> From my reading, this "hand out a 2xx and an error message" advice is for badly behaved clients who are retrying when they get 4xx.
But trying to handle clients who mishandle things like that is a fool's errand. What client, in their right mind, would try to retry a request that is failing because of what the client is sending? In no case does that make sense, ever.
Similarly, should everything just be 200 then just in case clients mishandle redirect requests?
A lot of developers are idiots. There is tons of code out there doing exactly this kind of thing.
People will copy random snippets from SO and smack them with a hammer until they seem to work then move on to the next thing. I've seen some incredibly stupid code out there, code I can only assume the author either didn't understand or truly didn't give a fuck about. Probably both.
> A lot of developers are idiots. There is tons of code out there doing exactly this kind of thing.
Sure, I agree a lot with this, but that doesn't mean you and I should also do idiotic things. Let's just return correct status codes and the ones who misuse it will misuse it :)
It's not what "should" be used, it's what the author found to be effective.