Fix route order and registration issues. Difficulty: Beginner

Fix authentication and CSRF validation bugs. Difficulty: Medium

Fix password verification vulnerability. Difficulty: Easy

Fix SQL injection vulnerabilities. Difficulty: Medium

Fix flash data handling issues. Difficulty: Medium

The search endpoint uses ILIKE — replace it with a tsvector full-text search. Difficulty: Medium

The posts endpoint uses the wrong JOIN type and wrong ON clause — fix both. Difficulty: Medium

The transfer endpoint has no ROLLBACK — a failed write corrupts the balance permanently. Difficulty: Medium

Fix three SQL bugs: injection, wrong column, and invalid response format Difficulty: Easy

The posts migration runs before the users migration, and uses SQLite syntax. Fix both. Difficulty: Medium

The posts controller ignores the metadata field — add it to the INSERT and SELECT. Difficulty: Medium

The users list endpoint dumps every row — add LIMIT and OFFSET to paginate it. Difficulty: Easy

A multi-tenant controller relies on PHP to filter data. Add Row-Level Security to enforce isolation at the database level. Difficulty: Hard

Identify columns missing indexes based on controller queries and add them to the migration. Difficulty: Medium

Nginx isn't forwarding PHP requests to PHP-FPM — fix the config Difficulty: Easy

The compose file only has the app service — add db and nginx Difficulty: Easy

Complete the Dockerfile for DALT.PHP — three parts are missing Difficulty: Easy

The app container boots before Postgres is ready. Add a healthcheck so depends_on can use condition: service_healthy. Difficulty: Easy

Convert the single-stage Dockerfile to a multi-stage build and add a HEALTHCHECK. Difficulty: Medium

The Postgres password is hardcoded in the compose file — move it to a Docker secret. Difficulty: Medium