TypeScript Errors
391 error patterns
TS2304: Cannot find name 'X'
TS2304.*Cannot find name
- Import the type/value
- Install @types/ package
TS2305: Module has no exported member
TS2305.*has no exported member
- Check export name spelling
- Verify package version has that export
TS2307: Cannot find module or its type declarations
TS2307.*Cannot find module
- Install the package or @types/ package
- Add module declaration in .d.ts file
TS2322: Type X is not assignable to type Y
TS2322.*Type.*is not assignable to type
- Fix type mismatch or add type assertion
- Widen the target type
TS2339: Property does not exist on type
TS2339.*Property.*does not exist on type
- Add property to interface/type
- Use type assertion
TS2345: Argument type not assignable to parameter
TS2345.*Argument of type.*is not assignable to parameter
- Fix argument type to match parameter
- Widen parameter type
TS2531: Object is possibly null
TS2531.*Object is possibly 'null'
- Add null check before usage
- Use non-null assertion (!) if certain
TS2532: Object is possibly undefined
TS2532.*Object is possibly 'undefined'
- Add undefined check
- Provide default value with ??
TS2314: Generic type requires type argument(s)
TS2314.*Generic type.*requires.*type argument
- Provide type parameter: Array<string>
- Use type inference where possible
TS2344: Type does not satisfy constraint
TS2344.*Type.*does not satisfy the constraint
- Ensure type extends the constraint
- Add required properties to type
TS2416: Property not assignable to base type
TS2416.*Property.*in type.*is not assignable to the same property in base type
- Match return type/parameters of base method
- Widen the override type
TS2420: Class incorrectly implements interface
TS2420.*Class.*incorrectly implements interface
- Implement all required interface members
- Match property types exactly
TS2551: Property typo - did you mean?
TS2551.*Did you mean
- Fix the typo to correct property name
- Check interface definition
TS2556: Spread argument must be tuple type
TS2556.*A spread argument must.*have a tuple type or be passed to a rest parameter
- Use 'as const' assertion on array
- Define tuple type explicitly
TS2571: Object is of type unknown
TS2571.*Object is of type 'unknown'
- Add type guard (instanceof, typeof)
- Use type assertion after validation
TS2590: Union type too complex
TS2590.*Expression produces a union type that is too complex to represent
- Simplify union by grouping types
- Use type assertion to break complexity
TS2589: Type instantiation excessively deep
TS2589.*Type instantiation is excessively deep
- Add recursion limit to recursive types
- Simplify conditional type nesting
TS2741: Property missing in type
TS2741.*Property.*is missing in type
- Add the missing property
- Make property optional with ?
TS2352: Type assertion may be a mistake
TS2352.*Conversion of type.*may be a mistake
- Use double assertion: as unknown as T
- Fix the underlying type mismatch
TS2454: Variable used before assignment
TS2454.*Variable.*is used before being assigned
- Initialize variable at declaration
- Add definite assignment assertion (!)
TS2564: Property not definitely assigned in constructor
TS2564.*Property.*has no initializer and is not definitely assigned
- Add ! definite assignment assertion
- Initialize in constructor
TS2769: No overload matches this call
TS2769.*No overload matches this call
- Check all overload signatures for matching one
- Fix argument types
TS2365: Operator cannot be applied to types
TS2365.*Operator.*cannot be applied to types
- Convert types before comparison
- Use proper type for arithmetic
TS2366: Function lacks ending return statement
TS2366.*Function lacks ending return statement
- Add return statement for all code paths
- Return undefined explicitly
TS2430: Interface incorrectly extends interface
TS2430.*Interface.*incorrectly extends interface
- Make property types compatible
- Use Omit to exclude conflicting props
TS2688: Cannot find type definition file
TS2688.*Cannot find type definition file
- Install @types/ package
- Remove from types in tsconfig.json
TS2503: Cannot find namespace
TS2503.*Cannot find namespace
- Import the namespace
- Add triple-slash reference
TS2355: Function must return a value
TS2355.*A function whose declared type is neither.*void.*undefined.*must return a value
- Add return statement
- Change return type to void
TS2375: Duplicate index signature
TS2375.*Duplicate number index signature
- Remove duplicate index signature
- Merge into single signature
TS2394: Overload not compatible with implementation
TS2394.*This overload signature is not compatible with its implementation
- Make implementation signature wider than all overloads
- Fix parameter/return types
TS2448: Variable used before declaration
TS2448.*Block-scoped variable.*used before its declaration
- Move variable declaration above usage
- Restructure code flow
TS2493: Tuple has no element at index
TS2493.*Tuple type.*of length.*has no element at index
- Check tuple length before accessing
- Use optional tuple elements
TS2538: Type cannot be used as index
TS2538.*Type.*cannot be used as an index type
- Convert to string or number
- Add index signature to target type
TS2540: Cannot assign to read-only property
TS2540.*Cannot assign to.*because it is a read-only property
- Remove readonly modifier
- Create new object with spread
TS2542: Index signature only permits reading
TS2542.*Index signature in type.*only permits reading
- Remove Readonly wrapper
- Create mutable copy
TS2559: Type has no properties in common
TS2559.*Type.*has no properties in common with type
- Check you're using the correct type
- Add shared properties
TS2615: Circular type reference
TS2615.*Type of property.*circularly references itself
- Break circular reference with type alias
- Use interface instead of type alias
TS2683: this implicitly has type any
TS2683.*'this' implicitly has type 'any'.*no type annotation
- Add this parameter type
- Use arrow function
TS2684: this context of callback is void
TS2684.*.*parameter of.*callback.*is.*void
- Bind callback to correct this
- Use arrow function for callback
TS2698: Spread types from object types only
TS2698.*Spread types may only be created from object types
- Ensure spread target is object type
- Add type guard before spreading
TS2706: Required type param after optional
TS2706.*Required type parameters may not follow optional
- Reorder type parameters
- Add default to required param
TS2742: Inferred type cannot be named
TS2742.*The inferred type.*cannot be named
- Add explicit type annotation
- Export the referenced type
TS2749: Refers to value but used as type (use typeof)
TS2749.*refers to a value.*used as a type.*typeof
- Use typeof X to get type of value
- Import the type instead of value
TS2775: Assertion requires explicit type annotation
TS2775.*Assertions require every name in the call target to be declared with an explicit type annotation
- Add explicit return type to assertion function
- Annotate function as asserts parameter
TS2786: Not a valid JSX component
TS2786.*is not a.*JSX component
- Check component returns valid JSX element
- Fix React types version mismatch
TS2792: Cannot find module (moduleResolution issue)
TS2792.*Cannot find module.*Did you mean to set.*moduleResolution
- Set moduleResolution to bundler or node16
- Add .js extension to imports
TS2794: Expected N arguments but got M
TS2794.*Expected.*arguments.*got
- Add missing arguments
- Make parameters optional
TS2799: satisfies - type not assignable
TS2799.*is not an assignable type
- Fix value to match satisfies constraint
- Widen the satisfies type
TS5023: Unknown compiler option
TS5023.*Unknown compiler option
- Check TypeScript version supports the option
- Fix typo in tsconfig.json
TS6133: Variable declared but never used
TS6133.*is declared but.*never (used|read)
- Remove unused variable
- Prefix with _ to ignore
TS1375: await only at top level of module
TS1375.*'await'.*only allowed.*top level.*module
- Set module to es2022 or esnext in tsconfig
- Wrap in async function
TS2312: Interface can only extend object type
TS2312.*An interface.*only extend.*object type.*intersection.*statically known members
- Use type intersection instead of extends
- Ensure base is interface/object type
TS2315: Type is not generic
TS2315.*Type.*is not generic
- Remove type arguments
- Check if correct type is imported
TS2321: Duplicate index signature
TS2321.*Duplicate.*index signature.*type
- Combine index signatures into union
- Remove duplicate
TS2326: Property types incompatible
TS2326.*Types of property.*are incompatible
- Make property types match
- Use union type to accept both
TS2329: Index signature not assignable in mapped type
TS2329.*Index signature.*type.*is not assignable.*mapped
- Adjust mapped type constraint
- Add index signature to source
TS2335: super only in derived class
TS2335.*'super' can only be referenced in a derived class
- Add extends clause to class
- Remove super call from non-derived class
TS2349: Expression not callable, no call signatures
TS2349.*This expression is not callable.*has no call signatures
- Check type has function signature
- Fix union type to callable members only
TS2353: Object literal excess property check
