Hidden Assumptions in django-rest-framework

Authentication classes in DEFAULT_AUTHENTICATION_CLASSES are executed in the exact order listed, and the first successful authentication result is used without checking subsequent authenticators

If this fails: If a weaker authentication method is listed before a stronger one, the weaker method will always be used even when stronger credentials are present, potentially bypassing intended security policies

Related objects fetched during serialization will not exceed Django's default query limits or cause memory exhaustion, regardless of relationship depth or cardinality

If this fails: Serializing models with deep or wide relationships (e.g., user with 10,000 posts, each with 100 comments) can trigger thousands of database queries or consume gigabytes of memory, causing timeouts or OOM crashes

JSON request bodies are reasonably sized and can be fully loaded into memory, with no streaming or size limits enforced by the parser

If this fails: Attackers can send extremely large JSON payloads (multi-gigabyte) that consume all available memory during parsing, causing denial of service through memory exhaustion

URL pattern generation assumes standard REST conventions where ViewSet method names (list, create, retrieve, update, destroy) directly map to HTTP methods without conflicts or ambiguity

If this fails: Custom ViewSets with non-standard method names or multiple methods handling the same HTTP verb can generate conflicting URL patterns, causing routing failures or wrong view methods being called

Parsed request data in request.data is always a dictionary-like object that supports key access, even when the original request body was a JSON array or primitive value

If this fails: If a client sends a valid JSON array or string as the request body, accessing request.data['field'] will raise TypeError or KeyError instead of properly handling non-dict JSON structures

The BrowsableAPIRenderer is safe to expose in production environments and doesn't leak sensitive information through the HTML interface or debug features

If this fails: The browsable API can expose internal model structures, field validation details, and available endpoints to unauthorized users if left enabled in production, creating an information disclosure vulnerability

Response.data contains only JSON-serializable Python primitives (str, int, float, bool, list, dict, None) and never contains Django model instances, custom objects, or circular references

If this fails: If Response.data contains non-serializable objects, the JSONRenderer will raise TypeError during response generation, causing 500 errors instead of proper API responses

Client Accept headers are static for the duration of the request and don't change based on response content or intermediate processing steps

If this fails: If custom middleware modifies Accept headers after content negotiation has occurred, the wrong renderer may be selected, causing format mismatches between what the client expects and what gets returned

Page numbers in pagination will remain within reasonable integer bounds and won't cause performance issues when accessing very high page numbers on large datasets

If this fails: Requesting page 999999 on a queryset with millions of records will cause OFFSET queries that are extremely slow or timeout, as database performance degrades linearly with OFFSET size

All datetime strings in API requests follow the configured input format or ISO 8601, and timezone information is handled consistently across all datetime operations

If this fails: Mixed timezone data or unexpected datetime formats can cause silent timezone conversion errors, leading to off-by-hours timestamp storage that corrupts time-sensitive business logic