by dreamer7 1837 days ago
Most of the things described in this post are easy to mitigate without much additional development effort. Rate limiting, role-based access, etc. are commodities now.

Implementing server-side validations is, in my opinion, mandatory. This is even more important for any API with more than one client: Android, iOS, Web, etc. Not only does it prevent basic security breaches, but it also prevents hard-to-track bugs. More importantly, why would you not centralise business logic as much as possible instead of having to duplicate it on every client?


Depending on what you mean by "start-up", those are all unfortunately still nice-to-haves, not mandatory, for a functioning app. Having just finished a stint as the main dev at a startup, even commodities still take a reasonable amount of effort for a top-tier group of 1-5 people to manage, let alone the team you happen to have at the time (meaning not top tier, looking at myself here, heh). Roll that into "we got funding and it's growth time, no space for architecture changes", and it's not hard to see the path to skipping out on some things that are considered basic for a new project at a medium-to-large-scale company. So I'm not really against what you say, just a note that the ideal doesn't always match the reality.

I understand how it ends up like this, as I myself run a startup with a small tech team. Typically the issue is that we are always looking to add new features rather than trying to fix issues from the past. But I still believe that with good principles from the beginning, we will be able to build better software without it costing us time.