TS2353.*Object literal may only specify known properties.*not exist in type
- Remove extra property
- Add property to target type
TS2362: Arithmetic requires number/bigint
TS2362.*The left-hand side of an arithmetic operation must be.*number.*bigint.*enum
- Convert value to number first
- Add type guard for number
TS2367: Comparison always true/false, types have no overlap
TS2367.*comparison.*always.*'(true|false)'.*no overlap
- Fix the comparison logic
- Check for type narrowing issues
TS2370: Rest element must be last
TS2370.*A rest element must be last in a destructuring pattern
- Move ...rest to end
- Use intermediate variable
TS2378: get accessor must return value
TS2378.*A 'get' accessor must return a value
- Add return statement to getter
- Check all code paths return
TS2393: Duplicate function implementation
TS2393.*Duplicate function implementation
- Remove duplicate function
- Use overload signatures properly
TS2395: Merged declarations must match export
TS2395.*Individual declarations in merged declaration.*must be all exported or all local
- Export all declarations with same name
- Make all non-exported
TS2397: Function not usable as decorator
TS2397.*Function.*cannot be used as a decorator
- Fix decorator factory return type
- Enable experimentalDecorators
TS2411: Property not assignable to string index type
TS2411.*Property.*of type.*is not assignable to.*index type
- Make property type compatible with index signature
- Remove index signature
TS2440: Import conflicts with local declaration
TS2440.*Import declaration conflicts with local declaration
- Rename local variable
- Use import alias
TS2460: No property and no string index
TS2460.*Type.*has no property.*and no string index signature
- Add property to type
- Add string index signature
TS2464: Computed property name type error
TS2464.*A computed property name must be.*type
- Ensure computed key is string/number/symbol
- Use as const for literal key
TS2474: const enum initializer must be constant
TS2474.*In 'const' enum declarations member initializer must be constant expression
- Use only literal values or other enum members
- Remove const from enum
TS2476: const enum accessed dynamically
TS2476.*A 'const' enum member can only be accessed using a string literal
- Use string literal to access const enum
- Remove const from enum declaration
TS2497: Module resolves to non-module entity
TS2497.*Module.*resolves to a non-module entity.*cannot be imported
- Use import = require() syntax
- Set esModuleInterop: true
TS2500: Module augmentation in unrelated file
TS2500.*Augmentation.*module.*in unrelated file
- Add import from the module being augmented
- Move augmentation to proper declaration file
TS2515: Non-abstract class missing abstract member
TS2515.*Non-abstract class.*does not implement.*abstract member
- Implement the abstract method/property
- Make class abstract
TS2554: Expected N arguments but got M
TS2554.*Expected.*arguments.*but got
- Pass correct number of arguments
- Make parameters optional
TS2555: Expected at least N arguments
TS2555.*Expected at least.*arguments.*but got
- Add missing required arguments
- Check which params are required
TS2339: Property does not exist on type never
TS2339.*Property.*does not exist.*type.*'never'
- Add type annotation to empty array/variable
- Fix exhaustive check logic
TS2722: Cannot invoke possibly undefined
TS2722.*Cannot invoke an object which is possibly 'undefined'
- Add optional call: fn?.()
- Check function exists before calling
TS2717: Subsequent declarations must match type
TS2717.*Subsequent property declarations must have the same type
- Use consistent type across declarations
- Fix interface merging conflict
TS4058: Return type from external module
TS4058.*Return type of exported function has.*name.*from.*external module.*not augmented
- Re-export the external type
- Add explicit return type annotation
TS4060: Return type cannot be named in declaration
TS4060.*Return type of.*method.*has.*cannot be named
- Add explicit return type annotation
- Export the referenced type
TS6059: rootDir expected to contain all source files
TS6059.*rootDir.*is expected to contain all source files
- Adjust rootDir in tsconfig.json
- Move source files under rootDir
TS6305: Output file not built from source (composite)
TS6305.*Output file.*has not been built from source file
- Run tsc --build to build references
- Check composite project references
TS6306: Referenced project must have composite: true
TS6306.*Referenced project.*must have setting.*composite.*true
- Add composite: true to referenced tsconfig
- Enable declaration: true as well
TS6307: File not listed in project file list
TS6307.*File.*is not listed within the file list of project
- Add file to include in tsconfig.json
- Check rootDir covers the file
TS18046: Variable is of type unknown
TS18046.*is of type 'unknown'
- Add type guard (typeof, instanceof)
- Use type assertion after validation
TS18048: Value is possibly undefined
TS18048.*value is possibly 'undefined'
- Add undefined check
- Use nullish coalescing (??)
TS7006: Parameter implicitly has any type
TS7006.*Parameter.*implicitly has an 'any' type
- Add type annotation to parameter
- Enable noImplicitAny to catch these
TS7016: No declaration file for module
TS7016.*Could not find a declaration file for module
- Install @types/package
- Create custom .d.ts declaration
TS7053: Element has implicit any via indexing
TS7053.*Element implicitly has an 'any' type because expression.*can't be used to index
- Add index signature to type
- Use keyof constraint
TS1343: import.meta needs module setting
TS1343.*'import\.meta' only.*with.*module
- Set module to es2020+ in tsconfig
- Use esnext module option
TS1479: Module not found relative to baseUrl
TS1479.*Could not find a declaration file.*relative to baseUrl
- Verify paths configuration in tsconfig
- Check baseUrl is set correctly
TS2694: Namespace has no exported member
TS2694.*Namespace.*has no exported member
- Check namespace export spelling
- Update @types/ package version
TS2320: Interface cannot extend conflicting types
TS2320.*Interface.*cannot simultaneously extend.*different members
- Resolve conflicting property types
- Use Omit to exclude conflicts
TS4114: Member must have override modifier
TS4114.*This member must have an 'override' modifier
- Add override keyword to method
- Check noImplicitOverride setting
TS1240: Cannot resolve class decorator signature
TS1240.*Unable to resolve signature of class decorator
- Fix decorator factory return type
- Use proper ClassDecorator type
TS2790: delete operand must be optional
TS2790.*The operand of a 'delete' operator must be optional
- Mark property as optional in type
- Use Partial<T> for the type
TS1371: Import never used as value
TS1371.*This import is never used as a value.*cannot.*'importsNotUsedAsValues'
- Use 'import type' syntax
- Set verbatimModuleSyntax: true
TS2880: Template literal type too complex
TS2880.*Template literal type.*produces.*too complex
- Simplify template literal combinations
- Use string instead of literal union
React Native TurboModule not found
react-native.*TurboModule.*could not find module
- Ensure the native module is registered in the TurboModuleProvider
- Run pod install (iOS) or gradle sync (Android) after adding module
React Native Fabric component not registered
react-native.*Fabric.*component.*not found in.*registry
- Register component in the ComponentDescriptorProvider for Fabric
- Ensure native component uses the new Fabric renderer API
React Native module resolution failure
react-native.*Error:.*Unable to resolve module.*from.*node_modules
- Clear Metro bundler cache: npx react-native start --reset-cache
- Delete node_modules and run npm install/yarn again
React Native native component not linked
react-native.*Invariant Violation.*requireNativeComponent.*was not found
- Run 'npx react-native link' or rebuild native project
- For iOS: cd ios && pod install && rebuild
React Native Hermes bytecode version mismatch
react-native.*Error:.*Hermes.*bytecode.*version mismatch
- Clean build: cd android && ./gradlew clean
- Delete build caches and Metro cache, rebuild from scratch
React Native bridge not available with New Architecture
react-native.*Error:.*bridge.*not available.*New Architecture
- Migrate module from bridge to TurboModules/Fabric API
- Use interop layer: RCTTurboModule bridging for gradual migration
React Native NativeModules property null
react-native.*TypeError.*Cannot read property '.*' of null.*NativeModules
- Rebuild native project after adding new native module
- Check native module is exported correctly in native code
React Native Watchman crawl failure
react-native.*Error:.*Watchman.*crawl failed
- Restart Watchman: watchman shutdown-server && watchman
- Delete watchman state: watchman watch-del-all
React Native codegen spec validation error
react-native.*codegen.*Error.*spec.*does not conform
- Ensure TypeScript types in spec file match codegen requirements
- Use supported codegen types: string, number, boolean, Object
React Native Flipper connection failure
react-native.*Error:.*flipper.*Could not connect to the Flipper server
- Ensure Flipper desktop app is running on the same machine
