Our site includes the ability for users to email a link to any email address they want. We're implementing flood control to stop malicious users from sending more than a few emails a day.
I'm trying to determine the best status code to return when flood control is tripped. The closest thing I could find is 429, "Too Many Requests." Would that be appropriate for this situation, or is there something better?
The status code 429 is the most appropriate for rate limiting.
429 Too Many Requests (RFC 6585) The user has sent too many requests in a given amount of time. Intended for use with rate-limiting schemes.