Hello Ben,

I prefer your second approach - returning status 400 early - for the reasons you provided. In terms of backwards compatibility, I can't imagine it would matter if status 500 or status 400 is returned.
Our logging is also configured to send an email when a request exception remains unhandled. However, so far we are lucky not to be targeted by bots.

Cheers
Volker