- Check Flipper port isn't blocked: default 9088/9089
React Native Animated value attached to multiple views
react-native.*Animated.*node.*attached to.*multiple views
- Create separate Animated.Value instances for each view
- Use useRef to ensure animated values aren't shared across renders
React Native NativeModule is null
react-native.*TypeError:.*null is not an object.*evaluating.*NativeModule
- Rebuild the native app after adding the module (not just JS bundle)
- Check native module is properly linked in MainApplication/AppDelegate
React Native Codegen compatibility error
react-native.*Error:.*unable to.*build.*Codegen.*not compatible
- Ensure react-native version matches codegen expectations
- Update @react-native/codegen to compatible version
React Native Fabric ShadowNode missing
react-native.*FabricError.*ShadowNode.*not found for tag
- Ensure component is compatible with Fabric renderer
- Check for race conditions between JS and native view lifecycle
React Native Hermes bytecode internal error
react-native.*Hermes.*InternalBytecodeError
- Clear Hermes cache: delete android/app/build/generated/source/hermes
- Update Hermes version by upgrading React Native
React Native VirtualizedList nested in ScrollView
react-native.*VirtualizedList.*should never be nested inside.*ScrollView
- Use FlatList/SectionList's ListHeaderComponent/ListFooterComponent
- Replace outer ScrollView with a single FlatList using renderItem
React Native immutable object modification attempt
react-native.*Error:.*You attempted to set the key.*on an object that is meant to be immutable
- Spread the object to create a mutable copy: {...obj, key: newValue}
- Don't mutate props or state directly
React Native AsyncStorage storage full
react-native.*AsyncStorage.*Could not get value.*database or disk is full
- Clear unused AsyncStorage keys: AsyncStorage.removeItem('key')
- Use MMKV or WatermelonDB for larger datasets
React Native Metro bundler cache corruption
react-native.*Metro.*error:.*SHA-1.*LOADING from cache
- Clear Metro cache: npx react-native start --reset-cache
- Delete node_modules/.cache and temp directories
React Native native module not linked properly
react-native.*Error:.*Native module.*not found.*Are you sure.*linked
- Run 'npx pod-install' for iOS, './gradlew clean' for Android
- Check react-native.config.js for auto-linking configuration
React Native headless task not registered
react-native.*Error:.*No task registered for key.*ReactNative.*HeadlessTask
- Register task in index.js: AppRegistry.registerHeadlessTask('TaskName', () => task)
- Ensure task name matches between native and JS registration
OAuth2 Authorization Code Expired
error.*invalid_grant.*authorization code.*expired
- Ensure code is exchanged within 10 minutes of issuance
- Implement automatic redirect to re-authorize on expiry
OAuth2 Refresh Token Revoked
error.*invalid_grant.*refresh token.*revoked
- Clear stored tokens and redirect to login
- Implement token rotation handling
OAuth2 PKCE Verifier Mismatch
PKCE.*code_verifier.*does not match.*code_challenge
- Store code_verifier in session before redirect
- Use same verifier for challenge generation and token exchange
OAuth2 Insufficient Scope
insufficient_scope.*required scope.*not granted
- Add required scopes to authorization request
- Request incremental authorization for new scopes
OAuth2 Invalid Client ID
error.*invalid_client.*client_id.*not found
- Verify client_id matches registered application
- Check environment-specific client IDs (dev vs prod)
OAuth2 Redirect URI Not Registered
error.*invalid_redirect_uri.*not registered
- Add exact redirect_uri to provider's allowed list
- Check trailing slashes and protocol (http vs https)
OAuth2 Unsupported Grant Type
error.*unsupported_grant_type
- Use 'authorization_code' for web apps, 'client_credentials' for M2M
- Check Content-Type is application/x-www-form-urlencoded
OAuth2 User Denied Consent
access_denied.*user.*consent
- Handle denial gracefully with user-friendly message
- Explain why permissions are needed before redirect
OAuth2 Invalid Client Secret
token_endpoint.*invalid_client_secret
- Rotate client secret and update environment variables
- Use client_secret_post or client_secret_basic correctly
OAuth2 State Parameter Mismatch (CSRF)
state.*parameter.*mismatch.*CSRF
- Generate cryptographic random state before redirect
- Store state in session/localStorage and verify on callback
JWT Signature Verification Failed
JsonWebTokenError: invalid signature
- Verify signing key matches between issuer and verifier
- Check algorithm matches (RS256 vs HS256)
JWT Token Expired
TokenExpiredError: jwt expired
- Implement automatic token refresh before expiry
- Add clock tolerance: verify(token, secret, {clockTolerance: 30})
JWT Malformed Token
JsonWebTokenError: jwt malformed
- Verify token has three dot-separated parts
- Check no extra whitespace or newlines in token
JWT Audience Claim Mismatch
JsonWebTokenError: jwt audience invalid.*expected
- Set correct audience in verification: verify(token, key, {audience: 'api'})
- Check aud claim in token matches your API identifier
JWT Issuer Claim Mismatch
JsonWebTokenError: jwt issuer invalid.*expected
- Verify iss claim matches expected auth server URL
- Check trailing slash consistency in issuer URL
JWT Algorithm None Attack Blocked
Error:.*algorithm.*none.*not allowed
- Always specify allowed algorithms: verify(token, key, {algorithms: ['RS256']})
- Never accept 'none' algorithm in production
JWT Subject Claim Invalid
JsonWebTokenError: jwt subject invalid
- Check sub claim matches expected user identifier format
- Verify subject validation regex allows actual values
JWT Key ID Not Found in JWKS
JWKSError: unable to find.*signing key.*kid
- Refresh JWKS cache - key may have been rotated
- Check kid in token header matches available keys
JWT Signing Key Missing
Error: secretOrPrivateKey must have a value
- Set JWT_SECRET environment variable
- Load private key from secure vault/KMS
JWT Not-Before Claim Violation
JsonWebTokenError:.*not before.*nbf
- Wait until nbf time before using token
- Add clock tolerance for time skew
CORS Missing Allow-Origin Header
Access-Control-Allow-Origin.*not.*present.*response
- Add Access-Control-Allow-Origin header to server response
- Configure CORS middleware with allowed origins list
CORS Preflight Request Failed
CORS.*preflight.*response.*not.*successful
- Handle OPTIONS requests in server with 204 response
- Add Access-Control-Allow-Methods and Allow-Headers
CORS Credentials With Wildcard Origin
credential.*not supported.*wildcard.*Access-Control-Allow-Origin
- Replace '*' with specific origin when credentials:true
- Use dynamic origin based on request Origin header
CORS Missing Allowed Header
Access-Control-Allow-Headers.*missing.*header.*request
- Add custom header to Access-Control-Allow-Headers response
- Include Authorization, Content-Type in preflight response
CORS Method Not Allowed
Access-Control-Allow-Methods.*does not contain.*method
- Add required HTTP method to Access-Control-Allow-Methods
- Include PUT, PATCH, DELETE for REST APIs
CORS Same-Origin Policy Block
Cross-Origin Request Blocked.*Same Origin Policy
- Configure server CORS for frontend origin
- Use reverse proxy to serve API under same origin
CORS Preflight Cache Expired
CORS.*Access-Control-Max-Age.*exceeded
- Set Access-Control-Max-Age to cache preflight (86400 for 24h)
- Reduce preflight frequency with appropriate max-age
CSP Connect-Src Violation
Refused to connect.*Content-Security-Policy.*connect-src
- Add API domain to connect-src directive in CSP header
- Use 'self' plus specific domains in connect-src
CSP Inline Script Blocked
Content-Security-Policy.*script-src.*inline.*blocked
- Move inline scripts to external files
- Add nonce to script tags: <script nonce='random'>
CSP Frame Ancestors Embedding Blocked
Content-Security-Policy.*frame-ancestors.*blocked
- Add embedding domain to frame-ancestors directive
- Use 'self' to allow same-origin embedding only
CSRF Token Mismatch
CSRF token mismatch.*expected.*received
- Include CSRF token in request header (X-CSRF-Token)
- Read token from meta tag or cookie before request
CSRF Session Expired
CSRF.*session.*expired.*please.*login
- Refresh CSRF token when session renews
- Implement auto-refresh of token before expiry
CSRF Double-Submit Cookie Mismatch
CSRF.*double.*submit.*cookie.*header.*mismatch
- Ensure cookie value matches X-CSRF-Token header exactly
- Set SameSite=Strict on CSRF cookie
CSRF Referer Check Failed
CSRF.*verification failed.*Referer.*checking
- Set Referrer-Policy to no-referrer-when-downgrade
- Add Referer header in API requests from SPA
XSS innerHTML Blocked by CSP
Refused to execute.*innerHTML.*Content-Security-Policy
- Use textContent instead of innerHTML for text
- Sanitize HTML with DOMPurify before insertion
React XSS via dangerouslySetInnerHTML
dangerouslySetInnerHTML.*script.*injected
- Sanitize with DOMPurify.sanitize() before passing HTML
- Use react-markdown or similar parser for safe rendering
Template Injection XSS
template.*injection.*expression.*evaluated
- Never interpolate user input into template expressions
- Use {{}} binding instead of v-html/[innerHTML]
XSS eval() Blocked by CSP
