JSON

## Schema & Validation - Always validate against JSON Schema before processing untrusted input—don't assume structure - Define schemas for API responses—catches contract violations early - Use `additionalProperties: false` to reject unknown fields in strict contexts ## Naming & Consistency - Pick one convention and stick to it—`camelCase` for JS ecosystems, `snake_case` for Python/Ruby - Avoid mixed conventions in same payload—`userId` alongside `user_name` confuses consumers - Use plural for collections: `"users": []` not `"user": []` ## Null Handling - Distinguish "field is null" from "field is absent"—they mean different things - Omit optional fields entirely rather than sending `null`—reduces payload, clearer intent - Document which fields are nullable in schema—don't surprise consumers ## Dates & Times - Always use ISO 8601: `"2024-01-15T14:30:00Z"`—no ambiguous formats like `"01/15/24"` - Include timezone or use UTC with `Z` suffix—local times without zone are useless - Timestamps as strings, not epoch integers—human-readable, no precision loss ## Numbers & IDs - Large IDs as strings: `"id": "9007199254740993"`—JavaScript loses precision above 2^53 - Money as string or integer cents—never float: `"price": "19.99"` or `"price_cents": 1999` - Avoid floats for anything requiring exactness—currency, coordinates with precision ## Structure Best Practices - Keep nesting shallow—3 levels max; flatten or split into related endpoints - Consistent envelope for APIs: `{"data": ..., "meta": ..., "errors": ...}` - Paginate large arrays—never return unbounded lists; include `next`/`prev` links or cursor ## API Response Patterns - Errors as structured objects: `{"code": "INVALID_EMAIL", "message": "...", "field": "email"}` - Include request ID in responses for debugging: `"request_id": "abc-123"` - Return created/updated resource in response—saves client a follow-up GET ## Serialization - `toJSON()` method silently overrides output—Date becomes string, custom classes may surprise - Map, Set, BigInt don't serialize—need custom replacer function - Circular references throw—detect cycles before stringify or use libraries like `flatted` - Strip sensitive data before serializing—don't rely on client to ignore extra fields ## Parsing Safety - `__proto__` key can pollute prototypes—sanitize input or use `Object.create(null)` - Parse in try/catch—malformed JSON from external sources is common - Reviver function for type reconstruction: dates, BigInt, custom types ## Unicode - Emoji need surrogate pairs in escapes: 😀 = `\uD83D\uDE00`—single `\u1F600` invalid - Control chars U+0000–U+001F must be escaped—pasted text may contain invisible ones - BOM at file start breaks parsing—strip `\uFEFF` from file input