In a security sensitive context, a parser should return an error on a duplicate key regardless what common parsers do and what the RFC fails to specify.

Implicitly, that means no security software dealing with json should be written in Go, Javascript, ruby, python, etc (where practically everyone uses json parsers that silently ignore duplicate keys)

Plenty of languages do have common json libraries w/ duplicate key errors, like haskell (aeson), rust (serde_json), java (gson, org.json, probably others), so there's plenty of good choices.

So yeah, correct parse result is '400 bad request'

I overwrite with the last one.

Strictly not a parser problem.

Csv is also available.

And binary protocols, with index based implicit keys are and byte length prepended to variable length fields. Those are the gold standard (see ip and tcp headers.)