Can I add comments in JSON?

No. The JSON specification (RFC 8259) does not support comments. This is one of the most common complaints. Workarounds include using JSON5 (which allows comments), JSONC (JSON with Comments, used by VS Code), or switching to YAML or TOML for configuration files that need comments.

Is JSON5 or TOML a better alternative to JSON for config files?

TOML is better for most configuration: it supports comments, multiline strings, and datetime types natively, with a strict spec. JSON5 is closer to JSON but adds comments, trailing commas, and unquoted keys. TOML is more widely adopted in modern tooling (Rust, Python, Hugo).

Which format should I use for Docker Compose?

YAML. Docker Compose files are YAML by convention and requirement. The YAML format allows comments (useful for documenting service configurations) and has a cleaner syntax for the nested structures common in Docker configurations.

What are the security risks of YAML?

The main risks are: (1) arbitrary code execution through unsafe deserialization (always use safe_load in Python), (2) billion laughs attack via recursive anchors/aliases (set recursion limits), and (3) unexpected type coercion (yes/no as booleans, numbers interpreted as sexagesimal). JSON and TOML avoid these issues by design.

YAML vs JSON vs TOML: Configuration File Formats Compared

Configuration files are the backbone of modern software. Docker uses YAML, Node.js uses JSON, Rust uses TOML. Choosing the right format affects developer experience, tooling compatibility, and even security. This guide compares the three dominant configuration formats with identical data examples.

The Same Data in Three Formats

JSON:

{
  "name": "my-app",
  "version": "1.0.0",
  "database": {
    "host": "localhost",
    "port": 5432,
    "ssl": true
  },
  "features": ["auth", "logging", "cache"]
}

YAML:

name: my-app
version: "1.0.0"
database:
  host: localhost
  port: 5432
  ssl: true
features:
  - auth
  - logging
  - cache

TOML:

name = "my-app"
version = "1.0.0"
features = ["auth", "logging", "cache"]

[database]
host = "localhost"
port = 5432
ssl = true

Feature Comparison

Feature	JSON	YAML	TOML
Comments	Not allowed	`#` comments	`#` comments
Multiline strings	Escape with \n	`\|` and `>` blocks	`"""` triple-quote
Data types	String, number, boolean, null, array, object	All JSON types + dates, binary	String, integer, float, boolean, datetime, array, table
Anchors/aliases	Not supported	`&anchor` / `*alias`	Not supported
Trailing commas	Not allowed	N/A (no commas)	Allowed in arrays
Indentation-sensitive	No	Yes (spaces only)	No
Spec strictness	Very strict (RFC 8259)	Flexible (can be ambiguous)	Strict and unambiguous

Ecosystem Usage

JSON: package.json, tsconfig.json, .eslintrc.json, AWS CloudFormation, Terraform (also HCL)
YAML: Docker Compose, Kubernetes manifests, GitHub Actions, Ansible, Helm charts, OpenAPI specs
TOML: Cargo.toml (Rust), pyproject.toml (Python), Hugo config, Deno config, Netlify config

Security Considerations

YAML has the most security pitfalls:

Billion laughs attack: YAML anchors/aliases can create exponentially expanding data (similar to XML entity expansion). Always set recursion limits.
Arbitrary code execution: Some YAML parsers (notably Python's yaml.load()) can execute arbitrary code through special tags. Always use yaml.safe_load().
Type coercion surprises: YAML auto-interprets yes/no as booleans and 12:30 as sexagesimal numbers. Quote strings when in doubt.

JSON and TOML are inherently safer because they lack features that enable these attacks.

Recommendations

Use JSON for programmatic configuration that is generated or consumed by code, and for web/JavaScript ecosystems.
Use YAML for human-authored configuration in DevOps and infrastructure (Docker, K8s, CI/CD). Be mindful of security.
Use TOML for simple, flat-ish configuration where comments matter and you want strict, unambiguous parsing.

Convert between formats with the YAML to JSON and JSON to YAML converters on WizlyTools.

The Same Data in Three Formats

JSON:

{
  "name": "my-app",
  "version": "1.0.0",
  "database": {
    "host": "localhost",
    "port": 5432,
    "ssl": true
  },
  "features": ["auth", "logging", "cache"]
}

YAML:

name: my-app
version: "1.0.0"
database:
  host: localhost
  port: 5432
  ssl: true
features:
  - auth
  - logging
  - cache

TOML:

name = "my-app"
version = "1.0.0"
features = ["auth", "logging", "cache"]

[database]
host = "localhost"
port = 5432
ssl = true

Feature Comparison

Feature	JSON	YAML	TOML
Comments	Not allowed	`#` comments	`#` comments
Multiline strings	Escape with \n	`\|` and `>` blocks	`"""` triple-quote
Data types	String, number, boolean, null, array, object	All JSON types + dates, binary	String, integer, float, boolean, datetime, array, table
Anchors/aliases	Not supported	`&anchor` / `*alias`	Not supported
Trailing commas	Not allowed	N/A (no commas)	Allowed in arrays
Indentation-sensitive	No	Yes (spaces only)	No
Spec strictness	Very strict (RFC 8259)	Flexible (can be ambiguous)	Strict and unambiguous

Ecosystem Usage

JSON: package.json, tsconfig.json, .eslintrc.json, AWS CloudFormation, Terraform (also HCL)
YAML: Docker Compose, Kubernetes manifests, GitHub Actions, Ansible, Helm charts, OpenAPI specs
TOML: Cargo.toml (Rust), pyproject.toml (Python), Hugo config, Deno config, Netlify config

Security Considerations

YAML has the most security pitfalls:

Billion laughs attack: YAML anchors/aliases can create exponentially expanding data (similar to XML entity expansion). Always set recursion limits.
Arbitrary code execution: Some YAML parsers (notably Python's yaml.load()) can execute arbitrary code through special tags. Always use yaml.safe_load().
Type coercion surprises: YAML auto-interprets yes/no as booleans and 12:30 as sexagesimal numbers. Quote strings when in doubt.

JSON and TOML are inherently safer because they lack features that enable these attacks.

Recommendations

Use JSON for programmatic configuration that is generated or consumed by code, and for web/JavaScript ecosystems.
Use YAML for human-authored configuration in DevOps and infrastructure (Docker, K8s, CI/CD). Be mindful of security.
Use TOML for simple, flat-ish configuration where comments matter and you want strict, unambiguous parsing.

Convert between formats with the YAML to JSON and JSON to YAML converters on WizlyTools.

YAML vs JSON vs TOML: Configuration File Formats Compared

The Same Data in Three Formats

Feature Comparison

Ecosystem Usage

Security Considerations

Recommendations

Frequently Asked Questions

Related Tools

YAML vs JSON vs TOML: Configuration File Formats Compared

The Same Data in Three Formats

Feature Comparison

Ecosystem Usage

Security Considerations

Recommendations

Frequently Asked Questions

Related Tools