HTTP Status Codes: Complete Reference Guide
HTTP status codes are three-digit responses from a server indicating the result of a request.
HTTP Status Codes
Every HTTP response includes a status code, a three-digit number that tells the client whether the request succeeded, failed, or needs further action. Knowing what each code means makes debugging web applications significantly faster and helps you build APIs that communicate errors clearly and consistently.
How Status Codes Are Organised
HTTP status codes are grouped into five categories based on their first digit. The category tells you immediately whether the outcome was positive, negative, or something in between. The specific code within that category gives you the precise detail.
| Range | Category | Meaning |
|---|---|---|
| 1xx | Informational | The request was received and the process is continuing. These are rarely seen by developers directly. |
| 2xx | Success | The request was received, understood, and processed successfully. |
| 3xx | Redirection | The client must take a further action, usually following a redirect to a different URL. |
| 4xx | Client Error | The request contains an error that is the client's fault, such as invalid syntax, missing authentication, or a resource that does not exist. |
| 5xx | Server Error | The server failed to fulfil a valid request due to an error on its own side. |
Common 2xx Success Codes
A 2xx response means the request was successful. The specific code within this range communicates exactly what kind of success occurred, which matters for clients that need to handle responses differently based on whether a resource was retrieved, created, or deleted.
| Code | Name | When It Occurs |
|---|---|---|
| 200 | OK | The standard success response for GET, PUT, and PATCH requests. The response body contains the requested or updated resource. |
| 201 | Created | A new resource was created successfully, typically in response to a POST request. The response usually includes a Location header pointing to the new resource. |
| 202 | Accepted | The request was accepted for processing but the processing has not yet completed. Used for asynchronous operations such as background jobs. |
| 204 | No Content | The request succeeded but there is no body in the response. Commonly returned after a successful DELETE or a PATCH that requires no response data. |
Common 3xx Redirect Codes
A 3xx response tells the client that the resource it requested is available at a different URL. The new URL is provided in the Location response header. Browsers follow redirects automatically, but API clients may need to be configured to do so. The distinction between permanent and temporary redirects has significant implications for SEO and caching.
| Code | Name | What It Means |
|---|---|---|
| 301 | Moved Permanently | The resource has permanently moved to a new URL. Browsers and search engines update their records to use the new URL for all future requests. The original URL should no longer be used. |
| 302 | Found | A temporary redirect to a different URL. The original URL is still valid and should be used for future requests. Search engines keep the original URL in their index. |
| 304 | Not Modified | The cached copy of the resource is still valid. Returned in response to a conditional request when the content has not changed since the cached version was stored. No body is included, saving bandwidth. |
| 307 | Temporary Redirect | Like 302 but the client must repeat the request using the same HTTP method. A POST request redirected with 307 must remain a POST at the new URL. |
| 308 | Permanent Redirect | Like 301 but the client must repeat the request using the same HTTP method. A POST request redirected with 308 must remain a POST at the new URL permanently. |
Common 4xx Client Error Codes
A 4xx response means the request itself is the source of the problem. The server understood the request but cannot or will not process it because of something the client did or did not provide. Fixing a 4xx error requires changing the request, not restarting the server.
| Code | Name | What It Means |
|---|---|---|
| 400 | Bad Request | The request is malformed or contains invalid syntax. Common causes include missing required fields, invalid JSON, or parameters that fail basic validation. |
| 401 | Unauthorized | The request requires authentication and none was provided, or the provided credentials are invalid or expired. The client should prompt for login. |
| 403 | Forbidden | The client is authenticated but does not have permission to access the requested resource. Logging in again will not fix this. |
| 404 | Not Found | The resource does not exist at the requested URL. Common causes include deleted pages, incorrect URLs, and broken links. |
| 405 | Method Not Allowed | The HTTP method used is not supported for this endpoint. For example, sending a DELETE request to a read-only resource. |
| 408 | Request Timeout | The server timed out waiting for the client to send the complete request. The client may retry. |
| 409 | Conflict | The request conflicts with the current state of the server. Common in APIs when attempting to create a duplicate resource or update a record that has been modified by another request. |
| 410 | Gone | The resource existed previously but has been permanently deleted. Unlike 404, this explicitly signals the resource is gone and will not return. |
| 422 | Unprocessable Entity | The request syntax is valid but the data fails business logic validation. For example, an email field that contains an incorrectly formatted address. |
| 429 | Too Many Requests | The client has exceeded the rate limit. The response typically includes a Retry-After header indicating how long to wait before sending another request. |
Common 5xx Server Error Codes
A 5xx response means the server encountered a problem while processing what was otherwise a valid request. The client did nothing wrong. The fix requires action on the server side. These errors should be monitored closely in production because they represent failures in your own infrastructure.
