Dhameliya

Designing Systems That Are Hard to Misuse

Dhruval Dhameliya·October 3, 2025·6 min read
architecturereliability

How to design APIs, configurations, and system interfaces that guide users toward correct usage and make dangerous operations difficult to perform accidentally.

The best systems are not just easy to use correctly. They are hard to use incorrectly. This is a design philosophy that shifts the burden of correctness from the user to the system. If a user can misuse your API in a way that causes data loss, that is a design bug, not a user error.

Related: How I'd Design a Mobile Configuration System at Scale.

The Pit of Success

The concept is straightforward: design interfaces so that the natural, easy path leads to correct behavior. Making the wrong thing hard and the right thing easy is more effective than documentation, training, or code reviews.

Consider two API designs for deleting a user account:

// Easy to misuse
DELETE /users/{id}

// Hard to misuse
POST /users/{id}/deletion-requests
  { "confirmation": "DELETE", "reason": "user_requested" }

The second design requires explicit confirmation, captures the reason, and creates an auditable record. It also naturally supports a cooling-off period because the deletion request is a separate entity from the deletion itself.

Dangerous Defaults

The most common source of misuse is dangerous default behavior. When a parameter is omitted, the system should do the safe thing, not the convenient thing.

Examples of dangerous defaults I have encountered and fixed:

Dangerous defaultSafe alternative
Cascade delete enabled by defaultRequire explicit cascade flag
No rate limit on API endpointsConservative rate limit, increase on request
Unlimited query result sizeDefault page size with maximum cap
Connection pool with no timeoutConnection timeout of 5 seconds
Log level set to DEBUG in productionLog level defaults to WARN, configurable per environment
Retry with no backoffExponential backoff with jitter by default

Every dangerous default is a production incident waiting to happen. The team that configured it correctly will not be the team that inherits the system.

Type Systems as Guard Rails

Strong typing prevents entire categories of misuse. When you represent a user ID as a string, nothing prevents you from passing an email address where a user ID is expected. When you use a distinct type, the compiler catches the mistake.

Patterns I enforce:

  • Newtype wrappers for identifiers (UserId, OrderId, AccountId are distinct types, not all strings)
  • Enums for finite sets (status codes, feature flags, environment names are enums, not strings)
  • Units in type names (DurationMs, AmountCents, DistanceKm make the unit unambiguous)
  • Non-nullable by default (optional fields are explicitly marked, required fields cannot be null)

This adds some boilerplate. The trade-off is worth it because type errors are caught at compile time instead of in production.

Configuration Safety

Configuration is one of the most misuse-prone interfaces in any system. A wrong value in a config file can take down production as effectively as a code bug, but without the safety net of tests or code review.

My configuration design rules:

  • Validate on startup. If the configuration is invalid, the application refuses to start. Do not discover config errors at runtime.
  • Range-check numeric values. A thread pool size of 0 or 10,000 is almost certainly wrong. Reject it at startup.
  • Require explicit environment selection. Never let a production system accidentally connect to a staging database because someone omitted an environment variable.
  • Make dangerous options look dangerous. A flag like SKIP_ALL_VALIDATION=true should require a second confirmation flag like I_KNOW_WHAT_I_AM_DOING=true. This is not a joke. It has prevented incidents.

API Design for Safety

Beyond type safety, API design choices can prevent entire classes of misuse:

Make destructive operations reversible. Instead of hard-deleting records, soft-delete with a configurable retention period. The API returns a deletion receipt that can be used to undo the operation within the retention window.

Require confirmation for bulk operations. An endpoint that modifies thousands of records should require the caller to specify the expected count. If the actual count differs significantly, reject the request.

POST /users/bulk-deactivate
{
  "filter": { "last_login_before": "2024-01-01" },
  "expected_count": 1523,
  "tolerance_percent": 5
}

If the filter matches 15,000 users instead of 1,523, the operation fails with a count mismatch error.

Separate read and write endpoints. GET requests should never have side effects. This prevents accidental mutations from browser prefetching, caching proxies, or retry logic that assumes GET is safe.

Error Messages as Documentation

When a system rejects an input, the error message should tell the user exactly what is wrong and how to fix it. A message like "Invalid input" is useless. A message like "Field 'amount' must be a positive integer representing cents, received: -5.50" is actionable.

Good error messages include:

  • Which field or parameter is invalid
  • What the valid format or range is
  • What value was actually received
  • A suggestion for how to fix it

This is not a courtesy. It is a design decision that reduces support burden and prevents users from guessing their way into a different kind of misuse.

Immutability Where Possible

Mutable state is a source of misuse because it allows conflicting updates, lost updates, and state corruption. Where possible, I design for immutability:

  • Append-only event logs instead of mutable records
  • Versioned configurations instead of in-place updates
  • Immutable deployment artifacts instead of patching running systems
  • Copy-on-write semantics for shared data structures

When mutation is necessary, I enforce it through explicit state machines with validated transitions rather than arbitrary field updates.

Key Takeaways

  • The pit of success principle: make correct usage easy and incorrect usage difficult.
  • Dangerous defaults cause more production incidents than code bugs. Default to the safe behavior.
  • Strong typing with distinct types for identifiers, enums for finite sets, and units in type names prevents misuse at compile time.
  • Configuration must be validated on startup with range checks and explicit environment selection.
  • Destructive API operations should be reversible, require confirmation, and include count validation for bulk operations.
  • Error messages are a design interface. They should tell users exactly what is wrong and how to fix it.

See also: Designing a Feature Flag and Remote Config System.

Further Reading

Final Thoughts

Designing against misuse is not about distrusting your users. It is about respecting the reality that mistakes happen, context is lost, and the person using your system tomorrow may not have the same understanding as the person who built it today. Systems that are hard to misuse are systems that are safe to operate, and safety scales better than expertise.

Recommended

Designing an Offline-First Sync Engine for Mobile Apps

A deep dive into building a reliable sync engine that keeps mobile apps functional without connectivity, covering conflict resolution, queue management, and real-world trade-offs.

Jetpack Compose Recomposition: A Deep Dive

A detailed look at how Compose recomposition works under the hood, what triggers it, how the slot table tracks state, and how to control it in production apps.

Event Tracking System Design for Android Applications

A systems-level breakdown of designing an event tracking system for Android, covering batching, schema enforcement, local persistence, and delivery guarantees.