HTTP Status Codes — Complete Reference
Every HTTP status code explained: what it means, when servers return it, common causes, and how to fix errors. Covers 1xx through 5xx with REST API best practices.
What Are HTTP Status Codes?
HTTP status codes are standardized three-digit integers returned by a web server as part of the HTTP response. Every request you make — from loading a web page to calling a REST API — receives a status code in the response headers. The code tells the client whether the request succeeded, failed, needs to be redirected, or requires some further action.
Defined in RFC 9110 (HTTP Semantics) and originally specified in RFC 2616, status codes are grouped by their first digit into five classes. Understanding these classes helps you quickly diagnose what went wrong and who is responsible — the client, the server, or the network.
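- 1xx (Informational): Provisional, protocol continues
- 2xx (Success): Request accepted and fulfilled
- 3xx (Redirection): Client must follow redirect
- 4xx (Client Error): Malformed or unauthorized request
- 5xx (Server Error): Server failed on valid request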
Most Common HTTP Status Codes
The codes developers encounter most often, with plain-English explanations.
- 200: Request succeeded.
- 201: Resource created.
- 204: Success, no body.
- 301: Permanent redirect.
- 302: Temporary redirect.
- 304: Cached version is current.
- 400: Malformed request syntax.
- 401: Authentication required.
- 403: Access denied.
- 404: Resource does not exist.
- 405: HTTP method not supported.
- 409: State conflict.
- 410: Resource permanently removed.
- 422: Validation failed.
- 429: Rate limited.
- 500: Server failed.
- 502: Upstream invalid response.
- 503: Server temporarily down.
- 504: Upstream timed out.
Informational Responses
Informational responses indicate the request was received and the process is continuing. These are provisional responses sent before the final response. Most modern applications rarely see 1xx responses — they appear during protocol upgrades (WebSocket handshakes) or large request body uploads.
Success Responses
Success responses indicate the action requested by the client was received, understood, and accepted. This is the most important category for API design. Choosing the right 2xx code — 200 vs 201 vs 204 — communicates intent clearly to clients and caching layers. 200 OK is generic success; 201 Created signals a new resource was made; 204 No Content signals success with no body to return.
| Code | Name | Meaning |
|---|---|---|
| 200 | OK | Standard success response. Body contains the result. |
| 201 | Created | Resource was created. Include Location header. |
| 202 | Accepted | Request queued for later processing. |
| 204 | No Content | Success but no body — common for DELETE/PATCH. |
| 206 | Partial Content | Range request fulfilled (streaming, downloads). |
| 207 | Multi-Status | Multiple statuses in one response (WebDAV). |
Redirection Responses
Redirection responses indicate the client must take additional action to complete the request. The key distinction: 301 and 308 are permanent (search engines update indexed URLs); 302 and 307 are temporary (search engines keep original URL). The difference between 302 and 307 — and between 301 and 308 — is whether the HTTP method can change. 307 and 308 preserve the method (a POST stays a POST), while 301 and 302 traditionally allow method changes to GET.
| Code | Name | Meaning |
|---|---|---|
| 301 | Moved Permanently | Permanent redirect — update links and pass SEO value. |
| 302 | Found | Temporary redirect — original URL stays in index. |
| 303 | See Other | Redirect to a different resource (usually after POST). |
| 304 | Not Modified | Cached response is still valid. No body returned. |
| 307 | Temporary Redirect | Temporary redirect preserving HTTP method. |
| 308 | Permanent Redirect | Permanent redirect preserving HTTP method. |
Client Error Responses
Client error responses indicate the request contains bad syntax or cannot be fulfilled. The error is on the client side. 400 means the request is malformed; 401 means unauthenticated (please log in); 403 means authenticated but forbidden (you don't have permission); 404 means the resource doesn't exist; 429 means rate limited. The 401 vs 403 distinction is a common source of confusion: 401 says 'I don't know who you are'; 403 says 'I know who you are but you're not allowed.'
| Code | Name | Meaning |
|---|---|---|
| 400 | Bad Request | Malformed syntax or invalid parameters. |
| 401 | Unauthorized | Authentication required. Send credentials. |
| 403 | Forbidden | Authenticated but not authorized. |
| 404 | Not Found | Resource doesn't exist at this URL. |
| 405 | Method Not Allowed | HTTP method not supported on this endpoint. |
| 408 | Request Timeout | Server timed out waiting for request. |
| 409 | Conflict | State conflict (e.g., duplicate resource). |
| 410 | Gone | Resource permanently deleted. Unlike 404, it's intentional. |
| 411 | Length Required | Content-Length header is required. |
| 412 | Precondition Failed | Conditional request failed. |
| 413 | Content Too Large | Request body exceeds server limit. |
| 414 | URI Too Long | URL is too long for the server to process. |
| 415 | Unsupported Media Type | Content-Type not accepted by server. |
| 422 | Unprocessable Content | Validation failed — check the request body. |
| 423 | Locked | Resource is locked (WebDAV). |
| 429 | Too Many Requests | Rate limited — wait before retrying. |
| 451 | Unavailable For Legal Reasons | Blocked by legal requirements. |
Server Error Responses
Server error responses indicate the server failed to fulfill a valid request. The error is on the server side. 500 is a generic catch-all for unexpected server errors; 502 means a gateway received an invalid response from an upstream server; 503 means the service is down or overwhelmed; 504 means a gateway timed out waiting for upstream. In production, 5xx errors should trigger immediate alerting — they impact all users and indicate infrastructure or code problems.
| Code | Name | Meaning |
|---|---|---|
| 500 | Internal Server Error | Unexpected server failure. Check logs. |
| 501 | Not Implemented | HTTP method not recognized by server. |
| 502 | Bad Gateway | Proxy/gateway got invalid upstream response. |
| 503 | Service Unavailable | Server overloaded or in maintenance. |
| 504 | Gateway Timeout | Proxy timed out waiting for upstream. |
| 505 | HTTP Version Not Supported | Server doesn't support the HTTP version used. |
| 507 | Insufficient Storage | Server can't store the request (WebDAV). |
| 508 | Loop Detected | Infinite loop detected (WebDAV). |
| 510 | Not Extended | Further extension required by server. |
| 511 | Network Authentication Required | Client must authenticate to access network. |
HTTP Status Code Best Practices for REST APIs
Use the right 2xx for each operation
- 200 OK — Successful GET, PUT, PATCH with a response body
- 201 Created — Successful POST that created a resource; include Location header
- 204 No Content — Successful DELETE or PATCH with no body to return
- 202 Accepted — Asynchronous operation queued; include a status polling URL
Distinguish client vs server errors
- 400 — Invalid request format (malformed JSON, missing required field)
- 401 — No credentials / invalid token; client should re-authenticate
- 403 — Valid credentials but insufficient permissions
- 404 — Resource not found; also acceptable for privacy-sensitive 403s
- 422 — Request is well-formed but semantically invalid (validation errors)
- 429 — Rate limited; include Retry-After header
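The 401 / 403 / 404 choice from the list above, as an added example (not code from this page). The token table, resource table, `private` flag and function names are constructed for illustration; the error body uses `error` and `message` keys as an assumed format.

```python
import json

# Constructed sample data for the example.
RESOURCES = {
    "invoice-1": {"owner": "alice", "private": True},
    "post-7": {"owner": "bob", "private": False},
}
VALID_TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


def error(status, code, message, headers=None):
    """Build (status, headers, body) with a structured JSON error body."""
    body = json.dumps({"error": code, "message": message})
    return status, dict(headers or {}), body


def authorize_read(token, resource_id):
    """Pick the status code for a read: identity first, then access."""
    user = VALID_TOKENS.get(token)
    if user is None:
        # 401: identity unknown. WWW-Authenticate names the scheme to use.
        return error(401, "unauthenticated", "Provide a valid token.",
                     {"WWW-Authenticate": "Bearer"})
    resource = RESOURCES.get(resource_id)
    if resource is None:
        return error(404, "not_found", "Resource not found.")
    if resource["owner"] != user:
        if resource["private"]:
            # Privacy-sensitive 403 masked as 404: the response is identical
            # to a genuine 404, so existence of the resource is not revealed.
            return error(404, "not_found", "Resource not found.")
        return error(403, "forbidden", "Insufficient permissions.")
    return 200, {}, json.dumps({"id": resource_id, "owner": user})
```

The masked 404 only hides existence if status, headers and body all match the genuine not-found response, which is why both paths go through the same call.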
301 vs 302 — choosing the right redirect
Use 301 Moved Permanently when a URL has permanently changed — search engines transfer link equity and update their index. Use 302 Found for temporary redirects where you want to preserve the original URL in search indexes. For APIs, prefer 307 Temporary Redirect or 308 Permanent Redirect to preserve the HTTP method across redirects (so a POST doesn't become a GET).
Include helpful error bodies
Don't return just a status code. Include a structured error body so clients can programmatically handle errors. A minimal standard format:
```json
{
  "error": "validation_failed",
  "message": "The 'email' field must be a valid email address.",
  "field": "email",
  "docs": "https://api.example.com/docs/errors#validation"
}
```
Frequently Asked Questions
What is the difference between 401 and 403?
401 Unauthorized means the client is not authenticated — provide a valid token or credentials. 403 Forbidden means the client is authenticated but not authorized — you're logged in but don't have permission. A useful mental model: 401 = 'who are you?', 403 = 'I know who you are, but no.'
Is 404 bad for SEO?
A small number of 404s is normal and not inherently harmful. What matters is whether important pages return 404 — if a page that had external links or rankings disappears, redirect it with a 301 to a relevant page. Soft 404s (pages that return 200 but show 'not found' content) are worse than real 404s because they waste crawl budget.
What is the difference between 500, 502, and 503?
500 Internal Server Error means the server itself encountered an unexpected error — look in your application logs. 502 Bad Gateway means a proxy or load balancer received an invalid response from the upstream server — check your backend service. 503 Service Unavailable means the server is temporarily unable to handle requests — usually due to overload or maintenance. Add a Retry-After header to 503 responses.
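How a client can honor Retry-After on 429 and 503 responses, as an added example (not code from this page). `retry_delay`, the 300-second ceiling and the 1-second default are assumptions; the header is treated as untrusted input and clamped.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_WAIT = 300.0  # assumed client-side ceiling, in seconds


def retry_delay(status, headers, now, default=1.0):
    """Return seconds to wait before retrying, or None if not retryable.

    `headers` is a dict keyed by the exact name "Retry-After" (assumption);
    `now` is a timezone-aware datetime.
    """
    if status not in (429, 503):
        return None
    value = headers.get("Retry-After", "").strip()
    if value.isascii() and value.isdigit():
        # delay-seconds form, e.g. "Retry-After: 120"
        delay = float(value)
    else:
        try:
            # HTTP-date form, e.g. "Wed, 21 Oct 2015 07:28:00 GMT"
            when = parsedate_to_datetime(value)
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            delay = (when - now).total_seconds()
        except (TypeError, ValueError):
            delay = default  # header missing or malformed
    # Clamp: a date in the past means retry now; a huge value is capped
    # so a misbehaving server cannot stall the client indefinitely.
    return min(max(delay, 0.0), MAX_WAIT)
```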
When should I use 204 vs 200?
Return 204 No Content when the request was successful but there is nothing to include in the response body — common for DELETE operations, and PATCH/PUT when you don't need to return the updated resource. Return 200 OK with a body when the client needs to see the result of the operation (fetched data, confirmation details, etc.).
What does 304 Not Modified mean for caching?
304 Not Modified means the resource hasn't changed since the client's cached version (based on ETag or Last-Modified headers). The server sends no body — the client uses its cache. This reduces bandwidth and speeds up repeat page loads. To trigger it, send If-None-Match (with ETag value) or If-Modified-Since in your request headers.