase notification before new-rate renewal
ab-002562 · subscription-compliance
info
Renewal reminder sent before charge with time to cancel
ab-002561 · subscription-compliance
low
Free trial duration, expiry behavior, post-trial price explicit
ab-002560 · subscription-compliance
high
Material terms not buried in fine print or behind links
ab-002558 · subscription-compliance
medium
Price per billing period clearly stated
ab-002556 · subscription-compliance
low
Subscription terms displayed clearly before checkout
ab-002552 · subscription-compliance
critical
Total cost including taxes/fees disclosed before payment
ab-002557 · subscription-compliance
high
Enrollment requires affirmative, unambiguous consent
ab-002559 · subscription-compliance
critical
No negative option enrollment where inaction = charges
ab-002541 · subscription-compliance
low
Written confirmation sent after enrollment with all terms
ab-002545 · subscription-compliance
medium
Subscription consent separate from one-time purchase
ab-002542 · subscription-compliance
medium
Written cancellation confirmation sent immediately
ab-002555 · subscription-compliance
high
Cancellation in same steps (or fewer) as enrollment
ab-002543 · subscription-compliance
critical
Downgrade and pause options presented before final cancel
ab-002553 · subscription-compliance
low
If enrolled online, cancellation available online
ab-002544 · subscription-compliance
high
Pro-rated refund policy disclosed; refund for unused portion
ab-002554 · subscription-compliance
medium
Custom 404 page
ab-002548 · site-health-check
medium
Favicon is present
ab-002551 · site-health-check
info
Privacy policy or terms of service linked
ab-002547 · site-health-check
critical
No empty src or href attributes
ab-002549 · site-health-check
medium
No placeholder content
ab-002550 · site-health-check
info
Canonical URL is set
ab-002537 · site-health-check
medium
Meta description is present
ab-002528 · site-health-check
high
Open Graph tags are present
ab-002539 · site-health-check
medium
robots.txt and sitemap are accessible
ab-002535 · site-health-check
info
Title tag is present and reasonable length
ab-002530 · site-health-check
high
Content Security Policy header is present
ab-002532 · site-health-check
high
Clickjacking protection is present
ab-002529 · site-health-check
low
HSTS header is present
ab-002518 · site-health-check
high
HTTPS is enforced
ab-002521 · site-health-check
critical
X-Content-Type-Options is set
ab-002531 · site-health-check
low
Cache-Control headers are present
ab-002538 · site-health-check
medium
Response compression is enabled
ab-002536 · site-health-check
high
Images use lazy loading
ab-002540 · site-health-check
info
Limited render-blocking resources in head
ab-002525 · site-health-check
info
Response time is under 3 seconds
ab-002534 · site-health-check
critical
Heading hierarchy is correct
ab-002526 · site-health-check
medium
HTML lang attribute is set
ab-002527 · site-health-check
medium
Images have alt text
ab-002533 · site-health-check
info
Semantic HTML elements are used
ab-002546 · site-health-check
info
Viewport meta tag is present
ab-002524 · site-health-check
high
Favicon is present and properly configured
ab-002522 · seo-fundamentals
low
Open Graph image meets minimum size requirements
ab-002519 · seo-fundamentals
medium
Open Graph tags are present
ab-002523 · seo-fundamentals
high
Twitter Card meta tags are present
ab-002520 · seo-fundamentals
low
Canonical URL is set on each page
ab-002517 · seo-fundamentals
medium
Character encoding is declared
ab-002512 · seo-fundamentals
medium
Meta descriptions are between 120-160 characters
ab-002497 · seo-fundamentals
info
HTML lang attribute is set
ab-002499 · seo-fundamentals
low
Every page has a meta description
ab-002514 · seo-fundamentals
high
Title tags are between 30-60 characters
ab-002500 · seo-fundamentals
info
Every page has a unique title tag
ab-002515 · seo-fundamentals
critical
Viewport meta tag is properly configured
ab-002513 · seo-fundamentals
high
URLs are clean and human-readable
ab-002510 · seo-fundamentals
low
Production pages are not accidentally set to noindex
ab-002507 · seo-fundamentals
critical
robots.txt exists and is properly configured
ab-002508 · seo-fundamentals
high
XML sitemap exists and is valid
ab-002511 · seo-fundamentals
high
Sitemap URL is referenced in robots.txt
ab-002506 · seo-fundamentals
medium
Every page has exactly one H1 tag
ab-002496 · seo-fundamentals
critical
Heading hierarchy is logical
ab-002498 · seo-fundamentals
high
Images have meaningful alt text
ab-002494 · seo-fundamentals
high
Site has internal linking between pages
ab-002509 · seo-fundamentals
low
Page uses semantic HTML elements
ab-002495 · seo-fundamentals
medium
External backlink profile from relevant domains
ab-002478 · seo-advanced
info
Content Security Policy header present and allows essential resources
ab-002477 · seo-advanced
low
