JSON is the backbone of modern web APIs. Yet developers consistently make the same mistakes—mistakes that cause production outages, security vulnerabilities, and debugging nightmares. Here's what you need to know to work with JSON confidently in 2026.
Why JSON Validation Matters
Every API endpoint that accepts JSON is a potential attack vector. Invalid JSON can cause parser exceptions, unexpected behavior, or in some configurations, denial of service. More critically, unvalidated JSON often leads to type coercion bugs where a string "123" is used where an integer 123 is expected.
Always validate incoming JSON before processing it. Reject malformed requests with a 400 Bad Request and a clear error message. Never try to "fix" malformed JSON silently—it hides bugs and creates unpredictable behavior.
Common JSON Pitfalls
Trailing Commas
JavaScript allows trailing commas in arrays and objects. JSON does not. This is one of the most common causes of "Unexpected token" errors when copying code between a JavaScript file and a JSON configuration.
// JavaScript - Valid
const user = { name: "Alice", age: 30, };
// JSON - Invalid
{ "name": "Alice", "age": 30, } // Parse error!
Single Quotes
JSON requires double quotes for all strings. Single quotes are invalid. This catches developers who write config files in JavaScript and then try to use them as JSON.
Comments
JSON does not support comments. If you need configuration files with comments, use JSON5 (a superset that allows comments) or switch to YAML. Many developers unknowingly try to parse JSON5 as JSON and are confused when it fails.
Numbers and Special Values
JSON has strict rules for numbers. No trailing decimal points, no octal or hexadecimal notation, no leading zeros. It also doesn't support Infinity, NaN, or undefined. If you need these values, you must handle them separately:
- Infinity/-Infinity: use a large number or the string "Infinity"
- NaN: use null or the string "NaN"
- undefined: omit the field entirely or use null
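The following is an added example, not code from the original article. It shows what JSON.stringify actually does with these values (they become null, or disappear, with no error) and a replacer/reviver pair that applies the string encoding suggested above. The function names and the Set of numeric field names passed to the reviver are assumptions for this example.

```javascript
// Added example: default handling of special values, then a replacer/reviver
// pair that encodes them as the strings "NaN", "Infinity" and "-Infinity".

// JSON.stringify turns NaN and Infinity into null and drops undefined, silently.
function defaultEncoding() {
  return JSON.stringify({ ratio: NaN, max: Infinity, min: -Infinity, note: undefined });
}

// Replacer: tag the non-finite numbers as strings instead of losing them as null.
function specialReplacer(key, value) {
  if (typeof value === 'number' && !Number.isFinite(value)) {
    if (Number.isNaN(value)) return 'NaN';
    return value > 0 ? 'Infinity' : '-Infinity';
  }
  return value; // undefined is still dropped, which is what JSON requires
}

const SPECIAL_STRINGS = { NaN: NaN, Infinity: Infinity, '-Infinity': -Infinity };

// Reviver factory: only restore the tags on fields the caller knows are numeric,
// so a legitimate text value such as "Infinity" in another field is left alone.
function makeSpecialReviver(numericFields) {
  return (key, value) => {
    if (numericFields.has(key) && typeof value === 'string'
        && Object.prototype.hasOwnProperty.call(SPECIAL_STRINGS, value)) {
      return SPECIAL_STRINGS[value];
    }
    return value;
  };
}

function encode(obj) {
  return JSON.stringify(obj, specialReplacer);
}

// numericFields: a Set of property names that are allowed to carry the tags.
function decode(text, numericFields) {
  return JSON.parse(text, makeSpecialReviver(numericFields));
}

// Stand-alone demo with a constructed record.
const demoText = encode({ ratio: NaN, max: Infinity, min: -Infinity, label: 'Infinity', note: undefined });
console.log(defaultEncoding());
console.log(demoText);
console.log(decode(demoText, new Set(['ratio', 'max', 'min'])));
```

The reviver is restricted to named fields on purpose: without that restriction any user-supplied string equal to "NaN" would be turned into a number, which is the same kind of type-coercion bug the validation section warns about.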
Security Considerations
Denial of Service via Large Payloads
A malicious client can send a 500MB JSON payload designed to exhaust your parser's memory. Set explicit size limits on incoming requests. Most APIs don't need payloads larger than 1-10MB. If you need to process larger files, use streaming parsers or accept data in chunks.
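An added example (not from the original article) of enforcing such a limit before parsing. It reads an async iterable of byte chunks, which is the shape of a Node.js request body stream, and aborts as soon as the running total exceeds the limit instead of buffering the whole payload and checking afterwards. The 1 MiB default, the error class and the `chunksOf` helper that builds a constructed chunk stream are assumptions for this example.

```javascript
// Added example: size-limited body reader followed by a strict JSON.parse.

// Default limit for this example (constructed value): 1 MiB.
const MAX_BODY_BYTES = 1024 * 1024;

class PayloadTooLargeError extends Error {
  constructor(limit) {
    super(`request body exceeds ${limit} bytes`);
    this.name = 'PayloadTooLargeError';
    this.statusCode = 413; // HTTP 413 Payload Too Large
  }
}

// Concatenate Uint8Array chunks into one buffer of known total length.
function concatChunks(parts, total) {
  const out = new Uint8Array(total);
  let offset = 0;
  for (const part of parts) {
    out.set(part, offset);
    offset += part.byteLength;
  }
  return out;
}

// Reads chunks until the stream ends or the byte budget is exceeded.
// The check happens per chunk, so an oversized body is dropped early.
async function readBodyWithLimit(chunks, maxBytes = MAX_BODY_BYTES) {
  const parts = [];
  let total = 0;
  for await (const chunk of chunks) {
    total += chunk.byteLength;
    if (total > maxBytes) throw new PayloadTooLargeError(maxBytes);
    parts.push(chunk);
  }
  // Decode only after all bytes are in, so multi-byte UTF-8 split across
  // chunk boundaries is handled correctly.
  return new TextDecoder().decode(concatChunks(parts, total));
}

// Limit first, then parse. JSON.parse is strict: no trailing commas, no comments.
async function parseJsonBody(chunks, maxBytes = MAX_BODY_BYTES) {
  const text = await readBodyWithLimit(chunks, maxBytes);
  return JSON.parse(text);
}

// Constructed chunk stream for demos and tests (stands in for a request stream).
async function* chunksOf(...strings) {
  const encoder = new TextEncoder();
  for (const s of strings) yield encoder.encode(s);
}

// Stand-alone demo: a small body parses, an oversized one is rejected with 413.
(async () => {
  console.log(await parseJsonBody(chunksOf('{"name":', '"Alice"}'), 64));
  try {
    await parseJsonBody(chunksOf('{"pad":"', 'x'.repeat(100), '"}'), 64);
  } catch (err) {
    console.log(err.statusCode, err.message);
  }
})();
```

In a real HTTP handler the caller maps `PayloadTooLargeError` to a 413 response and any `SyntaxError` from `JSON.parse` to a 400; both should be counted in metrics, since a burst of either is a useful signal of abuse.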
Prototype Pollution
JavaScript's object prototype system can be exploited if you merge user input into objects without validation. An attacker sending {"__proto__": {"admin": true}} could potentially escalate privileges if your code does naive object merging.
Always validate the structure of incoming JSON. Use JSON Schema or similar validation libraries to ensure the payload matches expected shapes.
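The following added example (not code from the original article) puts the naive merge described above next to a hardened version. Note where the problem actually is: `JSON.parse` creates `"__proto__"` as an ordinary own property and does not touch `Object.prototype` by itself; it is the recursive merge that reaches the prototype, because `dst["__proto__"]` on a plain target resolves to `Object.prototype`. The function names and the forbidden-key list are assumptions for this example.

```javascript
// Added example: naive deep merge (vulnerable) beside a hardened deep merge.

function isPlainObject(v) {
  return typeof v === 'object' && v !== null && !Array.isArray(v);
}

// VULNERABLE: copies every own key of src, including "__proto__".
// Object.keys(JSON.parse('{"__proto__": ...}')) returns ["__proto__"], and
// reading dst["__proto__"] on a plain object yields Object.prototype, so the
// recursion writes attacker-controlled keys onto the shared prototype.
function naiveMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (isPlainObject(src[key])) {
      if (!isPlainObject(dst[key])) dst[key] = {};
      naiveMerge(dst[key], src[key]);
    } else {
      dst[key] = src[key];
    }
  }
  return dst;
}

// HARDENED: fail closed on the keys that reach the prototype chain, and only
// recurse into properties that dst itself owns, never inherited ones.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`rejected key "${key}" in JSON body`); // map to 400 in a handler
    }
    const own = Object.prototype.hasOwnProperty.call(dst, key);
    if (isPlainObject(src[key])) {
      if (!own || !isPlainObject(dst[key])) dst[key] = {};
      safeMerge(dst[key], src[key]);
    } else {
      dst[key] = src[key];
    }
  }
  return dst;
}

// Runs the naive merge on the payload from the text above, records whether an
// unrelated object now inherits "admin", then removes the polluted property
// so the rest of the process is unaffected. Returns true if pollution occurred.
function demonstratePollution() {
  const payload = JSON.parse('{"__proto__": {"admin": true}}');
  naiveMerge({}, payload);
  const polluted = ({}).admin === true;
  delete Object.prototype.admin; // cleanup
  return polluted;
}

console.log('naive merge polluted Object.prototype:', demonstratePollution());
```

Rejecting the key outright (rather than skipping it) is the safer default for an API: a body carrying `__proto__` is never legitimate input, and a 400 gives you a log line to alert on. Building merge targets with `Object.create(null)` is a complementary defence, since such objects have no prototype to reach.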
Information Leakage in Errors
When JSON parsing fails, never expose raw error details (like file paths or library versions) to clients. Return a generic error message to the client while logging the details server-side. Stack traces in API responses are a common source of reconnaissance information for attackers.
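An added example (not code from the original article) that ties this section to the validation rules at the top of the page: a strict parse, an explicit shape check standing in for a JSON Schema validator, a 400 with a client-safe message, and the engine-specific parser message written only to the server log. The `validateUserShape` function, its "user" payload shape and the log-entry format are hypothetical.

```javascript
// Added example: JSON body handler that separates client-facing errors from
// server-side detail. `log` is an array standing in for a structured logger.

// Explicit shape check for a hypothetical "user" payload; a JSON Schema
// validator would do the same job declaratively.
function validateUserShape(data) {
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    return ['body must be a JSON object'];
  }
  const problems = [];
  if (typeof data.name !== 'string') problems.push('name must be a string');
  // Number.isInteger rejects the string "30": the type-coercion case from the intro.
  if (!Number.isInteger(data.age)) problems.push('age must be an integer');
  return problems;
}

function handleJsonBody(rawBody, log) {
  let data;
  try {
    data = JSON.parse(rawBody); // strict: trailing commas, comments, single quotes all fail
  } catch (err) {
    // err.message names the offending token and position: useful in the log,
    // not something the client needs.
    log.push({ level: 'warn', event: 'json_parse_failed', detail: err.message });
    return { status: 400, body: { error: 'Malformed JSON body' } };
  }
  const problems = validateUserShape(data);
  if (problems.length > 0) {
    // Field-level problems describe the contract, not the server, so they are safe to return.
    log.push({ level: 'info', event: 'json_shape_rejected', problems });
    return { status: 400, body: { error: 'Invalid request', problems } };
  }
  return { status: 200, body: { ok: true, user: data } };
}

// Stand-alone demo with constructed bodies: the trailing-comma case from the
// pitfalls section, a coerced-type case, and a valid one.
const demoLog = [];
console.log(handleJsonBody('{ "name": "Alice", "age": 30, }', demoLog));
console.log(handleJsonBody('{"name":"Bob","age":"30"}', demoLog));
console.log(handleJsonBody('{"name":"Bob","age":30}', demoLog));
console.log(demoLog);
```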
Performance Tips
Streaming for Large Files
For JSON files larger than a few megabytes, use a streaming parser. Libraries like JSONStream (Node.js) or ijson (Python) process JSON incrementally, reducing memory usage dramatically for large API responses or log files.
Minification in Production
When sending JSON over the wire in high-traffic scenarios, consider minification. Stripping whitespace saves bandwidth. For logs and configuration that humans need to read, use pretty-printed JSON with 2-space indentation.
Tooling Recommendations
Use our JSON Formatter to validate and format JSON during development. It catches common syntax errors before they reach your parser and highlights structure for easier debugging. For production, integrate JSON Schema validation to enforce contract compliance on all API inputs.
Summary
- Always validate incoming JSON before processing
- Set explicit size limits on payloads to prevent DoS
- Avoid naive object merging to prevent prototype pollution
- Use streaming parsers for large files
- Keep JSON pure—only data, no comments, no trailing commas