Refused to evaluate.*string.*CSP.*script-src
- Replace eval() with JSON.parse() or safe alternatives
- Remove 'unsafe-eval' from CSP and refactor code
Trusted Types innerHTML Violation
DOMException.*Failed to set.*innerHTML.*violates.*policy
- Create TrustedTypePolicy for HTML sanitization
- Use textContent for non-HTML content
XSS via JavaScript URL Protocol
Warning.*unsanitized.*user.*input.*href.*javascript:
- Validate URLs start with https:// or relative path
- Strip javascript: protocol from user-provided URLs
PostgreSQL Parameterized Query Syntax Error
pg.*error.*syntax error.*parameterized.*\$\d+
- Use $1, $2 placeholders with values array in pg driver
- Don't mix string interpolation with parameterized queries
MySQL Prepared Statement Parse Error
mysql.*ER_PARSE_ERROR.*prepared statement.*placeholder
- Use ? placeholders in mysql2 with values array
- Escape table/column names with backticks separately
SQLite Parameter Binding Index Error
sqlite3.*Error: SQLITE_RANGE.*column index out of range
- Match number of ? placeholders to values array length
- Use named parameters :name with object binding
SQL Cannot Parameterize Identifier
Error:.*cannot parameterize.*table name.*identifier
- Whitelist allowed table/column names in code
- Use query builder (Knex, Prisma) for dynamic identifiers
Auth0 Token Expired Unauthorized
Auth0.*invalid_token.*token.*expired.*unauthorized
- Implement silent token refresh with getTokenSilently()
- Use refresh tokens with offline_access scope
Auth0 Callback Access Denied
Auth0.*callback.*error.*access_denied
- Check Auth0 Rules/Actions for blocking logic
- Verify user email is verified if rule requires it
Auth0 Session Expired Login Required
Auth0.*login_required.*session.*expired
- Use checkSession() on app load to detect state
- Implement loginWithRedirect() as fallback
Clerk Session Not Found
Clerk.*session.*not found.*expired
- Use useAuth() hook to check session state
- Implement signIn.create() for re-authentication
Clerk Social Login Callback Error
Clerk.*social.*callback.*error.*oauth
- Verify OAuth redirect URL is configured in Clerk dashboard
- Check social connection credentials are valid
Supabase Auth Refresh Token Invalid
supabase.*auth.*invalid_refresh_token
- Call supabase.auth.signOut() and redirect to login
- Check refresh token hasn't been revoked server-side
Supabase Auth Email Not Confirmed
supabase.*auth.*email.*not.*confirmed
- Resend confirmation email with supabase.auth.resend()
- Check email confirmation settings in Supabase dashboard
Supabase Auth Duplicate Registration
supabase.*auth.*user.*already.*registered
- Check if user exists before signup with signInWithOtp
- Use upsert logic or link accounts for social+email
HTTPS Certificate Expired
MOZILLA_PKIX_ERROR_.*CERT.*EXPIRED
- Renew certificate with certbot renew
- Set up auto-renewal cron job for Let's Encrypt
HTTPS Incomplete Certificate Chain
unable to verify the first certificate
- Include intermediate certificates in server config
- Use fullchain.pem instead of cert.pem for Let's Encrypt
Node.js TLS Certificate Expired
CERT_HAS_EXPIRED|certificate has expired
- Renew certificate and restart server
- Update NODE_EXTRA_CA_CERTS if using custom CA
Node.js Missing CA Certificate
UNABLE_TO_GET_ISSUER_CERT_LOCALLY
- Install ca-certificates package on server
- Set NODE_EXTRA_CA_CERTS to custom CA bundle path
HSTS Preload Missing includeSubDomains
HSTS.*preload.*missing.*includeSubDomains
- Add includeSubDomains to Strict-Transport-Security header
- Set max-age to at least 31536000 (1 year)
SSL/TLS Version or Cipher Mismatch
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
- Update server to support TLS 1.2/1.3
- Remove deprecated ciphers from server config
Self-Signed Certificate in Chain
self.*signed certificate.*chain
- Replace self-signed cert with CA-signed certificate
- Add self-signed CA to client trust store for internal use
OAuth2 Token Introspection Shows Inactive
OAuth.*token.*introspection.*inactive
- Token was revoked - obtain new token via refresh or re-auth
- Check token hasn't exceeded absolute session timeout
OAuth2 Missing PKCE Code Challenge
error.*invalid_request.*missing.*code_challenge
- Generate code_challenge from code_verifier with S256
- Include code_challenge_method=S256 in auth request
CORS Null Origin Rejected
CORS.*origin.*null.*not allowed
- Don't allow 'null' origin in production (file:// or sandboxed)
- Serve local files through http://localhost instead
CORS Custom Response Header Not Exposed
Access-Control-Expose-Headers.*missing.*custom
- Add header name to Access-Control-Expose-Headers
- Only safelisted headers are visible by default to JS
CSRF Token Cookie Missing
CSRF.*token.*not found.*cookie
- Set CSRF cookie on initial page load/auth
- Check cookie path and domain match request
XSS Sanitization Bypass via SVG
XSS.*sanitize.*bypass.*svg.*onload
- Use DOMPurify with FORBID_TAGS:['svg'] if SVG not needed
- Update sanitizer library to latest version
Helmet CSP Directive Configuration Error
helmet.*contentSecurityPolicy.*directive.*invalid
- Use helmet.contentSecurityPolicy({directives:{...}}) format
- Check directive names use camelCase in helmet config
Bearer Token Missing from Request
error.*unauthorized.*bearer.*token.*missing
- Add Authorization: Bearer <token> header to requests
- Check auth interceptor is attaching token
Bcrypt Missing Hash Arguments
bcrypt.*Error.*data and hash arguments required
- Pass both plaintext and hash to bcrypt.compare()
- Check password field is not null/undefined
Argon2 Memory Cost Too Low
argon2.*Error.*memory cost.*too low
- Set memoryCost to at least 65536 (64MB)
- Use argon2id variant for best security
Passport.js Serialize User Failed
passport.*Error.*Failed to serialize user
- Implement serializeUser to store user.id in session
- Verify user object has id property
Passport.js Deserialize User Failed
passport.*Error.*Failed to deserialize user
- •Implement deserializeUser to fetch user from DB by id
- •Handle case where user no longer exists (deleted)
Express Session Secret Missing
express-session.*secret.*required
- •Set SESSION_SECRET environment variable
- •Use crypto.randomBytes(64).toString('hex') for secret
Session Cookie SameSite None Requires Secure
session.*cookie.*SameSite.*None.*Secure
- •Set cookie.secure=true when SameSite=None
- •Use SameSite=Lax for same-site only (most cases)
CORS Cookie Not Sent Without Credentials
CORS.*cookie.*not sent.*credentials.*include
- •Set credentials:'include' in fetch/axios requests
- •Configure CORS with credentials:true on server
CSP Inline Style Blocked
Content-Security-Policy.*style-src.*inline.*blocked
- •Move inline styles to external CSS files
- •Add nonce to style elements for dynamic styles
Web Crypto API Not Available
ReferenceError: crypto.*not defined.*polyfill
- •Use crypto.subtle in browsers (HTTPS required)
- •Import crypto from 'crypto' in Node.js
CORS Private Network Access Blocked
Error.*CORS.*private network.*request
- •Add Access-Control-Allow-Private-Network:true header
- •Handle preflight with Private-Network-Access-Name
OAuth2 Token Revocation Failed
OAuth.*token.*revocation.*error
- •Send token_type_hint with revocation request
- •Verify revocation endpoint URL is correct
OpenID Connect Discovery Failed
OIDC.*discovery.*well-known.*failed
- •Check .well-known/openid-configuration URL is accessible
- •Verify issuer URL doesn't have trailing slash mismatch
Auth0 API Audience Not Registered
Auth0.*API.*audience.*not found
- •Create API in Auth0 dashboard with correct identifier
- •Use exact audience string in auth request
Clerk Publishable Key Invalid
Clerk.*publishable.*key.*invalid
- •Get correct publishable key from Clerk dashboard
- •Verify key matches environment (dev vs prod)
Supabase Auth PKCE Flow Error
supabase.*auth.*flow.*not supported.*PKCE
- •Use @supabase/ssr for server-side PKCE flow
- •Set flowType:'pkce' in Supabase client options
JWT RS256 Public Key Invalid Format
JWT.*RS256.*public key.*invalid
- •Ensure PEM format with BEGIN PUBLIC KEY header
- •Convert JWK to PEM using jose library
CSRF Protection Bypassed by SameSite Cookie
CSRF.*SameSite.*cookie.*cross-site
- •Set SameSite=Strict for session cookies
- •Implement additional CSRF token even with SameSite
DOMPurify Configuration Too Permissive
XSS.*DOMPurify.*config.*allowed.*tag.*bypass
- •Use default DOMPurify config (most restrictive)
- •Remove dangerous tags: FORBID_TAGS:['style','script','iframe']
ORM Raw Query SQL Injection Risk
SQL.*ORM.*raw query.*injection
- •Use parameterized queries even in raw(): Prisma.sql`...${param}`
- •Prefer ORM query builders over raw SQL
TLS Certificate Not Yet Valid
certificate.*not yet valid.*future date
- •Check server clock synchronization with NTP
- •Wait until certificate notBefore date
HSTS Max-Age Too Short for Preload
Strict-Transport-Security.*max-age.*too short
- •Set max-age to 31536000 (1 year) minimum
- •Include includeSubDomains and preload directives
Mixed Content HTTP Resource Blocked
Mixed Content.*https.*http.*blocked
- •Update all resource URLs to use HTTPS
- •Use protocol-relative URLs (//) or force HTTPS
Referrer Policy Leaking Sensitive URLs
Referrer-Policy.*unsafe-url.*leak
- •Set Referrer-Policy: strict-origin-when-cross-origin