Key pages meet Core Web Vitals thresholds
ab-002482 · seo-advanced
critical
All images optimized with next-gen formats and fallbacks
ab-002501 · seo-advanced
low
All images have descriptive alt text, semantic filenames, and optimized weight
ab-002479 · seo-advanced
low
Page speed metrics meet thresholds
ab-002481 · seo-advanced
medium
Google Search Console linked and verified with healthy crawl stats
ab-002480 · seo-advanced
low
BreadcrumbList schema present on hierarchical pages
ab-002484 · seo-advanced
high
FAQ pages include FAQPage schema with questions and answers
ab-002486 · seo-advanced
medium
Home page, product/service pages, and blog posts include valid JSON-LD structured data
ab-002487 · seo-advanced
critical
LocalBusiness schema on local business pages with address and hours
ab-002475 · seo-advanced
low
Organization schema on home page with contact and social profiles
ab-002483 · seo-advanced
low
Review and rating pages include Review or AggregateRating schema
ab-002488 · seo-advanced
medium
All JSON-LD Schema.org types match page content with critical properties present
ab-002485 · seo-advanced
high
VideoObject schema on pages with embedded videos
ab-002474 · seo-advanced
low
Blog posts and articles have datePublished and dateModified in schema
ab-002505 · seo-advanced
low
All indexable pages have at least 300 words of original substantive content
ab-002504 · seo-advanced
low
Internal linking hub-and-cluster structure with bidirectional links
ab-002502 · seo-advanced
high
No two indexable pages target the same primary keyword
ab-002503 · seo-advanced
low
Orphan pages addressed; all indexable pages reachable within 3 clicks from home
ab-002516 · seo-advanced
low
Crawl budget managed; no infinite scroll or session IDs in URLs
ab-002473 · seo-advanced
high
International SEO hreflang tags implemented correctly
ab-002491 · seo-advanced
info
Critical content accessible to Googlebot; no cloaking between bot and users
ab-002476 · seo-advanced
critical
No unintended noindex tags or X-Robots-Tag headers on indexable pages
ab-002492 · seo-advanced
medium
Paginated content uses rel=next/prev or canonicalizes to page 1
ab-002471 · seo-advanced
high
No redirect chains longer than one hop
ab-002472 · seo-advanced
high
Structured data Rich Results previews verified
ab-002489 · seo-advanced
info
Robots.txt accessible and doesn't block Googlebot from content, CSS, or JS
ab-002490 · seo-advanced
medium
XML sitemap includes all indexable pages; noindex pages excluded
ab-002493 · seo-advanced
medium
Structured data validated; no syntax errors or missing required properties
ab-002470 · seo-advanced
high
HTML validated against common email clients
ab-002465 · sending-pipeline-infrastructure
medium
Merge fields sanitized to prevent header injection
ab-002469 · sending-pipeline-infrastructure
critical
Plain-text alternative generated for all HTML emails
ab-002448 · sending-pipeline-infrastructure
info
Templates rendered server-side
ab-002466 · sending-pipeline-infrastructure
high
Template versioning tracks breaking changes
ab-002468 · sending-pipeline-infrastructure
low
Unsubscribe link injected automatically
ab-002467 · sending-pipeline-infrastructure
high
Retries use exponential backoff
ab-002450 · sending-pipeline-infrastructure
high
Temporary failures do not block the rest of the queue
ab-002449 · sending-pipeline-infrastructure
medium
Retries are idempotent — no duplicate sends
ab-002451 · sending-pipeline-infrastructure
critical
Retry limit set with dead letter escalation
ab-002452 · sending-pipeline-infrastructure
high
Permanent failures do not retry
ab-002453 · sending-pipeline-infrastructure
medium
At-least-once delivery with deduplication guard
ab-002458 · sending-pipeline-infrastructure
high
Dead letter queue for permanently failed sends
ab-002457 · sending-pipeline-infrastructure
high
Queue jobs include campaign and recipient identifiers for traceability
ab-002459 · sending-pipeline-infrastructure
high
Message ordering preserves campaign sequence
ab-002456 · sending-pipeline-infrastructure
low
Queue backed by durable persistent storage
ab-002442 · sending-pipeline-infrastructure
critical
Message priority separates transactional from marketing
ab-002455 · sending-pipeline-infrastructure
low
ESP API credentials stored in environment variables
ab-002454 · sending-pipeline-infrastructure
critical
ESP abstracted behind a common interface
ab-002462 · sending-pipeline-infrastructure
high
ESP health check validates connectivity before processing
ab-002461 · sending-pipeline-infrastructure
low
Multi-ESP fallback routing configured
ab-002463 · sending-pipeline-infrastructure
info
ESP response codes mapped to internal status model
ab-002464 · sending-pipeline-infrastructure
medium
Delivery status via webhooks, not polling
ab-002460 · sending-pipeline-infrastructure
high
Clear-Site-Data header on logout
ab-002439 · security-headers-ii
high
HSTS includes includeSubDomains
