AI-coding hygiene
no-hardcoded-localhost
Flag hardcoded `localhost`/`127.0.0.1`/`0.0.0.0` URLs that ship to production.
AI tools paste local-dev URLs straight from curl tests; the result is a feature that 404s every real user. Test and fixture file paths (`tests/`, `__tests__/`, `cypress/`, `playwright/`, `e2e/`, `*.test.*`, `*.spec.*`) are exempted by filename.
Behavior
- Fixable: No.
- Suggestions: No.
Examples
Bad:

```js
fetch('http://localhost:3000/api/users');
```

Good:

```js
fetch(process.env.NEXT_PUBLIC_API_URL + '/users');
```

Related rules
- no-placeholder-code: Flag `throw new Error("not implemented")` and TODO/FIXME stubs the AI left behind.
- no-ssrf: Flag outbound HTTP calls whose URL is derived from request input (CWE-918).
- no-leaked-env-on-client: Flag non-public `process.env.X` reads from `"use client"` or `*.client.{ts,tsx}` files.
Use it
Enable no-hardcoded-localhost in your eslint.config.js:
```js
import deslint from '@deslint/eslint-plugin';

export default [
  {
    plugins: { deslint },
    rules: {
      'deslint/no-hardcoded-localhost': 'error',
    },
  },
];
```

Found a false positive? Report it on GitHub.
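The "Good" pattern in the Examples section moves the URL into `NEXT_PUBLIC_API_URL`, but a lint rule cannot see what that variable holds at build time: if it is unset the request goes to `undefined/users`, and if it still holds a local-dev value the loopback URL ships anyway. The following is an added example, not code from the plugin or its documentation. The helper names `resolveApiBase` and `apiUrl` are hypothetical, and the IPv6 loopback entry and the `.localhost` suffix check go beyond the three hosts the rule description lists.

```javascript
// Added example, not part of @deslint/eslint-plugin. Helper names are hypothetical.
// Hosts named in the rule description, plus IPv6 loopback (an addition made here).
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '0.0.0.0', '[::1]']);

// The base URL and environment are passed in as values so the call site can read
// process.env.NEXT_PUBLIC_API_URL literally; Next.js only inlines literal reads.
function resolveApiBase(rawBase, nodeEnv) {
  if (!rawBase) {
    // Without this check, undefined + '/users' becomes the string "undefined/users".
    throw new Error('NEXT_PUBLIC_API_URL is not set');
  }
  let url;
  try {
    url = new URL(rawBase);
  } catch {
    throw new Error('NEXT_PUBLIC_API_URL is not an absolute URL');
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error('NEXT_PUBLIC_API_URL must use http or https');
  }
  const host = url.hostname.toLowerCase();
  const isLoopback = LOOPBACK_HOSTS.has(host) || host.endsWith('.localhost');
  if (nodeEnv === 'production' && isLoopback) {
    throw new Error('NEXT_PUBLIC_API_URL points at a loopback host in production');
  }
  // Normalise so callers never produce a double slash or a missing one.
  return url.origin + url.pathname.replace(/\/+$/, '');
}

function apiUrl(path, rawBase = process.env.NEXT_PUBLIC_API_URL,
                nodeEnv = process.env.NODE_ENV) {
  return resolveApiBase(rawBase, nodeEnv) + '/' + String(path).replace(/^\/+/, '');
}
```

Calling `apiUrl('/users')` once at startup or in a build step turns a misconfigured deployment into a build failure instead of a broken feature for users.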