- •Use no-referrer for sensitive pages
Web Crypto Requires Secure Context
SubtleCrypto.*operation.*not supported.*insecure context
- •Serve page over HTTPS (crypto.subtle needs secure context)
- •Use localhost for development (treated as secure)
OAuth2 Token Endpoint Auth Method Rejected
oauth.*token_endpoint_auth_method.*client_secret_basic.*rejected
- •Switch to client_secret_post (send in body)
- •Check provider supports your auth method
JWT Missing Required Claim (iat)
JWT.*claim.*required.*missing.*iat
- •Include iat (issued at) in JWT payload
- •Set requireClaims option to match expected claims
Auth0 Rule Throwing Unauthorized
Auth0.*rule.*error.*unauthorized
- •Debug Auth0 Rules in Real-time Webtask Logs
- •Check rule condition logic for edge cases
XSS via postMessage Without Origin Check
XSS.*postMessage.*origin.*unchecked
- •Always verify event.origin in message handler
- •Use specific targetOrigin in postMessage (not '*')
CORS Missing Vary Origin Header
CORS.*vary.*origin.*header.*missing
- •Add Vary: Origin header when reflecting origin dynamically
- •Prevents cache poisoning with wrong origin
Session Fixation - ID Not Regenerated
session.*fixation.*ID.*not regenerated
- •Call req.session.regenerate() after login
- •Destroy old session before creating new one
Clickjacking - Frame Options Missing
clickjacking.*X-Frame-Options.*not set
- •Set X-Frame-Options: DENY or SAMEORIGIN
- •Use CSP frame-ancestors instead (more flexible)
Cookie Missing HttpOnly Flag
cookie.*HttpOnly.*flag.*missing.*XSS
- •Set httpOnly:true on session and auth cookies
- •Prevents JavaScript access to cookie value
Open Redirect Vulnerability
open redirect.*url.*parameter.*unvalidated
- •Validate redirect URL against allowlist of domains
- •Use relative paths only for redirects
SSRF via User-Controlled URL
SSRF.*fetch.*user.*controlled.*URL
- •Validate URL against allowlist of permitted hosts
- •Block private IP ranges (10.x, 172.16.x, 192.168.x, 127.x)
Rate Limit 429 Too Many Requests
rate.*limit.*exceeded.*429.*too many requests
- •Implement exponential backoff in client
- •Add rate limit headers to response (X-RateLimit-Remaining)
Missing X-Content-Type-Options Header
helmet.*X-Content-Type-Options.*nosniff.*missing
- •Add X-Content-Type-Options:nosniff via helmet
- •Prevents MIME type sniffing attacks
Password Hash Timing Attack Vulnerability
password.*hash.*timing.*attack.*comparison
- •Use crypto.timingSafeEqual() for hash comparison
- •Use bcrypt.compare() which is timing-safe by default
API Key Exposed in Client Bundle
API.*key.*exposed.*client.*bundle
- •Move API key to server-side proxy endpoint
- •Use environment variables with NEXT_PUBLIC_ prefix only for public keys
Path Traversal Attack
path.*traversal.*\.\..*unauthorized.*access
- •Use path.resolve() and verify result is within allowed directory
- •Sanitize input: remove ../ and normalize path
Insecure Direct Object Reference
IDOR.*user.*accessing.*resource.*not.*owned
- •Always verify resource ownership against authenticated user
- •Use UUIDs instead of sequential IDs
Mass Assignment Vulnerability
mass.*assignment.*unexpected.*field.*update
- •Use DTOs/allowlist to accept only expected fields
- •Implement pick() utility to select allowed properties
JWT Algorithm Confusion Attack
JWT.*algorithm.*confusion.*HS256.*RS256
- •Always specify algorithms in verify: {algorithms:['RS256']}
- •Never accept HS256 when expecting RS256
Permissions Policy Feature Denied
helmet.*Permissions-Policy.*feature.*denied
- •Configure Permissions-Policy header for needed features
- •Allow camera/microphone with specific origins
Subresource Integrity Hash Mismatch
SRI.*integrity.*hash.*mismatch
- •Regenerate SRI hash with: shasum -b -a 384 file | awk '{print $1}' | xxd -r -p | base64 (the digest must be base64 of the raw bytes, not of the hex string)
- •Update integrity attribute after CDN file changes
HTTP Public Key Pinning Failure
HPKP.*pin.*mismatch.*certificate
- •HPKP is deprecated - remove pin headers
- •Migrate to Certificate Transparency (Expect-CT)
Content-Disposition Header Injection
Content-Disposition.*attachment.*filename.*injection
- •Sanitize filename: remove special characters and path separators
- •Use Content-Disposition: attachment; filename*=UTF-8''encoded
NoSQL Injection in MongoDB Query
NoSQL.*injection.*\$gt.*\$ne.*query
- •Use mongo-sanitize to strip $ operators from input
- •Validate input types before building queries
Prototype Pollution via Object Merge
prototype.*pollution.*__proto__.*merge
- •Block __proto__, constructor, prototype keys in merge
- •Use Object.create(null) for dictionary objects
Regular Expression Denial of Service
ReDoS.*catastrophic.*backtracking.*regex
- •Use safe-regex or re2 library for untrusted patterns
- •Avoid nested quantifiers: (a+)+ or (a|b)*c
OAuth2 PKCE Using Plain Method Instead of S256
OAuth.*PKCE.*code_challenge_method.*plain.*insecure
- •Always use code_challenge_method=S256
- •Generate challenge with SHA-256 hash of verifier
JWT JKU Header Injection Attack
JWT.*jku.*header.*injection.*key
- •Ignore jku header - use locally configured JWKS endpoint
- •Validate jku URL against allowlist if used
CORS Origin Reflection Without Validation
CORS.*origin.*reflected.*without.*validation
- •Validate Origin against explicit allowlist
- •Never reflect arbitrary origins in Access-Control-Allow-Origin
State-Changing GET Request (CSRF Vulnerable)
CSRF.*GET.*request.*state.*changing
- •Use POST/PUT/DELETE for state-changing operations
- •Never modify data on GET requests
XSS via Event Handler Attribute
XSS.*event.*handler.*on\w+.*user.*input
- •Never set event handlers with user input
- •Use addEventListener instead of inline handlers
Auth0 Custom Domain CNAME Error
Auth0.*custom.*domain.*CNAME.*mismatch
- •Verify CNAME record points to Auth0 custom domain edge
- •Wait for DNS propagation after CNAME change
Clerk Webhook Signature Invalid
Clerk.*webhook.*signature.*verification.*failed
- •Use svix library to verify webhook signatures
- •Get correct signing secret from Clerk dashboard
Supabase RLS Policy Blocking Query
supabase.*RLS.*policy.*denied.*select
- •Create SELECT policy: USING (auth.uid() = user_id)
- •Enable RLS on table and add appropriate policies
TLS Handshake Protocol Version Failure
TLS.*handshake.*failed.*protocol.*version
- •Update to TLS 1.2 minimum (disable TLS 1.0/1.1)
- •Set minVersion:'TLSv1.2' in Node.js TLS options
CSP report-uri Deprecated
CSP.*report-uri.*deprecated.*use.*report-to
- •Migrate to report-to directive with Reporting-Endpoints header
- •Keep report-uri as fallback for older browsers
CORS Preflight Cache Poisoning
CORS.*preflight.*cache.*poisoning
- •Include Vary: Origin header in all CORS responses
- •Don't cache preflight responses at CDN without Origin key
Session Store Connection Lost
session.*store.*disconnect.*lost.*data
- •Use connect-redis with reconnect strategy
- •Implement session store fallback mechanism
WebAuthn Attestation Verification Failed
WebAuthn.*attestation.*verification.*failed
- •Update FIDO metadata service for latest attestation roots
- •Accept 'none' attestation for simpler deployment
WebAuthn Challenge Expired
WebAuthn.*challenge.*expired.*timeout
- •Regenerate challenge for each authentication attempt
- •Increase challenge timeout in server config
TOTP Code Verification Failed (Clock Skew)
TOTP.*verification.*failed.*time.*skew
- •Allow 1-step time window: verify with window:1
- •Synchronize server time with NTP
OAuth2 Device Flow Pending Authorization
OAuth.*device_code.*authorization_pending
- •Poll token endpoint at specified interval (not faster)
- •Show user the verification_uri and user_code
OAuth2 DPoP Proof Invalid
DPoP.*proof.*invalid.*nonce.*mismatch
- •Use nonce from server's DPoP-Nonce response header
- •Generate fresh DPoP proof for each request
Mutual TLS Client Certificate Missing
mTLS.*client.*certificate.*not.*provided
- •Configure client to present certificate in TLS handshake
- •Set requestCert:true, rejectUnauthorized:true on server
SCRAM Authentication Mechanism Error
SCRAM.*authentication.*failed.*mechanism
- •Verify SCRAM-SHA-256 is supported by both sides
- •Check username and password encoding (UTF-8 normalization)
OAuth2 Pushed Authorization Request Invalid
OAuth.*PAR.*pushed.*request.*invalid
- •Send all auth params to PAR endpoint first
- •Use returned request_uri in authorization redirect
FAPI Response Mode JWT Required
FAPI.*response.*mode.*jwt.*required
- •Set response_mode=jwt for FAPI compliance
- •Implement JARM (JWT Secured Authorization Response Mode)
CSP Worker Source Blocked
Content-Security-Policy.*worker-src.*blocked
- •Add worker-src directive with blob: and/or 'self' (keyword sources must be quoted)
- •Include specific CDN domains hosting worker scripts
DOM Clobbering XSS Attack
XSS.*DOM.*clobbering.*named.*access
- •Don't access DOM elements by name/id on window
- •Use unique variable names that can't be clobbered
Credential Stuffing Attack Detected
credential.*stuffing.*detected.*account.*locked
- •Implement progressive rate limiting per IP and account
- •Add CAPTCHA after N failed attempts
CORS Private Network Request Header
CORS.*Access-Control-Request-Private-Network.*true