ab-002441 · security-headers-ii
high
HSTS preload flag configured
ab-002438 · security-headers-ii
medium
No mixed content (HTTP resources on HTTPS pages)
ab-002440 · security-headers-ii
critical
No dynamic script injection with user-controlled content
ab-002428 · security-headers-ii
critical
Third-party scripts documented
ab-002427 · security-headers-ii
info
SRI elements have crossorigin attribute
ab-002430 · security-headers-ii
high
SRI uses SHA-384 or stronger
ab-002429 · security-headers-ii
medium
Third-party scripts use async or defer
ab-002431 · security-headers-ii
medium
Legacy Feature-Policy header also set
ab-002443 · security-headers-ii
low
Sensitive APIs restricted (camera, microphone, geolocation)
ab-002445 · security-headers-ii
high
Additional browser APIs restricted
ab-002446 · security-headers-ii
medium
upgrade-insecure-requests directive present
ab-002447 · security-headers-ii
medium
base-uri restricted
ab-002424 · security-headers-ii
medium
CSP reporting endpoint configured
ab-002434 · security-headers-ii
low
No unsafe-eval in any CSP directive
ab-002425 · security-headers-ii
critical
CSP uses nonce or hash-based script allowlisting
ab-002418 · security-headers-ii
critical
object-src set to none
ab-002426 · security-headers-ii
low
Restrictive default-src
ab-002423 · security-headers-ii
high
strict-dynamic in script-src
ab-002415 · security-headers-ii
high
style-src does not use unsafe-inline without nonces
ab-002433 · security-headers-ii
low
Cross-Origin-Embedder-Policy configured
ab-002437 · security-headers-ii
medium
Cross-Origin-Opener-Policy header is set
ab-002436 · security-headers-ii
medium
Cross-Origin-Resource-Policy on static assets
ab-002432 · security-headers-ii
medium
Iframes use sandbox attribute
ab-002444 · security-headers-ii
low
External links use noopener noreferrer
ab-002435 · security-headers-ii
low
HSTS header is present with reasonable max-age
ab-000002 · security-headers
high
HTTPS is enforced
ab-000001 · security-headers
critical
Cookies have appropriate SameSite attribute
ab-000004 · security-headers
medium
Session cookies have Secure and HttpOnly flags
ab-000003 · security-headers
high
Custom 404 and 500 error pages are configured
ab-000015 · security-headers
low
Server version headers are suppressed
ab-000014 · security-headers
low
Source maps are not publicly accessible in production
ab-000016 · security-headers
high
Production error responses do not expose stack traces
ab-000013 · security-headers
critical
CORS headers are explicitly configured
ab-000012 · security-headers
info
CSP does not use unsafe-inline for scripts
ab-000006 · security-headers
high
Content-Security-Policy header is present
ab-000005 · security-headers
high
Permissions-Policy header restricts sensitive APIs
ab-000010 · security-headers
low
Referrer-Policy header is set
ab-000009 · security-headers
medium
External scripts use Subresource Integrity hashes
ab-000011 · security-headers
info
X-Content-Type-Options: nosniff is set
ab-000008 · security-headers
medium
X-Frame-Options or CSP frame-ancestors is set
ab-000007 · security-headers
medium
No known critical vulnerabilities in dependencies
ab-000019 · security-headers
high
.env files are listed in .gitignore
ab-000017 · security-headers
high
Package lock file is committed
ab-000020 · security-headers
medium
No hardcoded API keys or secrets in source code
ab-000018 · security-headers
critical
security.txt file exists
ab-000021 · security-headers
info
Configuration management separates environment-specific values from code
ab-002393 · security-hardening
low
CORS configuration is restrictive
ab-002395 · security-hardening
low
Dependency vulnerability scanning enabled
ab-002394 · security-hardening
low
Deserialization attack prevention
ab-002413 · security-hardening
low
Path traversal prevention
ab-002411 · security-hardening
low
Encryption in transit using TLS 1.2 or higher
ab-002401 · security-hardening
high
Command injection prevention
ab-002404 · security-hardening
medium
Encryption at rest for sensitive data
ab-002398 · security-hardening
high
File upload validation enforced server-side
ab-002399 · security-hardening
medium
Multi-factor authentication available
ab-002403 · security-hardening
medium
OAuth state parameter validated on callback
ab-002400 · security-hardening
medium
Server-side input validation enforced
ab-002402 · security-hardening
medium
SQL injection prevention via parameterized queries or ORM
ab-002407 · security-hardening
high
SSRF prevention on outbound requests
ab-002397 · security-hardening
medium
XSS prevention through proper output escaping
ab-002405 · security-hardening
high
XML external entity (XXE) prevention
ab-002396 · security-hardening
medium
.env and secrets files listed in .gitignore
ab-002416 · security-hardening
info
Software Bill of Materials or dependency tree reviewed
ab-002421 · security-hardening
info
Secrets not exposed in error messages or logs
