← Back to glossary

REST Architectural Constraints

api_design PHP 5.0+ Intermediate

Also Known As

REST Fielding constraints HATEOAS stateless API

TL;DR

The six constraints Fielding defined for REST — statelessness, uniform interface, client-server separation, cacheability, layered system, and optional code on demand.

Explanation

Roy Fielding's REST dissertation defines six constraints: Stateless (server holds no session state — each request is self-contained), Uniform Interface (consistent resource identification via URIs, manipulation via representations, self-descriptive messages, HATEOAS), Client-Server separation, Cacheable responses, Layered System (client cannot tell if it's talking to a proxy or origin), Code on Demand (optional — return executable code). Most 'REST' APIs violate HATEOAS, making them HTTP APIs rather than truly RESTful. Understanding the constraints explains why stateless APIs scale better.

Common Misconception

✗ Any HTTP API with JSON is REST — true REST requires HATEOAS (responses include links to related actions); most web APIs are more accurately called HTTP APIs.

Why It Matters

Understanding statelessness explains why session-based auth (server holds state) is incompatible with REST, and why JWT (client holds state) aligns better with REST principles.

Common Mistakes

Session-based authentication in a 'REST' API — violates statelessness; use JWT or API keys.
Verbs in URLs: POST /createUser — REST uses nouns (POST /users); the HTTP method is the verb.
Ignoring HATEOAS — without links, clients must hardcode URLs; with HATEOAS, the API is self-discoverable.
Status 200 for errors — violates uniform interface; clients cannot distinguish success from failure without parsing the body.

Code Examples

✗ Vulnerable

// Not REST — verbs in URLs, wrong HTTP methods, stateful:
POST /api/getUser?id=42         // Verb in URL, wrong method
POST /api/deleteOrder?id=10     // Should be DELETE /api/orders/10
GET  /api/createProduct         // GET should be read-only
// Session stored on server — violates stateless constraint

✓ Fixed

// REST-aligned:
GET    /api/users/42          // Get user
POST   /api/users             // Create user
PUT    /api/users/42          // Replace user
PATCH  /api/users/42          // Partial update
DELETE /api/orders/10         // Delete order

// HATEOAS response:
{
  "id": 42,
  "name": "Alice",
  "_links": {
    "self":   {"href": "/api/users/42"},
    "orders": {"href": "/api/users/42/orders"}
  }
}

References

↗ https://www.ics.uci.edu/~fielding/pubs/dissertation/rest_arch_style.htm

Tags

Added 15 Mar 2026

Edited 22 Mar 2026

Curated in Warsaw under one editorial standard. 1,444 terms, single voice. About this reference →

Rate this term

No ratings yet

🤖 AI Guestbook educational data only

| |

Last 30 days

Agents 0

No pings yet today

No pings yesterday

Perplexity 27 Amazonbot 15 ChatGPT 14 Google 5 Unknown AI 3 Ahrefs 2 Qwen 1

Also referenced

API Versioning 27 API Design Principles 25 HTTP Status Codes 22 GraphQL vs REST vs gRPC 18

How they use it

crawler 66 crawler_json 1

Related categories

architecture 1.8k networking 498 api_design 495

⚡ DEV INTEL Tools & Severity

🟡 Medium ⚙ Fix effort: Medium

⚡ Quick Fix

Ensure your API is stateless (no server-side session between requests), uses correct HTTP methods (GET safe, POST/PUT/DELETE unsafe), and returns appropriate status codes

📦 Applies To

PHP 5.0+ api

🔗 Prerequisites

HTTP Methods — Idempotency & Safety API Versioning stateless api

🔍 Detection Hints

GET requests with side effects; POST for retrieval; server-side session state between API calls; wrong HTTP status codes

Auto-detectable: ✗ No semgrep owasp-zap

⚠ Related Problems

API Design Principles Caching Strategies (APCu, Redis, Memcached) client confusion

🤖 AI Agent

Confidence: Low False Positives: High ✗ Manual fix Fix: Medium Context: File