How do you validate a REST API response programmatically, and what assertions are critical for security and performance?