ab-002414 · security-hardening
info
Security logging and audit trails for auth events
ab-002419 · security-hardening
info
Threat modeling or security architecture review completed
ab-002417 · security-hardening
info
Principle of least privilege for database and service accounts
ab-002420 · security-hardening
low
Package dependencies locked to specific versions
ab-002412 · security-hardening
low
Outdated dependencies patched within 30 days for high and critical CVEs
ab-002409 · security-hardening
low
Secure defaults enforced in production
ab-002422 · security-hardening
low
Subresource Integrity hashes for third-party CDN scripts
ab-002410 · security-hardening
low
Account lockout after repeated failed login attempts
ab-002375 · security-hardening
high
Rate limiting enforced on authentication endpoints
ab-002408 · security-hardening
high
CSRF tokens on state-changing requests
ab-002376 · security-hardening
high
JWT validation covers signature, algorithm, expiry, and audience
ab-002406 · security-hardening
high
Password hashing uses bcrypt, argon2, or scrypt
ab-002386 · security-hardening
critical
Secrets stored in environment variables and never committed to code
ab-002374 · security-hardening
critical
Session timeout enforced server-side with 30-minute idle limit
ab-002377 · security-hardening
high
Session tokens are cryptographically random and at least 128 bits
ab-002373 · security-hardening
critical
Modern exports field defined
ab-002371 · sdk-package-quality
critical
Files field restricts published contents
ab-002361 · sdk-package-quality
high
License field and LICENSE file present
ab-002363 · sdk-package-quality
medium
Package name follows conventions
ab-002359 · sdk-package-quality
high
Framework dependencies listed as peerDependencies
ab-002360 · sdk-package-quality
high
TypeScript type declarations shipped
ab-002370 · sdk-package-quality
critical
API documentation covers exports
ab-002384 · sdk-package-quality
low
CHANGELOG with entries per version
ab-002379 · sdk-package-quality
high
Keywords array for discoverability
ab-002385 · sdk-package-quality
info
README with install and usage example
ab-002382 · sdk-package-quality
high
Repository metadata fields present
ab-002387 · sdk-package-quality
low
Version history shows semver compliance
ab-002383 · sdk-package-quality
high
Build script produces output
ab-002380 · sdk-package-quality
medium
No bloated dependencies
ab-002388 · sdk-package-quality
high
Dual ESM/CJS format or clear ESM-only stance
ab-002391 · sdk-package-quality
high
Minimal runtime dependencies
ab-002381 · sdk-package-quality
medium
Source maps available
ab-002378 · sdk-package-quality
low
Tree-shaking enabled
ab-002392 · sdk-package-quality
high
Async operations return Promises
ab-002356 · sdk-package-quality
medium
Clear default entry point
ab-002362 · sdk-package-quality
critical
Configuration via constructor, not global state
ab-002390 · sdk-package-quality
low
Custom error classes exported
ab-002358 · sdk-package-quality
high
Named exports used for tree-shaking
ab-002355 · sdk-package-quality
high
No side effects on import
ab-002357 · sdk-package-quality
critical
Generic types for flexibility
ab-002389 · sdk-package-quality
low
Email verification does not block initial access
ab-002349 · saas-onboarding
medium
Every signup and onboarding screen has a clear next action — no dead ends
ab-002346 · saas-onboarding
critical
Signup form collects only essential fields
ab-002353 · saas-onboarding
medium
Successful signup provides clear confirmation
ab-002347 · saas-onboarding
medium
Social or OAuth signup is available
ab-002345 · saas-onboarding
low
Onboarding UI is accessible to users with disabilities
ab-002372 · saas-onboarding
critical
Back navigation preserves form state
ab-002369 · saas-onboarding
low
Help documentation is accessible from within the onboarding flow
ab-002368 · saas-onboarding
low
Team invitation flow is clearly presented
ab-002366 · saas-onboarding
medium
Onboarding can be skipped and revisited later
ab-002367 · saas-onboarding
low
Multi-step setup shows progress to the user
ab-002365 · saas-onboarding
low
Empty states explain what goes here and how to add it
ab-002337 · saas-onboarding
high
A key action is prompted within the first session
ab-002348 · saas-onboarding
high
Sample data or a starter template is available for empty states
ab-002340 · saas-onboarding
high
Application settings have sensible defaults for new users
ab-002338 · saas-onboarding
medium
New users see a welcome screen or guided orientation on first login
ab-002344 · saas-onboarding
medium
Error states during onboarding include clear recovery guidance
ab-002336 · saas-onboarding
high
First value moment is achievable in under 5 minutes
ab-002339 · saas-onboarding
critical
Loading states are shown during async setup operations
ab-002364 · saas-onboarding
low
Onboarding flow is functional on mobile devices
ab-002335 · saas-onboarding
medium
