173 patterns from real production sites
Every security gap, SEO miss, and performance issue we've learned across the network. Each pattern has a trigger, a proven fix, and a confidence score. Free to browse.
Any endpoint that trusts client-submitted prices or totals
Always fetch menu_items fresh from DB and recompute unit_price + options + subtotal server-side; never trust client total
pre_send_3_layer_validation
Format + 15 blacklists + MX DNS check before sending
imap_bounce_cleanup
Find mailer-daemon bounces via IMAP, clean up the DB, delete the mails
email_warmup_kademeli
Gradual ramp-up 10-25-40-50 to protect against Gmail bans
spf_dkim_dmarc_setup
SPF+DKIM+DMARC: 2.7x inbox rate
bounce_3_layer
Format + blacklist + MX 3-layer validation
ufw_docker_conflict
On a Contabo VPS, UFW conflicts with Docker's iptables rules. The UFW DROP rule blocks docker-proxy traffic: curl 127.0.0.1:PORT from the host times out. Fix: ufw --force disable. There are no public ports other than SSH 22 anyway.
ufw_smtp_imap_outgoing
With UFW default deny outgoing, ports 587 (SMTP) and 993 (IMAP) are closed, so Gmail email sending and bounce checking do not work. Run ufw allow out 587/tcp and ufw allow out 993/tcp, or disable UFW.
sandbox_isolation_critical
The autonomous agent must not break the main system. Isolate it with Docker or a Git worktree.
pathname.startsWith('/restoran') incorrectly protects /restoran-basvuru public page
Use (pathname === '/restoran' || pathname.startsWith('/restoran/')) with explicit trailing slash
Admin might accidentally delete own account or demote own role
In every admin mutation, compare target_user_id with current auth.uid(); reject if equal
Concurrent spends could allow overdraft
SELECT SUM(amount) FOR UPDATE before inserting the negative spend row
Concurrent order creations with same coupon code — race condition on used_count
Use SECURITY DEFINER plpgsql function with FOR UPDATE lock to atomically validate+increment
supabase.auth.signOut() in server action after signInWithPassword verification
Use signOut({scope: 'local'}) OR use a separate verifier client with persistSession:false and skip signOut entirely
signInWithPassword verification inside server action disrupts main session cookies
Use separate anon client with {persistSession:false, autoRefreshToken:false} for password verification, then call updateUser on the main SSR client
spintax_spam_avoidance
Vary the greeting, closing and signature to avoid spam filters
Coupon validation (customer cart) requires SELECT access, but we don't want anyone browsing all coupon codes
Open SELECT policy (USING true) but server action still enforces domain logic (active, expiry, max_uses). Security by obscurity of codes + server validation.
Wrong iyzico sandbox key copied — errorCode 1001
Sandbox dashboard → Firma Ayarları (Company Settings) → API Anahtarları (API Keys), the LEFT box, not Cep POS. Real keys are exactly 40 characters.
User can spam order creation
SELECT COUNT(*) FROM orders WHERE user_id=? AND created_at > now()-60s; block if >=3