Which http status is most appropriate to reject a (PUT) request where the id in the route does not match the id in the resource that is included in the request body?
Example:
[HttpPut("/api/todos/{id}")]
public IActionResult Update(int id, TodoItem item) {
if (item.id != id) {
throw new HttpException(4??);
}
The 409 status code seems to be a reasonable choice: It's used to indicate that the request conflicts with the current state of the resource on the server. The mismatch between the identifier in the URL and in the payload is by all means a conflict.
The response should include all necessary information for the client to recognize the source of the conflict and then be able to resubmit the request. For reporting problems in a Web API, I advise you to check the RFC 7807.
See how the 409 status code is defined in the RFC 7231:
The
409(Conflict) status code indicates that the request could not be completed due to a conflict with the current state of the target resource. This code is used in situations where the user might be able to resolve the conflict and resubmit the request. The server SHOULD generate a payload that includes enough information for a user to recognize the source of the conflict. [...]