Admin can view but not modify tenant data without an audit trail
ab-002352 · saas-multi-tenancy
low
Audit logs are tenant-scoped
ab-002342 · saas-multi-tenancy
low
Tenant creation is validated and rate-limited
ab-002351 · saas-multi-tenancy
low
Tenant data export is scoped to the requesting tenant
ab-002350 · saas-multi-tenancy
low
Tenant deletion cascades completely
ab-002341 · saas-multi-tenancy
high
URL patterns do not expose internal tenant IDs
ab-002354 · saas-multi-tenancy
low
Background jobs are scoped to a single tenant
ab-002317 · saas-multi-tenancy
medium
Cross-tenant resource access is blocked
ab-002316 · saas-multi-tenancy
high
Rate limiting is applied per tenant
ab-002328 · saas-multi-tenancy
low
Search and filter do not cross tenant boundaries
ab-002318 · saas-multi-tenancy
high
Tenant switching does not leak prior tenant data
ab-002319 · saas-multi-tenancy
high
Webhook payloads do not include other tenants' data
ab-002326 · saas-multi-tenancy
medium
Invitation flow validates tenant membership
ab-002329 · saas-multi-tenancy
high
Shared resources do not leak between tenants
ab-002327 · saas-multi-tenancy
high
Tenant settings are isolated
ab-002343 · saas-multi-tenancy
low
Cache keys include the tenant identifier
ab-002320 · saas-multi-tenancy
high
Every database query is scoped to the active tenant
ab-002332 · saas-multi-tenancy
critical
File storage is segregated by tenant
ab-002315 · saas-multi-tenancy
high
No cross-tenant data visible in API responses
ab-002334 · saas-multi-tenancy
critical
Tenant context is set from authenticated session, not client input
ab-002330 · saas-multi-tenancy
critical
API response times are tracked per route
ab-002321 · saas-logging
medium
Correlation IDs are propagated through requests
ab-002333 · saas-logging
low
Database query performance is monitored
ab-002323 · saas-logging
low
Log format is consistent across all log sources
ab-002331 · saas-logging
low
Logs are searchable and queryable
ab-002324 · saas-logging
medium
Third-party service health is monitored
ab-002325 · saas-logging
low
Disk, memory, and CPU monitoring is configured
ab-002296 · saas-logging
medium
Error rate alerting is configured
ab-002309 · saas-logging
high
Health check endpoint exists
ab-002297 · saas-logging
medium
Performance monitoring tracks response times
ab-002295 · saas-logging
medium
Uptime monitoring is configured
ab-002306 · saas-logging
critical
Sensitive operations are recorded in an audit log
ab-002294 · saas-logging
critical
Audit logs are immutable
ab-002293 · saas-logging
medium
Log retention policy is defined
ab-002322 · saas-logging
low
Error logging includes stack trace and context
ab-002308 · saas-logging
high
Log levels are used appropriately
ab-002312 · saas-logging
medium
No debug logging in production
ab-002307 · saas-logging
low
No sensitive data in logs
ab-002310 · saas-logging
critical
Request logging captures method, path, status, and duration
ab-002305 · saas-logging
high
Structured logging library is used
ab-002314 · saas-logging
high
API responses use a consistent error format
ab-002291 · saas-error-handling
high
Form validation errors are inline and specific
ab-002292 · saas-error-handling
high
Network errors show a retry option
ab-002302 · saas-error-handling
medium
404 pages are custom and helpful
ab-002290 · saas-error-handling
medium
Rate limit errors explain when to retry
ab-002300 · saas-error-handling
low
Timeout errors have appropriate messaging
ab-002299 · saas-error-handling
medium
Async error handling is consistent across the codebase
ab-002313 · saas-error-handling
low
Background job failures are logged and retried
ab-002303 · saas-error-handling
low
Error recovery does not lose user data
ab-002304 · saas-error-handling
high
Error states have a reset mechanism
ab-002311 · saas-error-handling
low
No console.error in production without boundary
ab-002298 · saas-error-handling
low
Partial page failures do not crash the entire page
ab-002301 · saas-error-handling
high
API errors are logged server-side
ab-002278 · saas-error-handling
high
Client-side errors are reported to monitoring
ab-002289 · saas-error-handling
low
Error reporting service is configured
ab-002279 · saas-error-handling
high
Errors include context without PII
ab-002281 · saas-error-handling
medium
Error boundaries have meaningful fallback UI
ab-002282 · saas-error-handling
high
500 pages do not expose internal details
ab-002280 · saas-error-handling
critical
React error boundary wraps main application
ab-002287 · saas-error-handling
critical
No unhandled promise rejections in production
ab-002285 · saas-error-handling
critical
Downgrade removes access to premium features
ab-002254 · saas-billing
high
Feature access is gated on subscription status
ab-002255 · saas-billing
high
Invoice generation and retrieval is implemented
ab-002257 · saas-billing
medium
Payment failure handling with grace period
ab-002261 · saas-billing
medium
Refund flow is implemented
