What do you consider illegal as a response? what are the parameters
Executive summary
When an API receives input that violates expected format, semantics, or business rules, that input should be treated as an "illegal" request only insofar as it triggers a well-defined error response; the practical parameters for labeling a request illegal are request syntax/malformed content, semantic/validation failures, and resource/conflict conditions, with 400, 422 and 409 among the commonly recommended HTTP responses depending on the category [1] [2]. There is no universal consensus: standards, historical RFC changes, and de-facto practices among large APIs create gray areas and trade-offs between strict correctness and developer ergonomics [3] [2].
1. Defining “illegal” vs. invalid: syntax first, semantics next
A core distinction in the reporting is that syntactic problems — where the server cannot parse the request body or request-target — are the clearest form of "illegal" input and map to Bad Request semantics (traditionally 400) because the request is malformed and cannot be understood [1] [4]. By contrast, a request that is syntactically well-formed but contains values that violate validation rules or are nonsensical is better described as semantically invalid — for which RFC-derived guidance suggests 422 Unprocessable Entity when the entity is well-formed but semantically erroneous [1] [3].
2. Business rules, conflicts and the case for 409 or 400 depending on context
When a parameter is syntactically correct but breaches a business rule — for example, a username that’s already taken — guidance in community discussion and RFC reasoning recommends 409 Conflict or a 4xx that communicates the specific kind of failure, because the request is not malformed but cannot be completed in the server’s current state [1] [2]. That said, RFC evolution (from 2616 to 7231) and pragmatic practice mean many implementers still use 400 for a wide range of client errors for familiarity and interoperability, making strict adherence to “422 only for semantics” an opinion rather than a universal rule [2].
3. Practical parameters for deciding the response code in implementation
Operationally, the parameters that should guide the decision are: whether the server could parse the request (syntax → 400), whether the parsed entity violates schema/validation/business rules (semantic → 422 often preferable), whether the request collides with server state (resource conflict → 409), and whether the server refuses for authorization/forbidden reasons (401/403) rather than input quality [1] [5]. Many engineers choose simpler rulesets — translate thrown IllegalArgumentException-style errors into 400 responses for developer convenience — but those mappings are implementation choices, not ironclad protocol mandates [6] [7].
4. Why ambiguity persists: RFCs, WebDAV extensions and de-facto standards
Ambiguity endures because 422 originates from WebDAV (RFC 4918) and is more specific for semantic failures, while core HTTP definitions and later RFCs broaden the interpretation of 400, creating overlap; as a result, large public APIs and communities have settled on different conventions and sometimes prefer the well-known 400 for general client-side errors to avoid surprising integrators [3] [2]. Community threads and Stack Overflow answers capture this split: some argue for strict semantic mapping, others for pragmatic consistency with existing ecosystems [1] [8].
5. Recommended policy and implementation checklist
A defensible, balanced policy is: treat unparseable requests as 400 and include a diagnostic body; treat syntactically valid but rule-violating payloads as 422 with a machine-readable error list explaining each field; use 409 for state conflicts like duplicates; and prefer explicit error bodies so clients can remediate — while documenting chosen conventions clearly because interoperability relies as much on predictable behavior as on strict RFC orthodoxy [1] [2] [5]. If documentation or client expectations favor a single code, favor the common 400 but provide structured error info; if seeking precision and future-proofing, adopt 422 and 409 where semantically appropriate and document reasons to reduce confusion [3] [2].