| Code | Name | What It Means |
|---|---|---|
| 500 | Internal Server Error | A generic catch-all for unexpected server-side failures. Common causes include unhandled exceptions, failed database connections, missing configuration, or bugs in application code. |
| 501 | Not Implemented | The server does not support the HTTP method used in the request. Different from 405, which means the method is known but not allowed for this specific resource. |
| 502 | Bad Gateway | A server acting as a proxy or gateway received an invalid or unrecognisable response from an upstream server. Often seen when a load balancer cannot reach an application server. |
| 503 | Service Unavailable | The server is temporarily unable to handle requests, typically due to being overloaded or undergoing maintenance. Often accompanied by a Retry-After header. |
| 504 | Gateway Timeout | A server acting as a proxy did not receive a timely response from an upstream server. The upstream server was too slow or unresponsive. |
401 vs 403 and 301 vs 302
Two pairs of status codes are frequently confused with each other because their names and descriptions sound similar. Understanding the precise difference between them prevents incorrect implementations that mislead clients.
| Code | Scenario | Client Action |
|---|---|---|
| 401 Unauthorized | No valid credentials were provided or the credentials are expired. The server cannot identify who is making the request. | Prompt the user to log in or refresh the authentication token. |
| 403 Forbidden | Valid credentials were provided and the user is identified, but they do not have permission to access this resource. | Show an access denied message. Logging in again will not help. |
| 301 Moved Permanently | The resource has permanently moved to a new URL. Search engines update their index to the new URL and pass link equity to it. | Update bookmarks and links to use the new URL. The old URL should not be used again. |
| 302 Found | The resource is temporarily at a different URL but will return to the original. Search engines keep the original URL indexed. | Follow the redirect for this request but continue using the original URL for future requests. |
Frequently Asked Questions
- Why do I see 404 errors?
A 404 means the server could not find a resource at the URL that was requested. Common causes include pages that have been deleted, URLs with typos or case mismatches, broken links pointing to content that has moved without a redirect, and API endpoints that have changed path without backwards compatibility. If you are the site owner, audit your links regularly and set up 301 redirects for any URLs that have changed permanently. - What causes a 500 error?
A 500 Internal Server Error indicates an unhandled exception or unexpected condition in the server-side application code. Common causes include bugs that throw uncaught exceptions, failed database connections, missing environment variables or configuration, insufficient disk space, and memory exhaustion. Check your server logs immediately after a 500 error as they will usually contain the specific exception and stack trace needed to diagnose the problem. - What is the difference between 301 and 302 redirects?
A 301 redirect tells browsers and search engines that the resource has permanently moved to a new URL. Search engines update their index to use the new URL and transfer ranking signals to it. A 302 redirect tells clients the resource is temporarily at a different URL but the original URL remains valid and should be kept in the index. Use 301 for permanent URL changes such as a domain migration or restructured paths. Use 302 for temporary situations such as maintenance redirects or A/B testing. - What is the difference between 400 and 422?
Both indicate a problem with the data the client sent, but at different levels. A 400 Bad Request means the request itself is structurally invalid, such as malformed JSON that cannot be parsed, missing required headers, or a request body that cannot be read at all. A 422 Unprocessable Entity means the request was well-formed and parseable but the data failed validation rules, for example an email field that contains a string without an at sign, or an age field with a negative number. Use 422 for business logic validation failures and 400 for structural errors. - When should an API return 204 instead of 200?
Return 204 No Content when a request succeeds but there is genuinely nothing meaningful to include in the response body. The most common cases are successful DELETE operations, where the deleted resource no longer exists and returning it would be redundant, and PATCH or PUT operations where the client already knows what the updated resource looks like. Return 200 OK when the response body contains useful data the client needs, such as the updated record after a PUT or a confirmation message after a POST.
Conclusion
HTTP status codes are the language servers use to communicate the outcome of every request. A 2xx response confirms success. A 3xx response directs the client elsewhere. A 4xx response points to a problem in the request. A 5xx response indicates a failure on the server. Understanding the specific meaning of each code helps you debug APIs faster, build error handling that responds appropriately to each failure type, and configure redirects correctly for both users and search engines. Continue with HTTP requests and responses, HTTP methods, and REST APIs for a complete understanding of how HTTP communication works.