ab-002260 · saas-billing
medium
Subscription status is verified server-side
ab-002253 · saas-billing
high
Trial period enforces feature limits
ab-002256 · saas-billing
high
Webhook retry handling for payment events
ab-002258 · saas-billing
medium
Cancellation flow is complete
ab-002275 · saas-billing
high
Free tier limits are enforced
ab-002277 · saas-billing
high
Pricing page matches backend enforcement
ab-002259 · saas-billing
high
Usage-based billing tracks metrics accurately
ab-002276 · saas-billing
high
No credit card data stored in application database
ab-002264 · saas-billing
critical
No way to bypass payment via API
ab-002265 · saas-billing
critical
Payment processing uses a PCI-compliant provider
ab-002263 · saas-billing
critical
Webhook signature verification is implemented
ab-002262 · saas-billing
critical
Billing audit trail exists
ab-002273 · saas-billing
low
Billing information is accessible in account settings
ab-002288 · saas-billing
info
Currency handling is consistent
ab-002284 · saas-billing
low
Customer self-service billing portal is accessible
ab-002286 · saas-billing
low
Payment operations are idempotent
ab-002274 · saas-billing
medium
Tax calculation is handled
ab-002283 · saas-billing
info
Bulk Operations Verify Per-Resource Permissions
ab-002240 · saas-authorization
medium
Every API Route Checks Permissions
ab-002249 · saas-authorization
critical
File Upload Permissions Scoped to User
ab-002241 · saas-authorization
high
No Insecure Direct Object References (IDOR)
ab-002244 · saas-authorization
critical
Resource Ownership Verified
ab-002252 · saas-authorization
critical
Shared Resources Have Access Controls
ab-002235 · saas-authorization
high
API Keys Have Scoped Permissions
ab-002237 · saas-authorization
high
API Rate Limits Differentiated by Role
ab-002271 · saas-authorization
low
Authorization Failures Return 403
ab-002239 · saas-authorization
medium
Negative Authorization Tests Present
ab-002238 · saas-authorization
low
Webhook Endpoints Validate Sender
ab-002236 · saas-authorization
medium
Admin Routes Protected with Role Check
ab-002270 · saas-authorization
critical
Database Queries Scoped to Tenant
ab-002268 · saas-authorization
high
Multi-Tenant Data Isolation Enforced
ab-002272 · saas-authorization
high
No Cross-Tenant Data Leakage in List Endpoints
ab-002266 · saas-authorization
high
No Privilege Escalation via Parameter Tampering
ab-002267 · saas-authorization
high
Sensitive Operations Require Re-authentication
ab-002269 · saas-authorization
high
Authorization Model Defined
ab-002245 · saas-authorization
high
Authorization Logic Centralized
ab-002248 · saas-authorization
low
Feature Flags Server-Verified
ab-002251 · saas-authorization
low
Role Assignment Restricted
ab-002242 · saas-authorization
low
Role Hierarchy Enforced
ab-002250 · saas-authorization
high
Authentication library is on a recent release
ab-002219 · saas-authentication
info
JWT tokens have a reasonable expiry if used
ab-002220 · saas-authentication
high
MFA option is available for users
ab-002224 · saas-authentication
info
OAuth state parameter is validated
ab-002228 · saas-authentication
high
Social auth callback URLs are whitelisted
ab-002221 · saas-authentication
info
Authentication events are logged for audit purposes
ab-002247 · saas-authentication
info
Auth state is not stored in localStorage
ab-002208 · saas-authentication
medium
Login UI provides clear user feedback
ab-002243 · saas-authentication
info
Auth tokens are not passed in URL parameters
ab-002210 · saas-authentication
high
Refresh token rotation is implemented
ab-002206 · saas-authentication
high
Remember-me uses a separate long-lived token
ab-002229 · saas-authentication
medium
Session expiry is configured with a reasonable timeout
ab-002209 · saas-authentication
high
Session fixation protection is in place
ab-002207 · saas-authentication
high
Session is invalidated on password change
ab-002205 · saas-authentication
medium
Session tokens use secure, HttpOnly, SameSite cookies
ab-002216 · saas-authentication
high
Account recovery does not leak user information
ab-002226 · saas-authentication
medium
No default or test accounts in non-test code
ab-002246 · saas-authentication
info
Email verification is required on signup
ab-002223 · saas-authentication
high
Plaintext passwords are not written to logs or errors
ab-002218 · saas-authentication
critical
Passwords are hashed with a modern algorithm
ab-002222 · saas-authentication
critical
Password reset tokens are time-limited and single-use
ab-002227 · saas-authentication
high
Password strength requirements are enforced
ab-002217 · saas-authentication
medium
Account lockout is implemented after failed attempts
ab-002230 · saas-authentication
high
Auth error messages do not reveal whether email exists
ab-002225 · saas-authentication
medium
Auth middleware protects all private routes
ab-002231 · saas-authentication
critical
