Network & Web
HTTP Status Code Reference
Searchable reference for all HTTP status codes — 1xx, 2xx, 3xx, 4xx and 5xx with descriptions.
What are HTTP status codes and how do they work?
Every HTTP response begins with a three-digit status code that tells the client precisely what happened to its request. When your browser fetches a webpage, loads an image, or submits a form, the server responds with a status code before any content. Status codes are part of the HTTP protocol defined in RFC 9110 (HTTP Semantics, 2022), which superseded RFC 7231.
The request-response cycle works as follows: your browser sends an HTTP request with a method (GET, POST, PUT, DELETE, etc.), a target URL, headers, and optionally a body. The server processes the request and responds with a status line containing the HTTP version, status code, and reason phrase — for example, HTTP/1.1 200 OK. This is followed by response headers and optionally a body.
The first digit of the status code categorizes the response into one of five classes. Understanding these classes is the foundation of working effectively with web APIs, debugging network issues, and building correct server behavior.
Complete breakdown of each category
1xx responses are provisional — the server has received part of the request and the client should continue. These are rarely seen by developers in everyday work. The most important is 101 Switching Protocols, returned when upgrading an HTTP connection to WebSocket. 103 Early Hints is a newer addition that allows CDNs and servers to push Link headers for resource preloading before the main response is ready, improving page load performance.
2xx responses indicate the request was received, understood, and accepted. 200 OK is the default success response. 201 Created is the correct response when a POST request creates a new resource — it should include a Location header pointing to the new resource's URL. 204 No Content is correct for DELETE requests and silent updates where no body is needed. 206 Partial Content powers video streaming and resumable downloads via the Range request header.
3xx responses tell the client to look elsewhere for the requested resource. The Location header specifies the new URL. 301 and 308 are permanent redirects — search engines transfer PageRank to the new URL. 302 and 307 are temporary. The critical difference between 301/302 and 308/307 is method preservation: 307 and 308 guarantee that the HTTP method (POST, PUT, etc.) is preserved across the redirect, while 301 and 302 historically caused browsers to downgrade POST to GET.
4xx responses indicate the client made an error. The server understood the request but cannot fulfill it as sent. 400 is the general "bad request" catch-all. 401 triggers authentication (the WWW-Authenticate header specifies the scheme). 403 denies access even to authenticated users. 404 is the most famous: resource not found. 409 indicates a conflict, such as trying to create a duplicate unique record. 422 is increasingly favored for validation errors in REST APIs. 429 indicates rate limiting.
5xx responses indicate the server encountered an error while processing an otherwise valid request. 500 is the generic server error — it should never be returned for client input errors. 502 and 504 indicate proxy/gateway issues — common when your load balancer cannot reach the origin server. 503 with a Retry-After header is the correct way to handle planned maintenance. 507 Insufficient Storage is specific to WebDAV when the server runs out of disk space.
Most important codes every developer must know
200 OKThe universal success response. Always check that you're not accidentally returning 200 for errors.201 CreatedReturn this (not 200) when a POST creates a new resource. Include Location header with the new resource's URL.204 No ContentFor DELETE and silent PUT. Must not include a response body — client code that reads the body will get nothing.301 Moved PermanentlyPermanent redirect with SEO transfer. Use for domain migration, HTTP→HTTPS, and canonical URL changes.304 Not ModifiedCaching workhorse. Server says "your cached copy is still valid — use it". Saves bandwidth for static assets.400 Bad RequestMalformed request syntax. Return with a detailed error body explaining what's wrong.401 UnauthorizedMissing or invalid authentication. Include WWW-Authenticate header. Do not confuse with 403.403 ForbiddenAuthenticated but not authorized. Don't return 404 to hide resource existence — use 403 explicitly.404 Not FoundResource doesn't exist. Return for invalid IDs, deleted resources, and unknown routes.422 UnprocessableValidation failure. The request parsed correctly but failed business rules. Return with field-level error details.429 Too Many RequestsRate limit hit. Include Retry-After header. Clients should implement exponential backoff.500 Internal Server ErrorUnhandled exception in server code. Log the full error internally — return a generic message to clients.503 Service UnavailableServer temporarily down. Include Retry-After header. Use for maintenance windows and overload conditions.How to choose the right status code for your API
A decision tree for REST API responses:
- 1Did the request succeed?
If yes, use 2xx. If the resource was created, use 201. If nothing is returned, use 204. Otherwise, use 200.
- 2Did the client make an error?
Use 4xx. If the request body is malformed JSON, use 400. If auth is missing, use 401. If the user lacks permission, use 403. If the resource doesn't exist, use 404. If validation failed, use 422.
- 3Did the server make an error?
Use 5xx. For unhandled exceptions, use 500. For maintenance windows, use 503 with Retry-After. For proxy failures, use 502 or 504.
- 4Include a structured error body
Always return a JSON error body with 4xx and 5xx responses. Include: error code, human-readable message, and for 422, field-level validation errors. Never return an empty body for errors.
