Verbs in URL paths (/getUser, /createOrder) | REST anti-pattern | Use nouns with HTTP methods |
200 OK returned for error conditions | Incorrect status code | Use appropriate 4xx/5xx codes |
| No input validation on request handlers | Security and data integrity risk | Validate at the boundary |
| Stack traces or internal paths in error responses | Information disclosure | Use standard error format, log details server-side |
| Inconsistent field naming (camelCase vs snake_case) | Breaks predictability | Pick one convention and apply everywhere |
| Missing pagination on list endpoints | Performance risk at scale | Add cursor or offset pagination |
| Breaking change without version bump | Backwards compatibility violation | Bump version or make the change additive |
| No rate limiting on public endpoints | Abuse and availability risk | Implement rate limiting with appropriate headers |
| No idempotency on payment/financial endpoints | Duplicate processing risk | Require idempotency keys |
| API docs maintained separately from code | Documentation drift | Generate docs from source (OpenAPI, introspection) |