Login form has CSRF protection
ab-002234 · saas-authentication
critical
Logout invalidates the server-side session
ab-002233 · saas-authentication
high
Login endpoint has rate limiting
ab-002232 · saas-authentication
critical
Bulk operations available where needed
ab-002202 · saas-api-design
low
Filtering and sorting supported where appropriate
ab-002201 · saas-api-design
low
No unnecessary data in responses (over-fetching)
ab-002200 · saas-api-design
low
Pagination on list endpoints
ab-002168 · saas-api-design
high
Request body size limits configured
ab-002199 · saas-api-design
medium
Authentication required on non-public endpoints
ab-002195 · saas-api-design
critical
CORS properly configured
ab-002194 · saas-api-design
high
File upload endpoints have size and type restrictions
ab-002197 · saas-api-design
high
GraphQL query depth and complexity limits
ab-002196 · saas-api-design
high
Idempotency keys for payment and mutation endpoints
ab-002198 · saas-api-design
high
Input validation on all endpoints
ab-002203 · saas-api-design
critical
Rate limiting implemented
ab-002204 · saas-api-design
critical
Webhook endpoints validate payloads
ab-002193 · saas-api-design
medium
API responses include appropriate cache headers
ab-002212 · saas-api-design
low
API deprecation strategy defined
ab-002215 · saas-api-design
low
API timeout handling configured
ab-002211 · saas-api-design
low
Error responses include codes and messages
ab-002214 · saas-api-design
high
OpenAPI / Swagger documentation exists
ab-002213 · saas-api-design
low
API versioning strategy defined
ab-002165 · saas-api-design
medium
Consistent API naming convention
ab-002167 · saas-api-design
high
Consistent response envelope format
ab-002166 · saas-api-design
medium
HTTP methods used correctly
ab-002169 · saas-api-design
high
API routes require authentication
ab-002577 · project-snapshot
critical
User content does not reach dangerous sinks unsanitized
ab-002616 · project-snapshot
critical
.env files are gitignored
ab-002565 · project-snapshot
critical
User input is validated server-side, not just client-side
ab-002574 · project-snapshot
high
No hardcoded API keys or secrets in source
ab-002566 · project-snapshot
critical
No service-role or secret keys exposed to the public bundle
ab-002568 · project-snapshot
critical
Dynamic-id routes enforce object-level ownership
ab-002612 · project-snapshot
critical
Protected route groups actually call a session getter
ab-002611 · project-snapshot
critical
Core security response headers are configured
ab-002615 · project-snapshot
high
Imported security middleware is actually wired in
ab-002614 · project-snapshot
high
Supabase RLS is enabled with real policies on every table
ab-002569 · project-snapshot
critical
Validation schemas are actually parsed at runtime
ab-002613 · project-snapshot
critical
Users can delete their account and PII is actually purged
ab-002617 · project-snapshot
critical
Tracking scripts gated on consent
ab-002581 · project-snapshot
high
Users can download a machine-readable export of their personal data
ab-002618 · project-snapshot
high
Footer exposes a "Do Not Sell or Share" / "Your Privacy Choices" opt-out link
ab-002619 · project-snapshot
high
Form inputs have labels
ab-002585 · project-snapshot
high
Images have alt text
ab-002584 · project-snapshot
critical
Server-side code does not log full user objects, bodies, or credentials
ab-002620 · project-snapshot
high
Terms of Service and Privacy Policy pages exist and are linked from the footer
ab-002621 · project-snapshot
medium
No PII, card data, or session tokens in server logs
ab-002623 · project-snapshot
high
Payment amounts sourced server-side, never from client
ab-002622 · project-snapshot
critical
Login / signup / password-reset endpoints have rate limits
ab-002604 · project-snapshot
high
List-returning API endpoints enforce pagination or hard limits
ab-002610 · project-snapshot
medium
Webhook handlers are idempotent
ab-002609 · project-snapshot
medium
Webhook endpoints verify the incoming signature
ab-002601 · project-snapshot
high
Apple touch icon is present
ab-002185 · pre-launch
low
Cross-browser compatibility is addressed
ab-002175 · pre-launch
medium
Custom 404 page is present and helpful
ab-002187 · pre-launch
medium
Custom 500 page is present and does not expose internals
ab-002182 · pre-launch
high
Favicon is present
ab-002181 · pre-launch
medium
Mobile responsiveness is verified
ab-002171 · pre-launch
high
Social sharing preview metadata is configured
ab-002174 · pre-launch
medium
Analytics tracking is installed
ab-002177 · pre-launch
medium
Database backup strategy is defined
ab-002178 · pre-launch
critical
Email delivery is tested and working
ab-002173 · pre-launch
high
Error monitoring is configured
ab-002179 · pre-launch
high
Cookie consent mechanism is present
ab-002180 · pre-launch
high
Privacy policy page exists
ab-002186 · pre-launch
critical
Terms of service page exists
ab-002184 · pre-launch
