PS Product Security Knowledge Base

✅ Stack-Specific Review Checklists and Release Criteria

Intro: A useful secure-engineering guide changes how pull requests and releases are reviewed. This page turns the stack guidance into short checklists teams can actually apply.

What this page includes

  • review checklists by stack family
  • release criteria that catch structural mistakes
  • how to scale review quality without slowing everything down
  • what to automate first

Backend service checklist

  • request validation present and explicit;
  • authN and authZ paths separated clearly;
  • object-level authorization verified;
  • secrets loaded from approved mechanisms only;
  • debug and admin routes reviewed;
  • high-risk actions logged with actor and object context.

Frontend checklist

  • cookies and session posture validated;
  • no secrets in build artifacts;
  • API origins and CORS aligned with production intent;
  • third-party scripts inventoried;
  • upload and download flows reviewed.

CI-friendly release criteria

Automate first:

  • secret scanning;
  • dependency and container scanning;
  • config linting;
  • infrastructure policy checks;
  • artifact provenance where maturity allows.
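As an added example (not part of this knowledge base), a minimal Python release gate that wires two of the automate-first checks, secret scanning and config linting, back to checklist items above (no secrets in build artifacts, debug routes, CORS, session posture); the artifact contents, patterns and config keys are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a release candidate's build output and config.
# Values are made up for this example and are not real credentials.
ARTIFACTS: Dict[str, str] = {
    "dist/app.bundle.js": "const API='https://api.example.test';\n"
                          "const KEY='AKIAEXAMPLEKEY000000';",
    "config/prod.yaml": "debug_routes: true\n"
                        "cors_allow_origin: '*'\n"
                        "session_cookie_secure: false",
}

# Illustrative secret-scanning rules; real scanners carry far larger rule sets.
SECRET_PATTERNS = {
    "aws-access-key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "generic-token": re.compile(
        r"(?i)(api[_-]?key|token|secret)\s*[:=]\s*['\"][^'\"]{16,}['\"]"),
}

# Config lint rules: key -> (forbidden value, checklist item it enforces).
CONFIG_RULES = {
    "debug_routes": ("true", "debug/admin routes must be off in production"),
    "cors_allow_origin": ("*", "CORS must match production origins"),
    "session_cookie_secure": ("false", "session cookie must be Secure"),
}

def scan_secrets(files: Dict[str, str]) -> List[str]:
    """Report path:line for every pattern hit in any artifact."""
    findings = []
    for path, body in files.items():
        for name, pat in SECRET_PATTERNS.items():
            for m in pat.finditer(body):
                line = body[:m.start()].count("\n") + 1
                findings.append(f"{path}:{line}: possible {name}")
    return findings

def lint_config(files: Dict[str, str]) -> List[str]:
    """Flag YAML keys set to a value the checklist forbids for production."""
    findings = []
    for path, body in files.items():
        if not path.endswith((".yaml", ".yml")):
            continue
        for lineno, line in enumerate(body.splitlines(), 1):
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip().strip("'\"")
            rule = CONFIG_RULES.get(key)
            if rule and value == rule[0]:
                findings.append(f"{path}:{lineno}: {rule[1]}")
    return findings

def release_gate(files: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (passed, findings); any finding blocks the release."""
    findings = scan_secrets(files) + lint_config(files)
    return (len(findings) == 0, findings)
```

Run as a CI step that fails the job when `release_gate` returns `False`, leaving the human-review items below for reviewers.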

Reserve human review for:

  • tenant isolation decisions;
  • admin-plane changes;
  • high-risk data flows;
  • new federation or third-party trust paths.

Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.