Getting Started with HTTP Status Codes
HTTP status codes are 3-digit codes that indicate the status of an HTTP request. They are included in the response from a web server and help the client understand how their request was handled.
Some common examples of HTTP Response Status Codes include:
- 200 OK: The request succeeded, and the server sent back a response. This is the most common success code.
- 301 Moved Permanently: The resource requested has been permanently moved to a new URL. The client should use the new URL going forward.
- 400 Bad Request: The client’s request was malformed or invalid. Syntax errors are common causes.
- 401 Unauthorized: The client tried to access a protected resource without providing authentication credentials. They will need to provide credentials to access it.
- 403 Forbidden: The client is authenticated but does not have permission to access the requested resource.
- 404 Not Found: The server cannot find the requested resource. This indicates that the URL does not exist on the server.
- 500 Internal Server Error: A generic server error occurred. This indicates a problem on the server side, not with the client’s request.
Main Classes of HTTP Response Status Codes
- 1xx Informational
- 2xx Success
- 3xx Redirection
- 4xx Client Error
- 5xx Server Error
Key Takeaways
- HTTP status codes are 3-digit codes that give information about the result of an HTTP request.
- Codes are grouped into five classes: 1xx informational, 2xx success, 3xx redirection, 4xx client error, and 5xx server error.
- Standard codes include 200 OK, 301 Moved Permanently, 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 500 Internal Server Error.
- Status codes help clients understand how the server handles their requests.
- Knowing common status codes assists with debugging web apps and APIs.
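As a worked illustration of the five classes and of using status codes for debugging, the following added example (not part of the original article) buckets access-log responses by class and flags clients with repeated 401/403 responses. The log lines, the Common Log Format assumption, and the threshold of 3 are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Class names as listed in this article.
CLASSES = {1: "Informational", 2: "Success", 3: "Redirection",
           4: "Client Error", 5: "Server Error"}

# Common Log Format: host ident user [time] "request" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) \S+')

# Constructed sample input, not taken from a real server.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /old HTTP/1.1" 301 0
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "POST /login HTTP/1.1" 401 64
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "POST /login HTTP/1.1" 401 64
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "POST /login HTTP/1.1" 401 64
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /admin HTTP/1.1" 403 64
203.0.113.5 - - [01/Jan/2024:10:00:06 +0000] "GET /report HTTP/1.1" 500 0
203.0.113.5 - - [01/Jan/2024:10:00:07 +0000] "GET /missing HTTP/1.1" 404 0
this line is not a log entry
"""

def status_class(code):
    """Map a status code to its class name; None if outside 100-599."""
    return CLASSES.get(code // 100)

def triage(log_text, auth_threshold=3):
    """Count responses per class and flag clients with repeated 401/403."""
    by_class = Counter()
    auth_failures = defaultdict(int)
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        cls = status_class(int(m.group(2))) if m else None
        if cls is None:
            skipped += 1          # malformed line or out-of-range code
            continue
        by_class[cls] += 1
        if m.group(2) in ("401", "403"):
            auth_failures[m.group(1)] += 1
    flagged = sorted(ip for ip, n in auth_failures.items() if n >= auth_threshold)
    return dict(by_class), flagged, skipped

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The threshold is a tuning parameter: a real deployment would also window the counts by time rather than over the whole file.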
All HTTP Response Status Codes
Below is a complete list of all HTTP status codes and their descriptions:
1xx Informational
- 100 Continue: Indicates the initial part of a request has been received, and the client should continue sending the remainder.
- 101 Switching Protocols: The server is switching protocols in response to an Upgrade header, such as upgrading from HTTP to WebSockets. The client should use the new protocol in the future.
- 102 Processing (WebDAV): Indicates the server has received and is processing the request, but no response is available yet.
- 103 Early Hints: Used to return some response headers before the complete response. This allows the client to start preloading resources while the server is still preparing the full response.
2xx Success
- 200 OK: The request succeeded, and the server sent back a response. This is the standard response for successful requests.
- 201 Created: The request succeeded, and a new resource was created as a result. This is typically the response sent after a PUT request.
- 202 Accepted: The request has been accepted for processing, but the processing has not been completed. The request may or may not eventually be acted upon.
- 203 Non-Authoritative Information: The returned metadata in the response is from a local or third-party copy, not from the original server. This is used for mirroring or caching situations.
- 204 No Content: The server successfully processed the request, but there is no content to return in the response payload body.
- 205 Reset Content: This tells the client to reset the document view so that the next page load will be a complete refresh. Used when a previous response sent down content, such as JavaScript, that needs to be cleared.
- 206 Partial Content: Indicates a partial response, typically used in response to a byte range request. The response headers will indicate the byte range included in the response.
- 207 Multi-Status (WebDAV): Used in response to an HTTP bulk request to indicate multiple status codes for different parts of the request.
- 208 Already Reported (WebDAV): Used inside a dav:propstat response element to avoid sending duplicate error messages.
- 226 IM Used (HTTP Delta encoding): The server has fulfilled a GET request, and the response is a representation of the result of one or more instance manipulations on the current instance.
3xx Redirection
- 300 Multiple Choices: Provides a list of alternate resources for the request, such as human languages for translation when the client requests a negotiation.
- 301 Moved Permanently: The requested page has been permanently moved to a new URL. The client should use the new URL for future requests.
- 302 Found: Indicates the resource was temporarily moved or relocated to a new URL. Clients should continue to use the original URL for future requests.
- 303 See Other: Returns a reference to a different URI. Clients should use the new URI in the future. Similar to 301, but the original URI should still be considered valid.
- 304 Not Modified: Indicates the resource has not been modified since the specified date. Used to reduce network traffic when caching resources.
- 305 Use Proxy: Specifies the requested resource must be accessed through a proxy at the specified URL.
- 306 Switch Proxy: No longer used. Originally meant that subsequent requests should use the specified proxy.
- 307 Temporary Redirect: Temporarily redirects the request to a different URL. Similar usage to 302, except requests should not change to the new URL.
- 308 Permanent Redirect: Permanently redirects the request to a different URL. Similar usage to 301, except requests should not change to the new URL.
4xx Client Error
- 400 Bad Request: The server cannot process the request due to malformed syntax or invalid request message framing.
- 401 Unauthorized: Indicates the request requires user authentication. The client may repeat the request with the proper authorization credentials.
- 402 Payment Required: Reserved for future use. Indicates the client must make a payment to access the requested resource.
- 403 Forbidden: The client does not have permission to access this resource, even with authentication. Authorization will not help, and the request should not be repeated.
- 404 Not Found: The server cannot find the requested resource. This indicates the URL does not map to anything on the server.
- 405 Method Not Allowed: The HTTP method in the request is known by the server but has been disabled or is not allowed for the requested resource.
- 406 Not Acceptable: The resource can only generate responses that the client does not accept according to the Accept headers sent in the request.
- 407 Proxy Authentication Required: Similar to 401, it indicates the client must authenticate with a proxy server before the proxy will forward the request.
- 408 Request Timeout: Indicates the server timed out waiting for a request from the client after a certain period. The client can choose to repeat the request at a later time.
- 409 Conflict: Indicates a conflict or invalid state, meaning the request could not be completed. Usually returned in response to a PUT or other non-idempotent request.
- 410 Gone: Indicates the requested resource is no longer available at the requested URL, and no forwarding address is known. The client should not attempt to resubmit the request.
- 411 Length Required: The server refuses to accept the request without a defined Content-Length header.
- 412 Precondition Failed: The client specified one or more preconditions in the headers, which the server does not meet.
- 413 Payload Too Large: The request payload size exceeds the server’s limit.
- 414 URI Too Long: The requested URL exceeds the server’s limit for length.
- 415 Unsupported Media Type: The media format of the submitted data is not supported by the requested resource.
- 416 Range Not Satisfiable: The requested byte range is invalid or unsatisfiable. The headers may contain the satisfiable ranges.
- 417 Expectation Failed: The expectation given in the Expect header could not be fulfilled by the server.
- 418 I’m a teapot (HTTP Tea): Any attempt to brew coffee with a teapot should result in this error code.
- 421 Misdirected Request: The request was directed at a server that cannot produce a response. This can be sent by a server that is not configured to produce responses for the combination of scheme and authority in the request URI.
- 422 Unprocessable Entity (WebDAV): The request was formatted correctly but cannot be processed in its current form. It is often used when the specified parameters fail validation.
- 423 Locked (WebDAV): The resource being accessed is locked.
- 424 Failed Dependency (WebDAV): The request failed due to a failure of a previous request.
- 425 Too Early: Indicates the server is unwilling to perform the request, such as a request to renew an expiring resource, because it is too early from a security perspective.
- 426 Upgrade Required: The server refuses to perform the request using the current protocol but may respond if upgraded to a different protocol. Sent by a server to promote HTTP/2 over HTTP/1.1.
- 428 Precondition Required: The server requires a conditional header like If-Match or If-Unmodified-Since to be present to ensure the correct client is making the request. This protects against unauthorized uploads or updates and helps prevent duplicate simultaneous updates.
- 429 Too Many Requests: The user has sent too many requests in a given amount of time. It is intended to avoid denial-of-service attacks.
- 431 Request Header Fields Too Large: The server refuses to process the request because the header fields are too large. The request may be resubmitted with smaller headers.
- 451 Unavailable for Legal Reasons: The server cannot provide access to the resource because of legal restrictions imposed on it.
5xx Server Error
- 500 Internal Server Error: A generic error message indicating an unexpected server error.
- 501 Not Implemented: The server does not support the requested functionality.
- 502 Bad Gateway: The server received an invalid response from an upstream server it accessed to serve the request.
- 503 Service Unavailable: The server is currently unable to handle the request, usually due to high load or maintenance.
- 504 Gateway Timeout: The upstream server that was accessed to serve the request failed to respond in time.
- 505 HTTP Version Not Supported: The server does not support the HTTP protocol version used in the request.
- 506 Variant Also Negotiates: The server has an internal configuration error, causing the request to be internally forwarded to a different server, causing a negotiation loop.
- 507 Insufficient Storage: The server cannot store the representation needed to complete the request.
- 508 Loop Detected (WebDAV): The server detected an infinite loop in the request.
- 510 Not Extended: Further extensions to the request are required for the server to fulfill it.
- 511 Network Authentication Required: The client needs to authenticate to the network first. Intended for use by intercepting proxies.
FAQs on HTTP Response Status Codes
What is the most common HTTP status code?
The most common HTTP status code is 200 OK, which indicates the request succeeded, and the server has returned a response.
What status code means the page was not found?
404 Not Found is returned when the server cannot find the requested resource. This indicates the URL does not exist on the server.
What code means the user is not authorized?
401 Unauthorized indicates the client is not authenticated and does not have permission to access the requested resource. The request should include proper authentication credentials.
What does a 500 error indicate?
500 Internal Server Error indicates a generic server error occurred. This means there was an unexpected error or problem on the server side, not that the client’s request was malformed.
What code means the resource has moved to a new URL?
301 Moved Permanently indicates the requested resource has been permanently moved to a new URL. The client should use this new URL for future requests instead.
What does a 400 status mean?
400 Bad Request signifies a problem with the request syntax, such as malformed headers or invalid formatting. The client should fix the request before trying again.
What code means the response needs to be cached?
304 Not Modified indicates the client can use its cached copy of the resource, which has remained the same since the specified date.
Priya Mervana
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.