- 5Set appropriate headers
Content-Type: application/json for JSON bodies. Location for 201 and 3xx. Retry-After for 429 and 503. WWW-Authenticate for 401. Allow for 405.
Common mistakes and anti-patterns
Returning HTTP 200 with {"error": "not found"} in the body breaks HTTP semantics, fools monitoring systems, and forces every client to parse the body before knowing success. Use proper 4xx and 5xx codes.
Client input errors are never the server's fault. Returning 500 for a missing required field is incorrect. Use 400 for malformed requests and 422 for validation failures.
An empty list is a valid successful response — return 200 with an empty array, not 404. Reserve 404 for when the resource itself (e.g. the endpoint or a specific ID) does not exist.
Returning 403 tells an attacker the resource exists but they can't access it. For sensitive resources, return 404 to hide existence. This is a deliberate security tradeoff — choose based on your threat model.
Permanent redirects on API endpoints can break clients that don't follow redirects. Prefer updating documentation and making the old endpoint respond with the correct data for a deprecation period.
How browsers handle different redirects — 301 vs 302 vs 307 vs 308
The four redirect codes differ along two dimensions: permanence and method preservation.
| Code | Permanent? | Method preserved? | Best use case |
|---|---|---|---|
| 301 | Yes — cache forever | No (POST → GET) | SEO-safe URL changes, HTTP → HTTPS, domain migration |
| 302 | No — temporary | No (POST → GET) | Temporary redirects, OAuth flows, maintenance pages |
| 307 | No — temporary | Yes (POST → POST) | Temporary redirects that must preserve HTTP method |
| 308 | Yes — cache forever | Yes (POST → POST) | Permanent API endpoint moves where clients use POST/PUT |
Search engines treat 301 and 308 as signals to transfer PageRank from the old URL to the new one. Use them for permanent changes. For temporary maintenance pages, 302 or 307 ensures search engines keep the original URL indexed.
HTTP status codes in REST API design
Well-designed REST APIs use status codes semantically — the code alone tells the client what happened, before it reads the body. Here are the standard patterns for common REST operations:
GET /resourcesGET /resources/:idPOST /resourcesPUT /resources/:idPATCH /resources/:idDELETE /resources/:idFAQ
Common questions
What are HTTP status codes?
HTTP status codes are three-digit numbers returned by a web server in response to a client's request. The first digit indicates the response category: 1xx (informational), 2xx (success), 3xx (redirection), 4xx (client error), and 5xx (server error). They are defined in RFC 9110 (HTTP Semantics).
What is the difference between 301 and 302?
301 Moved Permanently tells clients the resource has moved to a new URL forever — browsers and search engines update their caches, and future requests go directly to the new URL. 302 Found is a temporary redirect; browsers redirect the user but keep the original URL in cache. Use 301 for SEO-safe permanent redirects, 302 for temporary ones (e.g. during maintenance).
What is the difference between 401 and 403?
401 Unauthorized means the client must authenticate — the request lacks valid credentials or the provided credentials are wrong. 403 Forbidden means the server understood the request and the client may be authenticated, but does not have permission to access the resource. In practice: 401 = "you need to log in", 403 = "you're logged in but not allowed".
When should I return 400 vs 422?
400 Bad Request is appropriate when the request itself is malformed — wrong content type, missing required header, unparseable body. 422 Unprocessable Content (formerly Unprocessable Entity) is for well-formed requests that fail validation — correct JSON but a required field is missing or a value fails a business rule. REST APIs increasingly use 422 for validation errors with a structured error body.
What does 204 No Content mean?
204 No Content means the request succeeded but there is no response body to return. It is used for DELETE operations (resource deleted, nothing to return), PUT or PATCH operations when the update was applied silently, and OPTIONS requests in CORS preflight. Unlike 200, a 204 response must not include a message body.
What is a 429 error?
429 Too Many Requests indicates rate limiting — the client has exceeded the allowed number of requests in a given time window. APIs typically return a Retry-After header indicating how many seconds to wait before retrying. Proper clients implement exponential backoff when receiving 429 responses.
What is the 418 I'm a Teapot status?
418 I'm a Teapot was defined as an April Fools' joke in RFC 2324 (Hyper Text Coffee Pot Control Protocol, 1998). Despite being a joke, it was preserved in later HTTP RFCs to avoid breaking existing implementations. Some developers return 418 for endpoints that intentionally refuse a request for humorous reasons. It has no practical HTTP protocol meaning.
What is the difference between 502 and 503?
502 Bad Gateway means the server acting as a proxy or gateway received an invalid response from an upstream server — the origin server is down, crashed, or returned garbage. 503 Service Unavailable means the server is temporarily unable to handle requests — typically due to maintenance or overload. 503 usually includes a Retry-After header; 502 does not.
Should I return 200 with an error body or use an error status code?
Always use a proper error status code. Returning 200 OK with {"error": "not found"} in the body is an anti-pattern called "200 with error body" or "error masking". It breaks HTTP semantics, makes logs useless, confuses monitoring systems, and forces every client to parse the body before knowing if the request succeeded. Use 4xx for client errors and 5xx for server errors.
More in Network & Web