HTTP Status Codes: Complete Reference Guide

March 15, 2026 · 10 min read

What Are HTTP Status Codes?

HTTP status codes are three-digit numbers returned by a server in response to a client's request. They indicate whether the request was successful, redirected, or resulted in an error. Every time your browser loads a page, calls an API, or submits a form, the server responds with a status code.

Status codes are grouped into five categories based on their first digit:

1xx (Informational): Request received, processing continues
2xx (Success): Request received, understood, and accepted
3xx (Redirection): Further action needed to complete the request
4xx (Client Error): The request contains an error from the client side
5xx (Server Error): The server failed to fulfill a valid request

🛠️ Quick reference tool

HTTP Status Codes Lookup → SSL Certificate Checker →

1xx Informational

These codes indicate that the server has received the request and is continuing to process it:

100 Continue: The server received the request headers and the client should proceed to send the body. Used with large uploads — the client sends Expect: 100-continue to check if the server will accept the request before sending the full payload.
101 Switching Protocols: The server agrees to switch protocols. Most commonly seen when upgrading from HTTP to WebSocket (Upgrade: websocket).
103 Early Hints: Lets the server send preliminary headers before the final response, often used to start preloading resources like CSS and fonts.

2xx Success

These are the codes you want to see. They mean everything worked:

200 OK: The standard success response. The request succeeded and the response body contains the requested data. This is the most common status code on the web.
201 Created: A new resource was created successfully. Typically returned after a POST request. The response usually includes the created resource and a Location header pointing to it.
204 No Content: Request succeeded but there's no content to return. Common response for DELETE requests or updates where no response body is needed.
206 Partial Content: The server is delivering only part of the resource. Used for range requests — like when resuming a download or streaming video.

# Check status codes with cURL
curl -I https://run-dev.com
# HTTP/2 200
# content-type: text/html; charset=UTF-8

curl -I https://run-dev.com/nonexistent
# HTTP/2 404

3xx Redirection

These codes tell the client to take additional action, usually following a different URL:

301 Moved Permanently: The resource has permanently moved to a new URL. Search engines transfer SEO value to the new URL. Browsers cache this redirect.
302 Found (Temporary Redirect): The resource is temporarily at a different URL. The original URL should still be used for future requests. Search engines keep indexing the original URL.
304 Not Modified: The resource hasn't changed since the last request. The browser can use its cached version. This saves bandwidth and improves performance.
307 Temporary Redirect: Like 302, but the request method and body must not change. If the original request was POST, the redirect must also be POST.
308 Permanent Redirect: Like 301, but guarantees the method and body won't change. Use this for permanent redirects of POST endpoints.

Understanding redirects is critical for SEO. Use 301 for permanent moves and 302/307 for temporary ones. Check your site's redirects with our DNS Lookup tool.

4xx Client Errors

These indicate the client sent a bad request:

400 Bad Request: The server can't process the request due to malformed syntax. Common causes: invalid JSON body, missing required parameters, or wrong Content-Type header. Use a JSON Formatter to validate your request body.
401 Unauthorized: Authentication is required. The request didn't include valid credentials. Send a valid token or API key in the Authorization header.
403 Forbidden: The server understood the request but refuses to authorize it. Unlike 401, re-authenticating won't help — the user simply doesn't have permission.
404 Not Found: The requested resource doesn't exist. The most famous HTTP error. Check the URL for typos or use our URL Encoder to ensure special characters are properly encoded.
405 Method Not Allowed: The HTTP method isn't supported for this endpoint. For example, sending POST to a read-only endpoint that only accepts GET.
408 Request Timeout: The server timed out waiting for the client's request. This usually means the client was too slow to send data.
409 Conflict: The request conflicts with the current state of the resource. Common in REST APIs when trying to create a duplicate resource.
422 Unprocessable Entity: The server understands the request format but the content is semantically invalid. Common in form validation: "email field must be a valid email address."
429 Too Many Requests: Rate limiting. The client has sent too many requests in a given time period. Check the Retry-After header for when to try again.

5xx Server Errors

These indicate the server failed to fulfill a valid request:

500 Internal Server Error: A generic error message when the server encounters an unexpected condition. This is a catch-all for unhandled exceptions. Check server logs for the actual error.
502 Bad Gateway: The server, acting as a proxy or gateway, received an invalid response from the upstream server. Common with reverse proxies (Nginx, Cloudflare) when the backend app is down.
503 Service Unavailable: The server is temporarily unable to handle requests. Common during deployments, maintenance, or when the server is overloaded. Check for a Retry-After header.
504 Gateway Timeout: The proxy/gateway didn't receive a timely response from the upstream server. Similar to 502 but specifically about timeouts rather than bad responses.
520-527 (Cloudflare-specific): Custom error codes used by Cloudflare. 520 means the origin server returned an unexpected response. 521 means the origin server is down. 522 means connection timed out. Use our SSL Checker to verify your SSL configuration.

Troubleshooting Common Errors

Debugging 400 Bad Request

# Check if your JSON is valid
curl -X POST https://api.example.com/data \
  -H "Content-Type: application/json" \
  -d '{"name": "test"}' \
  -v  # Verbose output shows request/response headers

# Common causes:
# - Invalid JSON syntax (use a JSON Formatter to validate)
# - Missing required fields
# - Wrong Content-Type header
# - URL-encoded data sent as JSON

Debugging 401/403

# Check your authentication
curl -H "Authorization: Bearer YOUR_TOKEN" \
  https://api.example.com/protected -v

# Common causes:
# - Expired token (decode with JWT Decoder)
# - Wrong API key
# - Missing Authorization header
# - Token doesn't have required scopes/permissions

Decode your JWT token with our JWT Decoder to check expiration and claims.

Debugging 500/502/503

# Check if the server is reachable
curl -I https://your-server.com

# Check DNS resolution
nslookup your-server.com

# Check SSL certificate
# Use our SSL Checker tool for a comprehensive check

# Monitor the endpoint
watch -n 5 'curl -s -o /dev/null -w "%{http_code}" https://your-server.com'

Frequently Asked Questions

What's the difference between 401 and 403?

401 Unauthorized means the request lacks valid authentication credentials — you need to log in or provide a token. 403 Forbidden means you're authenticated but don't have permission to access the resource. Re-authenticating won't help with 403.

When should I use 200 vs 201 vs 204?

Use 200 for successful GET/PUT/PATCH requests. Use 201 for successful POST requests that create a new resource. Use 204 for successful DELETE requests or updates where no response body is needed.

What does a 301 redirect mean for SEO?

A 301 (Moved Permanently) redirect tells search engines that a page has permanently moved. Search engines transfer most of the SEO value from the old URL to the new one. Always use 301 for permanent URL changes.

How do I fix a 502 Bad Gateway error?

A 502 means the server acting as gateway got an invalid response from the upstream server. Check if your backend application is running, verify the proxy configuration (Nginx, Apache), check server resource usage (CPU, memory, disk), and review application logs for crashes.