CodeClarityLab / Glossary
Ctrl K
← Home ← Codex ← DEBT
Browse by Category
+ added · updated 7d
Pages
Terms of Use About Contribute 🧠Logic graph Contact
← Back to glossary

REST Architectural Constraints

API Design PHP 5.0+ Intermediate
debt(d7/e7/b7/t7)
d7 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'only careful code review or runtime testing' (d7), since semgrep can flag some patterns (verbs in URLs, wrong status codes) but most REST violations like statelessness or missing HATEOAS require human API review.

e7 Effort Remediation debt — work required to fix once spotted

Closest to 'cross-cutting refactor across the codebase' (e7), because fixing REST violations (removing session state, restructuring URLs, adding HATEOAS links, correcting status codes) touches every endpoint in the API.

b7 Burden Structural debt — long-term weight of choosing wrong

Closest to 'strong gravitational pull' (b7), since the choice of REST constraints (or violation thereof) shapes every endpoint, auth strategy, and client integration across the API surface.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7), per the misconception that any JSON-over-HTTP API is REST; developers confidently build 'REST APIs' that violate statelessness and HATEOAS without realizing it.

About DEBT scoring → scored by claude-opus-4-7 · 2026-05-11 · reviewed by human

Also Known As

REST Fielding constraints HATEOAS stateless API

TL;DR

The six constraints Fielding defined for REST — statelessness, uniform interface, client-server separation, cacheability, layered system, and optional code on demand.

Explanation

Roy Fielding's REST dissertation defines six constraints: Stateless (server holds no session state — each request is self-contained), Uniform Interface (consistent resource identification via URIs, manipulation via representations, self-descriptive messages, HATEOAS), Client-Server separation, Cacheable responses, Layered System (client cannot tell if it's talking to a proxy or origin), Code on Demand (optional — return executable code). Most 'REST' APIs violate HATEOAS, making them HTTP APIs rather than truly RESTful. Understanding the constraints explains why stateless APIs scale better.

Common Misconception

Any HTTP API with JSON is REST — true REST requires HATEOAS (responses include links to related actions); most web APIs are more accurately called HTTP APIs.

Why It Matters

Understanding statelessness explains why session-based auth (server holds state) is incompatible with REST, and why JWT (client holds state) aligns better with REST principles.

Common Mistakes

  • Session-based authentication in a 'REST' API — violates statelessness; use JWT or API keys.
  • Verbs in URLs: POST /createUser — REST uses nouns (POST /users); the HTTP method is the verb.
  • Ignoring HATEOAS — without links, clients must hardcode URLs; with HATEOAS, the API is self-discoverable.
  • Status 200 for errors — violates uniform interface; clients cannot distinguish success from failure without parsing the body.

Code Examples

✗ Vulnerable 
// Not REST — verbs in URLs, wrong HTTP methods, stateful:
POST /api/getUser?id=42         // Verb in URL, wrong method
POST /api/deleteOrder?id=10     // Should be DELETE /api/orders/10
GET  /api/createProduct         // GET should be read-only
// Session stored on server — violates stateless constraint
✓ Fixed 
// REST-aligned:
GET    /api/users/42          // Get user
POST   /api/users             // Create user
PUT    /api/users/42          // Replace user
PATCH  /api/users/42          // Partial update
DELETE /api/orders/10         // Delete order

// HATEOAS response:
{
  "id": 42,
  "name": "Alice",
  "_links": {
    "self":   {"href": "/api/users/42"},
    "orders": {"href": "/api/users/42/orders"}
  }
}
Added 15 Mar 2026
Edited 22 Mar 2026
Views 126

Curated in Warsaw under one editorial standard. 1,506 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
0 pings T 0 pings W 1 ping T 0 pings F 0 pings S 0 pings S 1 ping M 1 ping T 1 ping W 2 pings T 3 pings F 1 ping S 8 pings S 2 pings M 3 pings T 1 ping W 0 pings T 0 pings F 1 ping S 0 pings S 1 ping M 0 pings T 0 pings W 1 ping T 0 pings F 1 ping S 0 pings S 0 pings M 1 ping T 0 pings W
Agents 0
No pings yet today
PetalBot 1
Perplexity 28 ChatGPT 19 Amazonbot 18 Scrapy 17 Google 9 Ahrefs 4 Unknown AI 3 Bing 2 Qwen 1 Claude 1 Meta AI 1 SEMrush 1 PetalBot 1
Also referenced
API Design Principles 74 API Versioning 59 HTTP Status Codes 47 GraphQL vs REST vs gRPC 36
How they use it
crawler 101 crawler_json 4
Related categories
architecture 3.2k networking 1k api_design 913
DEV INTEL Tools & Severity
🟡 Medium ⚙ Fix effort: Medium
⚡ Quick Fix
Ensure your API is stateless (no server-side session between requests), uses correct HTTP methods (GET safe, POST/PUT/DELETE unsafe), and returns appropriate status codes
📦 Applies To
PHP 5.0+ api
🔗 Prerequisites
🔍 Detection Hints
GET requests with side effects; POST for retrieval; server-side session state between API calls; wrong HTTP status codes
Auto-detectable: ✗ No semgrep owasp-zap
⚠ Related Problems
🤖 AI Agent
Confidence: Low False Positives: High ✗ Manual fix Fix: Medium Context: File
✓ schema.org compliant