For input validation failure: 400 Bad Request + your optional description. This is suggested in the book “RESTful Web Services”. For double submit: 409 Conflict Update June 2014 The relevant specification used to be RFC2616, which gave the use of 400 (Bad Request) rather narrowly as The request could not be understood by the server … Read more
My feeling is 409 Conflict is the most appropriate, however, seldom seen in the wild of course: The request could not be completed due to a conflict with the current state of the resource. This code is only allowed in situations where it is expected that the user might be able to resolve the conflict … Read more
For a PUT request: HTTP 200, HTTP 204 should imply “resource updated successfully”. HTTP 201 if the PUT request created a new resource. For a DELETE request: HTTP 200 or HTTP 204 should imply “resource deleted successfully”. HTTP 202 can also be returned by either operation and would imply that the instruction was accepted by … Read more
A clear explanation from Daniel Irvine [original link]: There’s a problem with 401 Unauthorized, the HTTP status code for authentication errors. And that’s just it: it’s for authentication, not authorization. Receiving a 401 response is the server telling you, “you aren’t authenticated–either not authenticated at all or authenticated incorrectly–but please reauthenticate and try again.” To … Read more