Overall - I really like the guidelines you've created here - it would be great to create this as a website and continually refine these guidelines and provide more motivations/reasons supporting the different guidelines.
2. For #9 kebab case doesn't obfuscate table names - should remove this guideline
3. For #19 Can't use HTTPS/SSL/cookies/authorization headers and Access-Control-Allow-Origin: *
4. For #15 - the reason you don't want to pass tokens in the URL vs the header is that the URL is typically logged and the token would be visible in the logs whereas the header isn't typically logged and is easier to filter if you are logging request headers.
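
The logging concern raised for #15, as an added example that is not part of the original comment: a scrubber that finds and redacts credential-bearing query parameters in access-log lines. The parameter names, log format and sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed names of query parameters that carry credentials (not from the comment).
SENSITIVE_PARAMS = {"token", "access_token", "api_key", "apikey", "auth"}

# Request line as it appears in a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def redact_target(target):
    """Return (redacted_target, names of sensitive parameters found)."""
    parts = urlsplit(target)
    found, kept = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            found.append(name)
            value = "REDACTED"
        kept.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(kept))), found

def scrub_log_line(line):
    """Redact credential-bearing query parameters in one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    redacted, found = redact_target(m.group("target"))
    start, end = m.span("target")
    return line[:start] + redacted + line[end:], found

def audit(lines):
    """Return (scrubbed_lines, indexes of lines that exposed a credential)."""
    scrubbed, leaked = [], []
    for i, line in enumerate(lines):
        clean, found = scrub_log_line(line)
        scrubbed.append(clean)
        if found:
            leaked.append(i)
    return scrubbed, leaked

# Constructed sample: the first request passes the token in the URL, so it is
# written to the log; the second sends it in a header, which this format omits.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /api/v1/orders?page=2&access_token=abc123 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /api/v1/orders?page=2 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line in audit(SAMPLE_LOG)[0]:
        print(line)
```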