high
Custom domain email is configured
ab-002183 · pre-launch
info
Debug mode is disabled in production
ab-002104 · pre-launch
critical
DNS is configured correctly
ab-002100 · pre-launch
high
Environment variables are production values
ab-002103 · pre-launch
critical
SSL certificate is valid and auto-renews
ab-002101 · pre-launch
critical
www/non-www redirect is configured
ab-002102 · pre-launch
medium
Console.log statements are cleaned up
ab-002170 · pre-launch
low
Performance baseline is documented
ab-002192 · pre-launch
low
Rollback plan exists
ab-002190 · pre-launch
medium
Staging and test URLs are removed from codebase
ab-002191 · pre-launch
info
Test and seed data has been removed
ab-002176 · pre-launch
high
All third-party services are on production plans
ab-002188 · pre-launch
medium
Web app manifest is present
ab-002189 · pre-launch
info
Plugin API versioned
ab-002088 · plugin-extension-architecture
high
Breaking changes follow semver
ab-002089 · plugin-extension-architecture
high
Conflicting plugins detected
ab-002092 · plugin-extension-architecture
low
Plugin dependency resolution
ab-002091 · plugin-extension-architecture
low
Incompatible plugins gracefully disabled
ab-002093 · plugin-extension-architecture
high
Plugin manifest required
ab-002090 · plugin-extension-architecture
high
Plugin error boundaries
ab-002082 · plugin-extension-architecture
critical
No global state pollution
ab-002085 · plugin-extension-architecture
high
Resource cleanup on removal
ab-002086 · plugin-extension-architecture
medium
Resource limits enforced
ab-002087 · plugin-extension-architecture
medium
Resource scoping enforced
ab-002083 · plugin-extension-architecture
critical
Permission-based sandboxing
ab-002084 · plugin-extension-architecture
high
Async hooks supported
ab-002078 · plugin-extension-architecture
high
Execution order defined
ab-002077 · plugin-extension-architecture
high
Clear hook registration API
ab-002076 · plugin-extension-architecture
critical
Plugin lifecycle hooks defined
ab-002075 · plugin-extension-architecture
critical
Before/after hook patterns
ab-002080 · plugin-extension-architecture
medium
Hook payloads typed
ab-002079 · plugin-extension-architecture
high
Hook unregistration supported
ab-002081 · plugin-extension-architecture
medium
Plugin API changelog maintained
ab-002098 · plugin-extension-architecture
low
Plugin authoring guide exists
ab-002094 · plugin-extension-architecture
high
Example plugin provided
ab-002096 · plugin-extension-architecture
low
Plugin loading mechanism documented
ab-002095 · plugin-extension-architecture
high
Plugin registry or marketplace
ab-002099 · plugin-extension-architecture
info
Test utilities for plugins
ab-002097 · plugin-extension-architecture
low
Rendering strategy matches content type (static pages use SSG, dynamic use SSR/ISR)
ab-002065 · performance-load
high
Client hydration is not blocking above-the-fold content
ab-002067 · performance-load
low
Loading states are present for async content (skeletons, spinners)
ab-002068 · performance-load
low
SEO-critical pages are not client-side rendered only
ab-002066 · performance-load
critical
No sequential API request waterfalls on page load
ab-002069 · performance-load
high
Images use modern formats (WebP, AVIF) or Next/Image component
ab-002053 · performance-load
high
Images specify width and height to prevent layout shift
ab-002054 · performance-load
high
Below-fold images use lazy loading
ab-002055 · performance-load
medium
Images are not significantly larger than their display size
ab-002057 · performance-load
low
Images use srcset or responsive image component for different screen sizes
ab-002056 · performance-load
low
API responses specify appropriate caching behavior
ab-002072 · performance-load
low
Gzip or Brotli compression is enabled for text assets
ab-002073 · performance-load
low
Static assets use content-hash filenames for cache busting
ab-002071 · performance-load
medium
Preconnect/dns-prefetch hints for third-party origins
ab-002074 · performance-load
info
Static assets have appropriate Cache-Control headers
ab-002070 · performance-load
high
Route-based code splitting is configured
ab-002059 · performance-load
high
Heavy libraries use dynamic imports (not loaded on every page)
ab-002062 · performance-load
low
Fonts use font-display: swap or optional, not block
ab-002063 · performance-load
medium
No individual JS bundles exceed 250KB gzipped
ab-002058 · performance-load
critical
No large unused dependencies in bundle
ab-002061 · performance-load
medium
Third-party scripts are loaded asynchronously
ab-002064 · performance-load
medium
Build tool supports tree shaking (no barrel file issues)
ab-002060 · performance-load
low
DOM node count under 1500 on typical page
ab-002034 · performance-deep-dive
medium
Garbage collection pauses under 50ms
ab-002033 · performance-deep-dive
medium
Showing first 500 of 2,527 — refine filters to narrow.