- •Respond with Access-Control-Allow-Private-Network: true
- •Handle preflight for private network access separately
JWT JWE Decryption Failed
JWT.*encryption.*JWE.*decryption.*failed
- •Verify decryption key matches encryption key ID
- •Check key encryption algorithm (RSA-OAEP vs A256KW)
CSP Upgrade Insecure Requests Not Working
CSP.*upgrade-insecure-requests.*mixed.*content
- •Add upgrade-insecure-requests to CSP header
- •Verify all resources have HTTPS versions available
OAuth2 Client Assertion JWT Invalid
OAuth.*client_assertion.*jwt-bearer.*invalid
- •Sign client assertion with correct private key
- •Set iss and sub to client_id, aud to token endpoint
CORS Auth Applied Before Preflight
CORS.*401.*unauthorized.*before.*preflight
- •Skip auth middleware for OPTIONS requests
- •Apply CORS headers before authentication check
Session Race Condition on Concurrent Requests
session.*race.*condition.*concurrent.*requests
- •Use session locking mechanism (connect-redis with lock)
- •Minimize session writes, prefer tokens for state
CSRF Token Missing in Multipart Form
CSRF.*multipart.*form.*boundary.*token
- •Include CSRF token as form field in multipart upload
- •Add token in custom header instead of form body
XSS via SVG foreignObject Element
XSS.*SVG.*foreignObject.*script
- •Strip foreignObject from user-uploaded SVGs
- •Sanitize SVG with DOMPurify SVG profile
Auth0 Management API Rate Limited
Auth0.*management.*API.*rate.*limit
- •Cache user/role data instead of fetching per request
- •Implement request queuing with rate limit awareness
Supabase JWT Secret Verification Mismatch
supabase.*JWT.*secret.*mismatch.*verify
- •Use SUPABASE_JWT_SECRET from project settings
- •Verify custom JWT with correct secret in Edge Functions
Third-Party Cookie Blocked (CHIPS Required)
cookie.*partition.*CHIPS.*third-party
- •Add Partitioned attribute to third-party cookies
- •Use CHIPS (Cookies Having Independent Partitioned State)
Fetch Metadata Cross-Site Request Blocked
Sec-Fetch-Site.*cross-site.*blocked
- •Implement Fetch Metadata request filtering
- •Allow cross-site for public APIs, block for admin
OAuth2 DPoP Bound Token Missing Proof
OAuth.*DPoP.*bound.*access.*token.*missing.*proof
- •Include DPoP proof header with every resource request
- •Generate fresh DPoP proof for each HTTP request
Cross-Origin Opener Policy Blocking Popup
COOP.*Cross-Origin-Opener-Policy.*blocked.*popup
- •Set Cross-Origin-Opener-Policy: same-origin-allow-popups
- •Use COOP: unsafe-none for OAuth popup flows
Cross-Origin Embedder Policy Blocking Resource
COEP.*Cross-Origin-Embedder-Policy.*blocked.*resource
- •Add crossorigin attribute to cross-origin resources
- •Have resource server send Cross-Origin-Resource-Policy header
Cross-Origin Resource Policy Blocking Load
CORP.*Cross-Origin-Resource-Policy.*blocked
- •Set Cross-Origin-Resource-Policy: cross-origin on resource server
- •Use same-site for resources shared within site
Reporting API Not Receiving Violations
report-to.*endpoint.*not.*receiving.*violations
- •Define Reporting-Endpoints header with valid URL
- •Use Report-To header for older Reporting API
OAuth2 PAR Request URI Expired
OAuth.*pushed.*authorization.*request.*URI.*expired
- •Use request_uri within 60 seconds of PAR response
- •Don't cache PAR request_uri values
Clear-Site-Data Not Working on Logout
HSTS.*clear.*site.*data.*logout
- •Set Clear-Site-Data: "cookies", "storage", "cache" on logout response (directives must be double-quoted)
- •Serve logout page over HTTPS (required for Clear-Site-Data)
Password Complexity Policy Not Met
password.*policy.*minimum.*complexity.*not.*met
- •Show specific requirements that aren't met
- •Use zxcvbn library for strength estimation instead of rules
Account Enumeration via Timing
account.*enumeration.*timing.*different
- •Use constant-time response for both existing and non-existing users
- •Return same message regardless of account existence
JWT Payload Too Large for Headers
JWT.*payload.*too.*large.*header.*limit
- •Reduce claims stored in JWT (use reference tokens)
- •Store session data server-side, keep JWT minimal
XSS via HTML Attribute Quote Breaking
XSS.*attribute.*injection.*quoted.*break
- •HTML-encode all user input in attributes
- •Use framework auto-escaping (React, Angular)
CORS Wildcard Subdomain Not Matching
CORS.*wildcard.*subfolder.*path.*not.*supported
- •List each subdomain explicitly in allowed origins
- •Implement dynamic origin validation with regex
OAuth2 Proof Key Confirmation Missing
OAuth.*proof.*key.*confirmation.*cnf.*missing
- •Include cnf claim in access token for DPoP binding
- •Verify token has cnf.jkt matching DPoP key thumbprint
Request ID Header Injection
security.*header.*X-Request-ID.*injection
- •Validate X-Request-ID format (UUID only)
- •Generate server-side request ID, don't trust client
OpenID Connect ID Token Nonce Mismatch
OAuth.*id_token.*nonce.*mismatch
- •Store nonce in session before auth request
- •Verify nonce in id_token matches stored value
Auth0 Social Connection Rate Limited
Auth0.*connection.*rate.*limit.*social
- •Implement caching for social profile data
- •Use Auth0 connection rate limit settings
mTLS Certificate Revoked via CRL
mTLS.*certificate.*revoked.*CRL
- •Remove revoked certificate from client
- •Issue new certificate from CA
CSP Base URI Not Restricted
CSP.*base-uri.*hijack.*injection
- •Add base-uri 'self' to Content-Security-Policy
- •Prevents base tag injection for relative URL hijacking
CSRF Token Strategy Decision
CSRF.*token.*per.*request.*vs.*per.*session
- •Use per-session token for simpler implementation
- •Per-request tokens prevent token reuse but break back button
XSS via Unicode Escape Sequences
XSS.*unicode.*escape.*bypass.*\\u0022
- •Normalize unicode before sanitization
- •Use context-aware output encoding
Supabase Auth Magic Link Expired
supabase.*auth.*magic.*link.*expired
- •Magic links expire in 1 hour by default
- •Resend magic link on expiry
CORS Request from file:// Protocol
CORS.*request.*from.*file.*protocol
- •Serve application via HTTP server for development
- •Use Live Server or similar for local file serving
Cookie Domain Mismatch Across Subdomains
cookie.*domain.*mismatch.*subdomain
- •Set cookie domain to .domain.com (with leading dot)
- •Use specific subdomain if cross-subdomain not needed
JWT EdDSA Algorithm Not Supported
JWT.*EdDSA.*algorithm.*not.*supported
- •Update jsonwebtoken library to version supporting EdDSA
- •Use jose library which supports EdDSA (Ed25519)
OAuth2 Authorization Code Replay Detected
OAuth.*authorization.*code.*replay.*detected
- •Authorization codes are single-use by spec
- •Revoke all tokens issued from replayed code
CSRF Origin Header Null from Sandbox
CSRF.*origin.*header.*null.*sandboxed
- •Don't rely solely on Origin header for CSRF protection
- •Combine Origin/Referer check with token-based CSRF
XSS via PDF JavaScript Injection
XSS.*PDF.*injection.*JavaScript.*action
- •Sanitize PDF content before serving to users
- •Set Content-Disposition: attachment for user PDFs
BREACH Compression Side Channel Attack
security.*BREACH.*compression.*side.*channel
- •Disable HTTP compression for pages with secrets
- •Add random padding to responses containing tokens
GraphQL Federation Subgraph Unreachable
GraphQL.*federation.*subgraph.*unreachable
- •Check subgraph service URL in supergraph config
- •Verify network connectivity from gateway to subgraph
GraphQL N+1 DataLoader Batch Size Exceeded
GraphQL.*N\+1.*dataloader.*batch.*exceeded
- •Set maxBatchSize in DataLoader options
- •Implement cursor-based pagination in resolvers
Webhook Delivery Failed All Retries
webhook.*delivery.*failed.*retry.*exhausted
- •Implement dead letter queue for failed webhooks
- •Use exponential backoff (1min, 5min, 30min, 2h, 24h)
API Version Content Negotiation Failed
API.*versioning.*content.*negotiation.*406
- •Set Accept header with version: application/vnd.api.v2+json
- •Support multiple versions simultaneously during migration
AWS CDK Asset Bundling Failed
CDK.*Error:.*Cannot find asset.*bundling.*failed
- •Check Docker is running for bundled assets
- •Verify entry point path in bundling options
AWS CDK Duplicate Construct ID
CDK.*Error:.*Construct.*already.*exists.*tree
- •Use unique IDs for each construct in same scope
- •Change scope or ID to avoid conflicts
AWS CDK Synthesis Token Resolution Error
CDK.*synthesis.*failed.*Invalid.*token
- •Ensure tokens are resolved at synth time, not deploy time
- •Use Lazy.string() for values computed at synth
AWS CDK Custom Resource Timeout
CDK.*Custom.*Resource.*timed out.*CREATE_FAILED
- •Increase timeout in CustomResource provider (default 30min)
- •Check Lambda backing custom resource for errors
AWS CDK Cross-Environment Reference Error
CDK.*Error:.*Cannot deploy.*cross-env.*reference
- •Use SSM parameters for cross-account/region values
- •Export values with CfnOutput and import with Fn.importValue
AWS CDK Stack Size Limit Exceeded
CDK.*Error:.*Maximum.*stack.*size.*exceeded
- •Split into nested stacks or multiple stacks
- •Reduce resource count with shared resources
AWS CDK Circular Stack Dependency
CDK.*Error:.*Circular dependency.*between.*stacks
- •Remove circular cross-stack references
- •Use SSM parameter store for shared values
