HTTP Status Codes: The Complete Reference
Every standardised HTTP status code, what it means, and when servers should use it. Codes are grouped by class (1xx informational, 2xx success, 3xx redirection, 4xx client error, 5xx server error). The list reflects the IANA HTTP Status Code Registry as of June 2026.
The five classes at a glance
- 1xx — Informational. Provisional, rarely seen by application code.
- 2xx — Success. The request was received and acted on.
- 3xx — Redirection. Further action needed (usually follow a Location header).
- 4xx — Client error. The request is wrong; fixing the client will help.
- 5xx — Server error. The request was fine; the server failed.
1xx — Informational
| Code | Name | Meaning | When to use it |
|---|---|---|---|
| 100 | Continue | Server received headers, client should send the body. | Used with Expect: 100-continue before uploading a large request body. |
| 101 | Switching Protocols | Server agrees to switch protocol (e.g. to WebSocket). | Returned during a WebSocket or HTTP/2 upgrade handshake. |
| 103 | Early Hints | Preliminary headers (typically Link) so the browser can preload. | Sent before the final response to start asset preloads in parallel. |
2xx — Success
| Code | Name | Meaning | When to use it |
|---|---|---|---|
| 200 | OK | Standard success. | Most successful GET responses. |
| 201 | Created | Resource was created; Location header points to it. | POST that creates a new entity. |
| 202 | Accepted | Request accepted for processing but not yet completed. | Async jobs, queued background work. |
| 204 | No Content | Success, no body to return. | PUT/DELETE that has nothing to send back; preflight responses. |
| 206 | Partial Content | Range request honoured. | Video seeking, resumable downloads (Range: bytes=). |
3xx — Redirection
| Code | Name | Meaning | When to use it |
|---|---|---|---|
| 301 | Moved Permanently | Resource permanently at the new Location. | HTTPS redirects, domain migrations, removing trailing slashes. |
| 302 | Found | Temporary redirect, method may change. | Legacy login flows; avoid for new APIs — use 307/308. |
| 303 | See Other | Redirect with forced GET on the next request. | POST-redirect-GET pattern after a form submission. |
| 304 | Not Modified | Cached response is still valid. | Conditional GET (If-None-Match, If-Modified-Since). |
| 307 | Temporary Redirect | Temporary, method preserved. | Like 302 but the method is guaranteed to stay the same. |
| 308 | Permanent Redirect | Permanent, method preserved. | Like 301 but POST stays POST. |
4xx — Client error
| Code | Name | Meaning | When to use it |
|---|---|---|---|
| 400 | Bad Request | Malformed request the server can't parse. | Invalid JSON, missing required parameters, schema validation failure. |
| 401 | Unauthorized | Authentication required or invalid credentials. | Missing/expired token. The response must include a WWW-Authenticate header. |
| 403 | Forbidden | Authenticated but not allowed. | User logged in but lacks permission for this resource. |
| 404 | Not Found | Resource does not exist. | Unknown URL, deleted record. Don't leak existence info via 403 vs 404. |
| 405 | Method Not Allowed | Method not supported on this URL. | POST to a read-only endpoint. Must return Allow header. |
| 406 | Not Acceptable | Server can't produce a format the client accepts. | Content negotiation failure (Accept header mismatch). |
| 408 | Request Timeout | Client took too long to send the request. | Slow uploads, idle keep-alive connections. |
| 409 | Conflict | Request conflicts with current state. | Optimistic concurrency failure, duplicate resource creation. |
| 410 | Gone | Resource permanently removed; no forwarding. | Deleted accounts, sunsetted APIs. Helps search engines deindex. |
| 411 | Length Required | Content-Length header missing. | Servers that refuse chunked uploads. |
| 413 | Payload Too Large | Request body exceeds limit. | Upload bigger than max_body_size. |
| 415 | Unsupported Media Type | Body's Content-Type is not accepted. | Sending XML to a JSON-only endpoint. |
| 418 | I'm a teapot | RFC 2324 joke; legitimately used to reject bot traffic. | Some sites return 418 instead of 403 to confuse scrapers. |
| 422 | Unprocessable Content | Syntax is valid but semantically wrong. | Validation errors after the body parsed correctly (Rails, FastAPI, Laravel). |
| 423 | Locked | Resource is locked. | WebDAV; some apps use it for tenant locks. |
| 425 | Too Early | Server unwilling to risk replaying request. | HTTP/3 0-RTT replay protection. |
| 428 | Precondition Required | Server requires conditional requests. | APIs that demand If-Match to prevent lost updates. |
| 429 | Too Many Requests | Rate limit hit. | Include Retry-After header. Standard for API throttling. |
| 451 | Unavailable For Legal Reasons | Blocked due to legal demand. | DMCA takedowns, GDPR geo-restrictions, court orders. |
5xx — Server error
| Code | Name | Meaning | When to use it |
|---|---|---|---|
| 500 | Internal Server Error | Generic server-side failure. | Unhandled exception. Log it, alert on it. |
| 501 | Not Implemented | Method not supported by the server at all. | Server doesn't recognise the HTTP method (different from 405). |
| 502 | Bad Gateway | Upstream server returned an invalid response. | Origin crashed or returned malformed data through a reverse proxy. |
| 503 | Service Unavailable | Server temporarily can't handle the request. | Maintenance windows, overload. Include Retry-After. |
| 504 | Gateway Timeout | Upstream didn't respond in time. | Origin too slow, network issue between proxy and origin. |
| 505 | HTTP Version Not Supported | Server doesn't support the request's HTTP version. | Rare — client speaking HTTP/0.9 to a modern server. |
| 507 | Insufficient Storage | Server out of disk for the operation. | Upload endpoints when the disk is full. |
| 511 | Network Authentication Required | Captive portal demanding login. | Hotel and airport WiFi gateways. |
Best-practice cheat sheet
- Authentication missing → 401; authentication present but insufficient → 403.
- Validation error after parsing → 422; malformed body that wouldn't parse → 400.
- Permanent redirect that must preserve method → 308; legacy/website canonical → 301.
- Rate limit hit → 429 with Retry-After.
- Origin down behind a proxy → 502; upstream slow → 504; planned maintenance → 503 with Retry-After.
- Deleted resource that should be deindexed → 410 beats 404.
Inspect them yourself
- HTTP Headers Tool — see the live status code, response headers, and redirects for any URL.
- SSL Checker — confirms 200s arrive over a valid TLS chain.
- Uptime Checker — schedules periodic status-code probes.
Frequently asked questions
What's the difference between 401 and 403?
401 means 'I don't know who you are' — you need to authenticate. 403 means 'I know who you are, and you're not allowed'. Returning 403 for unauthenticated users leaks the existence of the resource; prefer 401 + WWW-Authenticate.
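The 401/403/404 rule above as a decision function, added here as an illustration and not code from this reference; the ACL, the `decide` name and the `Bearer` challenge are assumptions. Unauthenticated callers get 401 before any lookup, and a resource the caller cannot read is answered exactly like one that does not exist.

```python
from typing import Optional

# Constructed sample ACL: resource id -> {user: permitted actions}.
ACL = {
    "report-1": {"alice": {"read", "write"}, "bob": {"read"}},
    "report-2": {"alice": {"read"}},
}


def decide(user: Optional[str], resource_id: str, action: str, acl=ACL):
    """Return (status, headers) without revealing which resource ids
    exist to callers who cannot read them."""
    # 1. No identity: answer 401 before any lookup, so the response is
    #    identical for existing and missing ids.
    if user is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}

    # 2. A missing resource and one hidden from this user take the same
    #    branch, so 403 vs 404 cannot be used to enumerate ids.
    grants = acl.get(resource_id, {}).get(user)
    if not grants or "read" not in grants:
        return 404, {}

    # 3. The caller can already read the resource, so a 403 on another
    #    action discloses nothing new.
    if action not in grants:
        return 403, {}
    return 200, {}
```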
Should I use 301 or 308 for permanent redirects?
Use 308 for APIs or anywhere the request method matters — 301 historically allowed clients to change POST to GET, while 308 guarantees the method is preserved. For plain HTTPS canonical redirects on a website, 301 is still universally supported and cached well.
When should an API return 204 vs 200?
Return 204 when there is genuinely no body to send (a successful DELETE, a PUT that doesn't echo state). Return 200 with a body when the client benefits from the updated resource representation. Don't return 204 with a body — clients are allowed to drop it.
Is 422 just a fancy 400?
Functionally similar, but the distinction is useful: 400 means 'I couldn't parse this' (malformed JSON, bad syntax), while 422 means 'I parsed it fine but the data doesn't make sense' (a negative age, a missing required field after parsing). Most modern frameworks (FastAPI, Laravel, Rails) return 422 for validation errors.
What status code should I use for rate limiting?
429 Too Many Requests, with a Retry-After header (either seconds or an HTTP date). Some legacy services return 503; 429 is the modern, specific answer.
Why is 418 'I'm a teapot' in the spec?
It started as an April Fools' joke in RFC 2324 (1998) for the Hyper Text Coffee Pot Control Protocol. It's been kept in the registry because too many sites and frameworks reference it, and several services use it as a polite way to reject obvious bot traffic.
Sources: RFC 9110 (HTTP Semantics), IANA HTTP Status Code Registry, RFC 6585 (Additional HTTP Status Codes).
