Backend

Error Handling

• Never expose stack traces to clients—log internally, return generic message
• Structured error responses: code, message, request ID—enables debugging without leaking
• Fail fast on bad input—validate at entry point, not deep in business logic
• Unexpected errors: 500 + alert—expected errors: appropriate 4xx

Input Validation

• Validate everything from outside—query params, headers, body, path params
• Whitelist valid input, don't blacklist bad—reject unknown fields
• Validate early, before any processing—save resources, clearer errors
• Size limits on all inputs—prevent memory exhaustion attacks

Timeouts Everywhere