AWS CDK Cannot Determine Deployed Template
CDK.*diff.*Cannot determine.*deployed.*template
- •Verify AWS credentials and region are correct
- •Check stack exists in CloudFormation
AWS CDK Bootstrap Stack Outdated
CDK.*Error:.*Bootstrap.*stack.*version.*too old
- •Run cdk bootstrap to update bootstrap stack
- •Check required bootstrap version: cdk bootstrap --show-template
AWS CDK Context Lookup Failed
CDK.*Error:.*context.*lookup.*failed.*account
- •Run cdk synth to populate context values
- •Provide context values in cdk.json or cdk.context.json
Pulumi Stack Reference Not Found
pulumi.*error:.*stack reference.*not found
- •Verify referenced stack name matches exactly (org/project/stack)
- •Deploy referenced stack first
Pulumi Automation API Stack Already Exists
pulumi.*error:.*automation.*API.*stack.*already.*exists
- •Use selectStack instead of createStack if exists
- •Add createOrSelectStack for idempotent stack creation
Pulumi Provider Configuration Missing
pulumi.*error:.*provider.*configuration.*missing
- •Set provider config: pulumi config set aws:region us-east-1
- •Export environment variables for provider auth
Pulumi Resource Already Exists (Import)
pulumi.*error:.*resource.*already.*exists.*import
- •Import existing resource: pulumi import <type> <name> <id>
- •Use import option in resource constructor
Pulumi Dependency Cycle Detected
pulumi.*error:.*dependency.*cycle.*detected
- •Remove circular dependsOn references
- •Use Output transforms to break dependency chain
AWS CDK Environment-Agnostic Stack Lookup Fail
CDK.*Error:.*environment.*agnostic.*stack.*lookup
- •Specify env: { account, region } in stack props
- •Use CDK_DEFAULT_ACCOUNT and CDK_DEFAULT_REGION env vars
AWS CDK CloudFormation Resource Limit
CDK.*Error:.*Maximum.*number.*of.*resources.*exceeded
- •Split into multiple stacks (500 resource limit per stack)
- •Use NestedStack for logical grouping
AWS CDK Lambda Layer Version Not Found
CDK.*Error:.*Cannot.*find.*layer.*version.*ARN
- •Verify layer ARN region matches stack region
- •Check layer version number exists
AWS CDK Pipeline Self-Mutation Failed
CDK.*Pipeline.*Error:.*self-mutation.*failed
- •Check pipeline IAM role has permissions for CDK deploy
- •Verify bootstrap stack is up to date in pipeline account
AWS CDK Physical Name Contains Tokens
CDK.*Error:.*physical.*name.*cannot.*contain.*tokens
- •Use PhysicalName.GENERATE_IF_NEEDED for cross-env
- •Provide explicit physical name without tokens
Pulumi Resource URN Update Conflict
pulumi.*error:.*updating.*urn.*conflict
- •Delete old resource and create new one
- •Use aliases to rename without replacement
Pulumi Output of Destroyed Resource
pulumi.*error:.*output.*of.*a.*destroyed.*resource
- •Remove references to destroyed resource outputs
- •Update dependent resources to use alternative values
Pulumi Cannot Decrypt Secrets
pulumi.*error:.*secret.*provider.*cannot.*decrypt
- •Verify encryption key/passphrase is correct
- •Set PULUMI_CONFIG_PASSPHRASE for local encryption
Pulumi Preview Diff Unavailable
pulumi.*error:.*preview.*failed.*diff.*unavailable
- •Run pulumi refresh to sync state with actual resources
- •Provider may not support full diff - check provider docs
Pulumi Transformations Deprecated
pulumi.*error:.*transformations.*deprecated.*use.*transforms
- •Migrate from transformations to transforms API
- •Use transforms: in ResourceOptions
AWS CDK Lazy Token Resolution Error
CDK.*Error:.*unable to resolve.*token.*lazy
- •Use Lazy.string/number for values computed during synth
- •Verify token producer returns correct type
AWS CDK Cross-Region Export Not Supported
CDK.*Error:.*exports.*cannot be.*consumed.*cross-region
- •Use SSM parameter store for cross-region values
- •Deploy SSM writer in source region, reader in target
Pulumi Component Children Orphaned
pulumi.*error:.*component.*resource.*children.*orphaned
- •Pass { parent: this } option to child resources
- •Use ComponentResource as parent for logical grouping
Pulumi Policy Pack Violation
pulumi.*policy.*violation.*mandatory
- •Fix resource configuration to comply with policy
- •Request policy exception from platform team
AWS CDK Retained Resources After Stack Delete
CDK.*Error:.*removal policy.*RETAIN.*stack deletion
- •Set removalPolicy: RemovalPolicy.DESTROY for dev resources
- •RETAIN is default for stateful resources (DB, S3)
Pulumi Import Resource ID Format Error
pulumi.*error:.*resource.*import.*ID.*format
- •Use provider-specific ID format (ARN for AWS, full path for GCP)
- •Check pulumi import documentation for resource type
Conditional type resolves to never
Type '.*' is not assignable to type 'never'
- •Check that your conditional type branches cover all cases
- •Add explicit type annotations to help TypeScript resolve the conditional
Recursive conditional type too deep
Type instantiation is excessively deep and possibly infinite
- •Add a recursion depth limit counter to your recursive conditional type
- •Use tail-call optimization pattern with accumulator type parameter
Infer keyword used outside extends clause
infer.*can only be used in.*extends clause
- •Move the infer keyword inside a conditional type's extends clause: T extends infer U ? U : never
- •Wrap your type in a conditional: type Result = T extends Array<infer U> ? U : T
Path mapping not resolving module
Cannot find module '.*' or its corresponding type declarations
- •Verify paths in tsconfig.json match the baseUrl-relative import pattern
- •Ensure baseUrl is set correctly in tsconfig.json
Declaration merging conflict
Duplicate identifier '.*'\. Compiler.*declaration merging
- •Ensure merged declarations are in the same module scope (both global or both module-scoped)
- •Check that interface properties don't conflict with incompatible types across declarations
Mapped type indexing loses type narrowing
Property '.*' does not exist on type '.*\[keyof.*\]'
- •Use a generic function with K extends keyof T to preserve the specific key type
- •Add an explicit type assertion or use a conditional type to narrow the mapped result
Template literal type combinatorial explosion
Template literal type.*produces a union type that is too complex
- •Reduce the number of union members in the template literal constituents
- •Split the type into smaller template literals and intersect or union them manually
Project references missing composite flag
Referenced project '.*' must have setting.*composite.*true
- •Add "composite": true to the referenced project's tsconfig.json compilerOptions
- •Also add "declaration": true which is required when composite is enabled
Decorator metadata reflection error
Unable to resolve signature of.*decorator when called as an expression
- •Enable "emitDecoratorMetadata": true and "experimentalDecorators": true in tsconfig.json
- •Ensure reflect-metadata is imported at the application entry point
Module augmentation not found
Module '.*' has no exported member '.*'.*Did you mean to use 'import.*from'
- •Ensure your augmentation file uses 'declare module' with the exact module specifier string
- •The augmentation file must contain at least one top-level import or export to be treated as a module
Infer constraint not satisfied in conditional type
Type '.*' does not satisfy the constraint '.*'.*infer
- •Add an explicit constraint to the infer clause: infer U extends string
- •Wrap the inferred type in a conditional check before using it
Invalid mapped type syntax with extra properties
A mapped type may not declare properties or methods
- •Use intersection type to combine mapped type with additional properties: MappedType & { extra: string }
- •Move additional properties to a separate interface and intersect
Namespace used as type instead of typeof
Cannot use namespace '.*' as a type
- •Use typeof Namespace to get the type of the namespace object
- •Import the specific type from the namespace: Namespace.TypeName
Project reference output stale or missing
Output file '.*' has not been built from source file '.*'.*project reference
- •Run tsc --build --force to rebuild all project references from scratch
- •Delete the tsconfig.tsbuildinfo file and rebuild
Deferred conditional type cannot be used directly
Type.*conditional type.*not yet resolved
- •Add a type constraint to help TypeScript eagerly resolve the conditional
- •Use a generic function instead of a type alias to defer evaluation to call site
Mapped type needed instead of index signature
An index signature parameter type cannot be a literal type or generic type
- •Use a mapped type [K in 'key1' | 'key2']: ValueType instead of index signature
- •Use Record<'key1' | 'key2', ValueType> utility type
Decorator applied to invalid target
Decorator.*not valid here.*only.*class declaration
- •Ensure the decorator is applied to a class, method, accessor, property, or parameter (not a standalone function)
- •Check that the decorator signature matches the target: ClassDecorator, MethodDecorator, PropertyDecorator, or ParameterDecorator
This-type mismatch in mapped/conditional type
The 'this' context of type '.*' is not assignable to method's 'this' of type
- •Use an arrow function to preserve the lexical 'this' context
- •Add an explicit this parameter to the function signature: method(this: CorrectType, ...)
