Checklist for Reviewing AI-Generated API Routes

[ ] Route only accepts the HTTP methods it handles — return 405 for others
[ ] Request body is parsed with a schema validator (Zod, Valibot) before any use
[ ] Path parameters are validated and typed — not passed raw to a database query
[ ] Query string parameters are validated — undefined values do not cause runtime errors
[ ] Response has the correct Content-Type header (application/json for JSON responses)
[ ] Pagination parameters have upper bounds — page size is capped server-side
[ ] Empty results return 200 with an empty array, not 404 (unless the resource itself is missing)
[ ] Created resources return 201, not 200
[ ] All code paths return a response — no async handler that falls through without sending
[ ] Async errors are caught — unhandled promise rejections crash Node.js
[ ] File upload handlers validate MIME type and file size before processing
[ ] Date and time inputs are validated as ISO 8601 and parsed with a safe library

[ ] Every protected route checks the session or token before any other logic runs
[ ] Authentication check is the first statement in the handler — not after logging or parsing
[ ] Authorization is checked — authenticated user can only access their own resources
[ ] Tenant or user ID used in DB queries comes from the session, not the request body or URL
[ ] IDOR (Insecure Direct Object Reference) is prevented — resource IDs are scoped to the user
[ ] Rate limiting is applied to mutation endpoints and authentication-adjacent routes
[ ] Mass assignment is prevented — only explicitly listed fields from the request are written to the DB
[ ] Error responses do not include stack traces, database errors, or internal paths
[ ] Sensitive fields (passwords, tokens, secrets) are excluded from response serialization
[ ] CORS is configured explicitly — Access-Control-Allow-Origin is not set to * for credentialed endpoints
[ ] Content-Type is validated on POST/PUT/PATCH — reject requests without application/json where expected
[ ] SQL and NoSQL injection is prevented — all queries use parameterized statements
[ ] Path traversal is prevented — file paths constructed from user input are resolved and validated
[ ] Uploaded files are stored outside the web root and served via a signed URL, not a direct path

[ ] Database queries inside the handler use indexes — check EXPLAIN for slow paths
[ ] N+1 queries in list endpoints are batched or replaced with a JOIN
[ ] Expensive operations are offloaded to a background queue — respond 202 Accepted
[ ] Response payloads contain only the fields the client needs — no full DB row serialization
[ ] Streaming is used for large responses — do not buffer gigabytes in memory
[ ] Caching headers (Cache-Control, ETag) are set on read-heavy public endpoints
[ ] Connection pooling is configured for the database client — no new connection per request

[ ] API routes are not publicly accessible before authentication middleware is active
[ ] Environment-specific base URLs are configured — no hardcoded localhost URLs
[ ] Health check endpoint (/health or /api/health) returns 200 and is excluded from auth
[ ] API versioning strategy is consistent — /api/v1/... if versioning is used at all
[ ] Rate limit configuration uses a distributed store (Redis) in multi-instance deployments
[ ] Request logging redacts sensitive fields — no passwords or tokens in logs
[ ] Timeout is set on upstream fetch calls — no route that hangs indefinitely on a slow service

[ ] AI has not put business logic before the auth check — always authenticate first
[ ] AI has not used parseInt() on user input without NaN handling — use Zod's z.coerce.number()
[ ] AI has not returned the full error object to the client — err.message can leak internals
[ ] AI has not used req.body without confirming body parsing middleware is active
[ ] AI has not skipped the OPTIONS handler on CORS-enabled routes
[ ] AI has not used a synchronous bcrypt or crypto call on the hot request path
[ ] AI has not generated a catch block that swallows errors silently — always log and respond
[ ] API keys or secrets are not accepted in query params — they appear in access logs