Your question is good, but I believe it is opinion-based. The choice of the appropriate code should be made on the basis of the RFC in force. However, like any other standard, the RFC is not always clear, and it can be interpreted in various ways.
Here are my considerations on the answers already given, and my own opinion.
1. Where and how should I look for sources for questions like this?
First, the RFC that covers this and is currently in force is RFC 7231. If you are comfortable with English, I suggest you read it so you can form your own opinion as well.
2. About not using code 200
Although some web frameworks return 200 for requests with invalid data, I do not believe this is the appropriate code.
According to section 6.3 of RFC 7231, 2xx codes indicate that the client's request was received, understood and accepted.
So, if the purpose of a POST request is, for example, to create a new object on the server, and that is not done because the data is invalid, I do not consider that a 200 code should be returned saying the request was a success; rather, a code indicating that an error occurred in processing the submitted data should be returned.
3. About using code 400
If we consider that the data sent is also part of the request, then when it is invalid, and therefore wrong, nothing is fairer than returning a 400 code, which indicates a bad request.
Definition of the POST method
Looking at the definition of the POST method in the RFC strengthens this idea. According to section 4.3.3, a POST request asks that the target resource process the data present in the request according to the resource's own semantics. Therefore, if you submit data that has no meaning for the server, the request will not be understood and should not be processed.
Definition of Class 4xx and Code 400
Another argument to strengthen the use of code 400 is the definition of class 4xx and its own definition:
Class 4xx holds the codes for when the client makes a mistake. If you take the view that the client is responsible for sending valid data (and that server-side validation is done as a security measure), 4xx seems to be the appropriate class. It is important to note that, according to the RFC, class 4xx should always return an explanation of the error to the client.
Code 400, in turn, indicates that the server cannot, is not able to, or simply will not process the request due to a client error (the error of sending data that has no meaning for the requested resource).
It is important to remember that the RFC does not list the errors a client can make; it gives only a few examples (syntax error is one of them).
4. Therefore...
In conclusion, the client is responsible for sending data that makes sense to the server, and if it does not, this should be considered a client error. So I suggest using code 400 and, as provided in the RFC, sending a message explaining the error, saying that the data is not valid.
Bonus: Status codes that you should definitely not use
418: is not a code in the current RFC and has no semantic value for data validation.
405: should be used only when the request method is not accepted by the server, not when the data itself is not.
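To make the distinctions above concrete, here is an added example (not code from the answer or from any particular framework) of a request handler for a hypothetical `/orders` resource. It returns 405 with an `Allow` header when the method is wrong, 400 with an explanatory JSON body both for malformed JSON and for well-formed data that has no meaning for the resource, and 201 only when the object is actually created. The resource, its validation rules, the 64 KiB body limit and the `order_id` are assumptions made for illustration. One practitioner's caveat is built in: the 400 body explains the problem but never echoes the raw request bytes back to the client.

```python
import json

# Hypothetical resource for the example: POST /orders creates an order.
# The validation rules and the body limit below are assumptions for illustration.
MAX_BODY_BYTES = 64 * 1024  # refuse to parse unbounded input


def validate_order(payload):
    """Return a list of human-readable problems; an empty list means the data is valid."""
    if not isinstance(payload, dict):
        return ["body must be a JSON object"]
    problems = []
    sku = payload.get("sku")
    if not isinstance(sku, str) or not sku.strip():
        problems.append("'sku' is required and must be a non-empty string")
    qty = payload.get("quantity")
    # bool is a subclass of int in Python, so reject it explicitly
    if isinstance(qty, bool) or not isinstance(qty, int) or qty < 1:
        problems.append("'quantity' is required and must be an integer >= 1")
    return problems


def json_response(status, obj, extra_headers=None):
    """Build a (status, headers, body_bytes) triple with a JSON body."""
    headers = {"Content-Type": "application/json"}
    if extra_headers:
        headers.update(extra_headers)
    return status, headers, json.dumps(obj).encode("utf-8")


def handle_request(method, content_type, body):
    """Map one request to (status, headers, body) for the hypothetical /orders resource."""
    if method != "POST":
        # 405 says the *method* is wrong, not the data; Allow tells the client what is accepted.
        return json_response(405, {"error": "method not allowed"}, {"Allow": "POST"})
    if len(body) > MAX_BODY_BYTES:
        # Payload Too Large: do not even try to parse it.
        return json_response(413, {"error": "request body too large"})
    media_type = (content_type or "").split(";")[0].strip().lower()
    if media_type != "application/json":
        # Unsupported Media Type: the representation format itself is wrong.
        return json_response(415, {"error": "Content-Type must be application/json"})
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        # Syntactically broken request: 400 with an explanation, but without echoing
        # the raw body back (attacker-controlled bytes do not belong in responses).
        return json_response(400, {"error": "malformed JSON body"})
    problems = validate_order(payload)
    if problems:
        # Well-formed but meaningless for this resource: still a client error, still 400,
        # and the RFC wants the client told what went wrong.
        return json_response(400, {"error": "invalid order data", "details": problems})
    order_id = 1  # a real service would persist the order; constant id for the example
    created = {"id": order_id, "sku": payload["sku"], "quantity": payload["quantity"]}
    return json_response(201, created, {"Location": f"/orders/{order_id}"})


if __name__ == "__main__":
    # Constructed sample requests: valid, malformed JSON, semantically invalid, wrong method.
    for req in [("POST", "application/json", b'{"sku": "A1", "quantity": 2}'),
                ("POST", "application/json", b'{"sku": '),
                ("POST", "application/json", b'{"sku": "", "quantity": 0}'),
                ("GET", None, b"")]:
        status, headers, out = handle_request(*req)
        print(req[0], status, headers.get("Allow", "-"), out.decode())
```

The two 400 branches are deliberately separate: a JSON parse failure is the "syntax error" the RFC names as an example, while failed field validation is the "data with no meaning for the resource" case the answer argues for, and both get an explanatory body as class 4xx requires.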
This is a good question, but I believe it is opinion-based, since the RFCs are not clear on this point and several interpretations are possible, and therefore several opinions about which code is appropriate.
– ppalacios
Pablo is right, but I think there might be a specific answer based on general consensus.
– Daniel Omine