Code Review Checklist for Beginners — 20 Things to Check

□ SQL injection risk?

Does any database query concatenate or format user input? Use parameterized queries only.

□ XSS risk?

Is user input rendered in HTML without sanitization? Use textContent or DOMPurify.

□ Secrets in code?

Any API keys, passwords, or tokens hardcoded? Should use environment variables.

□ Input validated?

Is all user input validated for type, length, and format before processing?

□ Authentication/authorization?

Does every protected endpoint verify the user has permission?

□ Null/undefined checks?

Are values that could be null/undefined checked before access?

□ Error handling?

Are exceptions caught? Are async errors handled? Is error state shown to users?

□ Edge cases covered?

Empty arrays, zero, negative numbers, very long strings — tested?

□ Off-by-one errors?

Are loop bounds correct? Are array indices within range?

□ Race conditions?

In async code, can two operations interfere if they run simultaneously?

□ Function size

Is any function longer than 50 lines? Should be split.

□ Naming clarity

Do variable/function names describe what they contain/do?

□ Dead code

Is there commented-out code, unused variables, or unreachable branches?

□ Duplicate logic

Is the same logic repeated in multiple places? Should be extracted.

□ Magic numbers

Are numbers like 86400 or 0.05 unexplained? Should be named constants.

□ Tests added?

Does the PR include tests for the new behavior? Are edge cases tested?

□ Comments updated?

If behavior changed, are comments and docs updated to match?

□ README updated?

If new setup steps or env vars are required, is README updated?

□ PR description clear?

Does the PR explain WHAT changed and WHY? Easy to review and revert?

□ No debug code?

No console.log, print(), or temporary test code left in?