What Are HTTP Status Codes?
HTTP status codes are 3-digit numeric responses that a server returns to indicate the result of a client's request. When your browser loads a page, the server replies with a status code before sending any content. Understanding these codes is essential for web developers, API designers, and anyone debugging network issues.
Status codes are grouped into five classes based on their first digit:
| Class | Range | Meaning |
|---|---|---|
| 1xx | 100-199 | Informational - request received, continuing process |
| 2xx | 200-299 | Success - request was received, understood, and accepted |
| 3xx | 300-399 | Redirection - further action needed to complete request |
| 4xx | 400-499 | Client Error - request contains bad syntax or cannot be fulfilled |
| 5xx | 500-599 | Server Error - server failed to fulfill a valid request |
The Most Important Status Codes
200 OK
The most common success response. The request succeeded and the response body contains the requested resource. A GET request for a webpage returns 200 with the HTML content.
201 Created
The request succeeded and a new resource was created. Returned after a successful POST that creates a database record. The response should include a Location header pointing to the new resource.
204 No Content
The request succeeded but there is no content to return. Common for DELETE operations or PUT updates where no response body is needed.
301 Moved Permanently
The resource has permanently moved to a new URL. Browsers and search engines update their cached URL. Used for domain migrations and URL restructuring.
302 Found (Temporary Redirect)
The resource temporarily lives at a different URL. The browser follows the redirect but remembers the original URL for future requests. Browsers typically change POST to GET after following a 302.
304 Not Modified
The client's cached version is still valid. Used with conditional requests (If-Modified-Since, If-None-Match). The server confirms the resource hasn't changed, saving bandwidth.
400 Bad Request
The server cannot process the request due to client error. The request contains malformed syntax, invalid parameters, or missing required fields.
401 Unauthorized
Authentication is required but was not provided or failed. The response includes a WWW-Authenticate header indicating the authentication scheme. Despite the name, it means "unauthenticated."
403 Forbidden
The server understood the request but refuses to authorize it. The client is authenticated but lacks permission. Unlike 401, re-authenticating won't help.
404 Not Found
The server cannot find the requested resource. The URL may be wrong, the resource may have been deleted, or access may be restricted to prevent information disclosure.
405 Method Not Allowed
The HTTP method (GET, POST, PUT, etc.) is not supported for this endpoint. The response includes an Allow header listing the supported methods.
408 Request Timeout
The server timed out waiting for the request. The client can repeat the request.
409 Conflict
The request conflicts with the current state of the server. Common when trying to create a duplicate resource or update a resource that has been modified concurrently.
410 Gone
The resource is permanently gone and no forwarding address is available. Unlike 404, the server explicitly indicates the resource existed but has been removed.
422 Unprocessable Entity
The request was well-formed but contained semantic errors. Common in REST APIs when JSON is valid but fails business rule validation.
429 Too Many Requests
Rate limiting is in effect. The response typically includes a Retry-After header. Used to prevent API abuse and DDoS attacks.
500 Internal Server Error
A generic error indicating the server encountered an unexpected condition. The catchall for unhandled server exceptions.
502 Bad Gateway
The server was acting as a gateway and received an invalid response from an upstream server. Common when a load balancer cannot reach the application server.
503 Service Unavailable
The server is temporarily unable to handle the request due to overload or maintenance. The response may include a Retry-After header.
504 Gateway Timeout
The server was acting as a gateway and did not receive a timely response from an upstream server.
Status Codes in REST API Design
Well-designed REST APIs use status codes meaningfully:
GET /users/123 -> 200 (found) or 404 (not found)
POST /users -> 201 (created) or 400 (invalid input) or 409 (duplicate)
PUT /users/123 -> 200 (updated) or 404 (not found) or 422 (validation failed)
DELETE /users/123 -> 204 (deleted) or 404 (not found)
GET /protected -> 401 (not authenticated) or 403 (not authorized)
Debugging Tips
When debugging HTTP issues, check:
- The status code class (4xx = your problem, 5xx = their problem)
- The response body for error details (APIs usually include error messages)
- Response headers (Location for redirects, WWW-Authenticate for auth, Retry-After for rate limits)
- Network timing (slow 200s may indicate performance issues)
-> Try the HTTP Status Codes Reference