Reflect API not available for decorator metadata
Cannot find name 'Reflect'.*emitDecoratorMetadata
- •Install and import reflect-metadata: import 'reflect-metadata' at the top of your entry file
- •Add "types": ["reflect-metadata"] to tsconfig.json compilerOptions
Recursive mapped type exceeds depth limit
Excessive stack depth comparing types.*recursive
- •Add a depth counter generic parameter and terminate recursion at a fixed depth
- •Use interface extends instead of type aliases for recursive structures (interfaces are lazily evaluated)
Prisma P2002 - unique constraint violation
P2002.*Unique constraint failed on the (fields|constraint).*\(`(.*)`\)
- •Use upsert() instead of create() for records that might already exist
- •Catch the P2002 error and return a user-friendly 'already exists' message
Prisma P2003 - foreign key constraint violation
P2003.*Foreign key constraint failed on the field.*`(.*)`
- •Ensure the referenced record exists before creating the child record
- •Use connect syntax to link existing records: create({ data: { relation: { connect: { id } } } })
Prisma P2025 - record not found for operation
P2025.*Record to (update|delete) not found|An operation failed because.*depends on.*record.*not found
- •Use findUnique() first to check existence, then update/delete with a guard
- •Use updateMany/deleteMany which return count 0 instead of throwing when no record matches
Prisma migration drift detected
P3005.*database.*is not empty.*migration|drift detected.*schema
- •Run prisma migrate diff to see what drifted from the expected schema
- •Use prisma migrate resolve --applied <migration_name> to mark migrations as already applied
Prisma schema validation error
P1012.*schema.*validation error|Error validating.*schema\.prisma
- •Run prisma validate to get detailed error location in schema.prisma
- •Check for missing relation annotations: every relation needs @relation on both sides
Prisma connection pool timeout
P2024.*Timed out fetching a new connection from the connection pool
- •Increase pool size in the connection string: ?connection_limit=20
- •Reduce long-running transactions that hold connections from the pool
Prisma P2021 - table not found in database
P2021.*table.*does not exist in the current database
- •Run prisma migrate deploy to apply pending migrations that create the table
- •Check DATABASE_URL points to the correct database
Prisma P2022 - column not found in database
P2022.*column.*does not exist in the current database
- •Run prisma migrate deploy to apply pending migrations that add the column
- •Check if the column was renamed — update the @map() annotation or create a new migration
Prisma cannot connect to database server
P1001.*Can't reach database server|Connection refused.*P1001
- •Verify the database is running and accepting connections on the specified host:port
- •Check DATABASE_URL format: postgresql://user:password@host:5432/dbname
Prisma database operation timeout or closed connection
P1008.*Operations timed out|P1017.*Server has closed the connection
- •Increase connection timeout in URL: ?connect_timeout=30
- •Check for database server restarts or network instability
Prisma P2014 - required relation violation
P2014.*change.*violates.*required relation.*between.*and
- •Ensure the operation doesn't orphan required relations — delete children first or use cascade
- •Set onDelete: Cascade in the @relation annotation if parent deletion should cascade
Prisma query interpretation error
P2016.*Query interpretation error|Error interpreting the query
- •Check for invalid filter combinations in your where clause
- •Ensure relation filters use the correct nesting: where: { relation: { some: { field: value } } }
Prisma client not generated or out of date
prisma generate.*ENOENT|Cannot find.*@prisma/client.*generate
- •Run npx prisma generate to regenerate the client after schema changes
- •Add prisma generate to your postinstall script: "postinstall": "prisma generate"
Prisma migration failed - object already exists
P3006.*Migration.*failed to apply.*Error code.*already exists
- •The migration is trying to create something that already exists — mark it as applied: prisma migrate resolve --applied <name>
- •If the database was modified outside Prisma, baseline with prisma migrate diff
Prisma unknown request error
PrismaClientUnknownRequestError|Unknown error.*Prisma Client
- •Check database server logs for the actual error — Prisma couldn't categorize it
- •Ensure the database version is compatible with your Prisma version
Prisma related records not found during connect
P2015.*related record.*not found|P2018.*connected records.*not found
- •Verify the ID or unique fields used in connect: { connect: { id: existingId } } point to real records
- •Use connectOrCreate instead of connect if the related record might not exist yet
Prisma interactive transactions not supported by provider
Prisma.*needs to perform transactions.*not supported.*provider
- •Upgrade to Prisma 4.7+ for broader interactive transaction support
- •Use sequential operations instead of interactive transactions for unsupported providers
Prisma feature not supported by database provider
P2026.*current database provider doesn't support.*feature
- •Check Prisma docs for provider-specific feature support (e.g., fullTextSearch requires PostgreSQL)
- •Add the preview feature flag in schema.prisma: generator client { previewFeatures = ["feature"] }
Prisma database seed script failure
Prisma.*seed.*error|prisma db seed.*failed
- •Check the seed script path in package.json: "prisma": { "seed": "ts-node prisma/seed.ts" }
- •For TypeScript seeds, ensure ts-node is installed and tsconfig allows the seed file
Prisma query engine binary not found
PrismaClientInitializationError.*engine.*not found|Query engine.*binary.*not found
- •Run prisma generate to download the correct engine binary for your platform
- •Set binaryTargets in schema.prisma: generator client { binaryTargets = ["native", "linux-musl-openssl-3.0.x"] }
TS2322: Type is not assignable
TS2322:.*Type '.*' is not assignable to type
- •Fix the type mismatch — ensure the value matches the declared type
- •Add a type assertion if you're certain of the type: `value as MyType`
TS2339: Property does not exist on type
TS2339:.*Property '.*' does not exist on type
- •Add the property to the interface/type definition
- •Use optional chaining if the property may not exist: `obj?.prop`
TS2345: Argument type mismatch
TS2345:.*Argument of type '.*' is not assignable to parameter of type
- •Ensure the argument matches the expected parameter type
- •Add a type assertion: `value as ExpectedType`
TS2532: Object is possibly undefined
TS2532:.*Object is possibly 'undefined'
- •Add a null/undefined check before accessing the object
- •Use optional chaining: `obj?.property`
TS2554: Wrong number of arguments
TS2554:.*Expected \d+ arguments?, but got \d+
- •Pass the correct number of arguments to the function
- •Make parameters optional with `?` if they're not always needed
TS2769: No overload matches this call
TS2769:.*No overload matches this call
- •Check which overload signatures exist and match your arguments to one
- •Cast arguments to the expected types for the correct overload
TS7006: Parameter implicitly has any type
TS7006:.*Parameter '.*' implicitly has an 'any' type
- •Add an explicit type annotation to the parameter
- •Set `"noImplicitAny": false` in tsconfig.json (not recommended)
TS18046: Value is of type unknown
TS18046:.*is of type 'unknown'
- •Narrow the type with a type guard: `if (value instanceof Error)`
- •Use a type assertion after validation: `(value as MyType)`
TS2307: Cannot find module or type declarations
TS2307:.*Cannot find module '.*' or its corresponding type declarations
- •Install the package: `npm install <package>`
- •Install type declarations: `npm install -D @types/<package>`
TS2531: Object is possibly null
TS2531:.*Object is possibly 'null'
- •Add a null check: `if (obj !== null)`
- •Use non-null assertion operator: `obj!` (only when certain)
TS2355: Function must return a value
TS2355:.*A function whose declared type is neither 'void' nor 'any' must return a value
- •Add a return statement for all code paths
- •Change the return type to include `undefined` or `void` if appropriate
TS2740: Type is missing required properties
TS2740:.*Type '.*' is missing the following properties from type
- •Add the missing properties to the object literal
- •Make the properties optional in the interface with `?`
TypeScript rootDir/project reference error
error TS6059:.*is not under 'rootDir'|TS6305:.*Output file.*has not been built from source
- •Ensure all source files are under the `rootDir` specified in tsconfig.json
- •Update `include`/`exclude` patterns in tsconfig.json
TS2304: Cannot find name
TS2304:.*Cannot find name '.*'
- •Import the type/variable from its module
- •Install type declarations: `npm install -D @types/node` or `@types/<lib>`
TS2688: Cannot find type definition file
TS2688:.*Cannot find type definition file for
- •Install the missing @types package: `npm install -D @types/<name>`
- •Remove the package from `types` array in tsconfig.json if not needed