Even line-height
in CSS3 is draft. Saying no drafts should be implemented is a ridiculous standpoint: a standpoint not even Firefox aligns with:
Standardization requirements for shipping features
What evidence is necessary will vary, but generally this will be:
W3C - the specification is at the Candidate Recommendation maturity level or more advanced; shipping from a Working Draft or a less advanced specification requires evidence of agreement within the working group that shipping is acceptable
https://wiki.mozilla.org/ExposureGuidelines
But keep moving those goal posts.
Don’t use JSON for the response unless you include the response header to specify it’s
application/json
. You’re better off with regular plaintext unless the request header Accept asked for JSON and you respond with the right header.That also means you can send a response based on what the request asked for.
403 Forbidden (not Unauthorized) is usually enough most of the time. Most of those errors are not meant for consumption by an application because it’s rare for 4xx codes to have a contract. They tend to go to a log and output for human readers later, so I’d lean on text as default.