The issue I have with 400 Bad Request is that it's very broad. The request might actually be fine, but the data posted is not. Now you could argue that it doesn't matter why the request is bad, formatting, protocol or data, 400 for everything. It just feels a lot like throwing a generic Exception and attempting to convey the details in the message body.