backend-fundamentals · listed

Auto-invoke when reviewing API routes, server logic, Express/Node.js code, or backend architecture. Enforces REST conventions, middleware patterns, and separation of concerns.
aiskillstore/marketplace · ★ 329 · API & Backend · score 79
Install: claude install-skill aiskillstore/marketplace
# Backend Fundamentals Review

> "APIs are contracts. Break them, and you break trust."

## When to Apply

Activate this skill when reviewing:

- API route handlers
- Express/Fastify/Hono middleware
- Database queries and models
- Authentication/authorization logic
- Server-side business logic

---

## Review Checklist

### API Design

- [ ] **RESTful**: Do routes follow REST conventions? (GET for read, POST for create, etc.)
- [ ] **Naming**: Are endpoints nouns, not verbs? (`/users` not `/getUsers`)
- [ ] **Versioning**: Is API versioned for future changes? (`/api/v1/`)
- [ ] **Status Codes**: Are correct HTTP status codes returned?

### Separation of Concerns

- [ ] **Routes**: Do routes only handle HTTP concerns (req/res)?
- [ ] **Controllers**: Is business logic in controllers/services, not routes?
- [ ] **Services**: Is data access abstracted from business logic?
- [ ] **Models**: Are models responsible only for data shape/validation?

### Error Handling

- [ ] **Try/Catch**: Are async operations wrapped properly?
- [ ] **Error Responses**: Are errors returned with proper status codes?
- [ ] **Logging**: Are errors logged with context?
- [ ] **No Leaks**: Are internal errors hidden from clients?

### Security

- [ ] **Input Validation**: Is ALL input validated before use?
- [ ] **Authentication**: Are protected routes actually protected?
- [ ] **Authorization**: Can users only access their own data?
- [ ] **Rate Limiting**: Are endpoints protected from abuse?

---

## Co