Code review should contain the following:
Check that indentation is right, that a consistent naming convention is being followed, that lines are not too long, etc. - all the things that improve readability.
Commented-out code should be removed, and there shouldn't be any log calls left over from debugging (e.g. console.log calls that print variables).
The project should follow a certain architecture (MVC, client-server, service-oriented, etc.) and should use proper code and design patterns and technologies. Code should be split into multiple layers and tiers as per requirements (Presentation, Business and Data layers).
Following best practices
Follow the best practices for the technology in use; don't hard-code values; use framework features wherever possible instead of writing custom code.
Code should be readable (you can get an idea of what's going on just by looking at it), easily testable, easy to debug and configurable (parts that are changeable shouldn't be hardcoded but should depend on an environment variable or something similar).
Code should be reusable - follow the DRY principle: everything that can be reused should be made into a service, a util function, etc. Write generic classes and interfaces.
Code should be reliable - errors should be handled properly, i.e. with proper error codes and try-catch blocks wherever an error is possible, so the user never gets something unexpected.
Security threats should be handled: prevention mechanisms should exist for injection attacks (SQL, code injection) and Cross-Site Scripting (XSS), proper authentication and authorization should be implemented, and sensitive data should be encrypted. See the OWASP Top 10.
Last but not least, performance is important - don't use nested loops if there's no need for them, don't use loggers, and pay attention to code optimization, database call times, etc.
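Several items above (leftover console.log calls, commented-out code, over-long lines, hardcoded values, SQL built by string concatenation) can be flagged mechanically before a human reads the change. The following is an added example, not part of the original checklist; the rule names, the 100-column limit and the sample file are assumptions, and the patterns are heuristics that point a reviewer at a line rather than prove a defect.

```javascript
// Added example: mechanical pre-review checks for items on the checklist.
// Rule ids, MAX_LINE and SAMPLE are assumptions made for this illustration.
const MAX_LINE = 100;
const isComment = (line) => /^\s*(\/\/|\*|\/\*)/.test(line);

const RULES = [
  { id: 'debug-log', // leftover debugging output
    test: (l) => !isComment(l) && /\bconsole\.(log|debug)\s*\(/.test(l) },
  { id: 'commented-code', // a comment whose body looks like a statement
    test: (l) => /^\s*\/\/.*(;\s*$|\)\s*\{\s*$|=>)/.test(l) },
  { id: 'long-line', test: (l) => l.length > MAX_LINE },
  { id: 'hardcoded-secret', // credential-like name assigned a string literal
    test: (l) => !isComment(l) &&
      /(password|passwd|secret|api_?key|token)\w*\s*[:=]\s*['"`][^'"`]+['"`]/i.test(l) },
  { id: 'sql-concat', // SQL text built by concatenation or interpolation
    test: (l) => !isComment(l) &&
      /['"`]\s*(select|insert|update|delete)\b[^'"`]*(['"]+\s*\+|\$\{)/i.test(l) },
];

// Returns [{ line, rule, text }] for every rule hit in the source text.
function reviewFindings(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const rule of RULES) {
      if (rule.test(text)) findings.push({ line: i + 1, rule: rule.id, text: text.trim() });
    }
  });
  return findings;
}

// Constructed sample file, not taken from any real project.
const SAMPLE = [
  'const dbPassword = "hunter2";',
  'async function findUser(db, name) {',
  '  console.log(name);',
  '  // const rows = await db.query(legacySql);',
  '  return db.query("SELECT * FROM users WHERE name = \'" + name + "\'");',
  '}',
  'async function findUserSafe(db, name) {',
  '  // parameterized: the driver binds the value, nothing is concatenated',
  '  return db.query("SELECT * FROM users WHERE name = ?", [name]);',
  '}',
].join('\n');

for (const f of reviewFindings(SAMPLE)) {
  console.log(`${f.line}: ${f.rule}: ${f.text}`);
}
```

The parameterized query in findUserSafe produces no finding, which is the form a reviewer should ask for when the sql-concat rule fires.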