HTTP Status Code Reference

Search the full list of HTTP status codes — from 100 Continue to 511 Network Authentication Required — with concise explanations.

1xx Informational

100Continue

The server has received the request headers and the client should proceed to send the request body.

101Switching Protocols

The requester has asked the server to switch protocols and the server has agreed to do so.

102Processing

The server has received and is processing the request, but no response is available yet (WebDAV).

103Early Hints

Used to return some response headers before final HTTP message — useful for preload hints.

2xx Success

200OK

Standard response for successful HTTP requests.

201Created

The request has been fulfilled and a new resource has been created.

202Accepted

The request has been accepted for processing, but the processing has not been completed.

204No Content

The server successfully processed the request and is not returning any content.

205Reset Content

The server successfully processed the request, but the client should reset the document view.

206Partial Content

The server is delivering only part of the resource due to a range header sent by the client.

3xx Redirection

301Moved Permanently

This and all future requests should be directed to the given URI. Method may change to GET.

302Found

Tells the client to look at another URL — historically the most commonly used redirect.

303See Other

The response can be found under another URI using the GET method.

304Not Modified

Indicates the resource has not been modified since last request — cached version is still valid.

307Temporary Redirect

The request should be repeated with another URI but future requests can still use the original.

308Permanent Redirect

The request and all future requests should be repeated using another URI with the same method.

4xx Client Error

400Bad Request

The server cannot or will not process the request due to an apparent client error.

401Unauthorized

Authentication is required and has failed or has not yet been provided.

403Forbidden

The request was valid but the server is refusing action — the client is authenticated but not authorized.

404Not Found

The requested resource could not be found but may be available in the future.

405Method Not Allowed

A request method is not supported for the requested resource.

406Not Acceptable

The requested resource is incapable of generating content acceptable per the Accept headers.

408Request Timeout

The server timed out waiting for the request.

409Conflict

The request could not be processed because of conflict in the current state of the resource.

410Gone

Indicates the resource is no longer available and will not be available again.

411Length Required

The request did not specify the length of its content, which is required.

412Precondition Failed

The server does not meet one of the preconditions specified in the request headers.

413Payload Too Large

The request is larger than the server is willing or able to process.

414URI Too Long

The URI provided was too long for the server to process.

415Unsupported Media Type

The request entity has a media type which the server or resource does not support.

418I'm a teapot

RFC 2324 April Fool's joke — a teapot cannot brew coffee. Not for real APIs.

422Unprocessable Entity

The request was well-formed but unable to be followed due to semantic errors. Common in JSON APIs for validation failure.

423Locked

The resource that is being accessed is locked (WebDAV).

425Too Early

Indicates that the server is unwilling to risk processing a request that might be replayed.

426Upgrade Required

The client should switch to a different protocol such as TLS/1.3.

428Precondition Required

The origin server requires the request to be conditional.

429Too Many Requests

The user has sent too many requests in a given amount of time (rate limiting).

431Request Header Fields Too Large

The server is unwilling to process the request because either an individual header field, or all the headers collectively, are too large.

451Unavailable For Legal Reasons

A server operator has received a legal demand to deny access to a resource or to a set of resources that includes the requested resource.

5xx Server Error

500Internal Server Error

A generic error message, given when an unexpected condition was encountered and no more specific message is suitable.

501Not Implemented

The server either does not recognize the request method, or it lacks the ability to fulfil the request.

502Bad Gateway

The server was acting as a gateway or proxy and received an invalid response from the upstream server.

503Service Unavailable

The server is currently unavailable (because it is overloaded or down for maintenance). Use Retry-After.

504Gateway Timeout

The server was acting as a gateway and did not receive a timely response from the upstream server.

505HTTP Version Not Supported

The server does not support the HTTP protocol version used in the request.

507Insufficient Storage

The server is unable to store the representation needed to complete the request (WebDAV).

508Loop Detected

The server detected an infinite loop while processing the request (WebDAV).

511Network Authentication Required

The client needs to authenticate to gain network access — used by captive portals.

521Web Server Is Down (Cloudflare)

Cloudflare-specific code: the origin server has refused the connection.

522Connection Timed Out (Cloudflare)

Cloudflare-specific code: a connection to the origin server timed out.

525SSL Handshake Failed (Cloudflare)

Cloudflare-specific code: the SSL handshake between Cloudflare and the origin failed.

HTTP status code anatomy

HTTP status codes are three-digit numbers returned by a server in response to every request. The first digit identifies the class of response: 1xx is informational, 2xx is success, 3xx is redirection, 4xx is client error (the request was malformed or unauthorised), and 5xx is server error (the server failed to fulfil a valid request). The remaining two digits identify the specific condition.

The codes are defined by RFC 9110 (the current HTTP semantics specification, replacing RFC 7231) and a handful of supplementary RFCs. Every well-behaved server should return the most specific code that applies — for example 422 Unprocessable Entity is more useful than a generic 400 when the request body is syntactically valid but semantically wrong.

Use the search box to filter by numeric code, name, or category. The reference covers all standard codes plus the most commonly seen unofficial codes (418 I'm a teapot, 451 Unavailable For Legal Reasons, Cloudflare's 5xx range).

Use cases

Look up what 422 means before designing a validation API.
Decide between 401 Unauthorized and 403 Forbidden when writing an authentication middleware.
Confirm that the response your CDN is returning matches the documented code.
Train a new engineer on the difference between 301 and 308 redirects.
Quickly explain a Cloudflare 525 to a non-technical stakeholder.

Best practices

Return 401 for missing or invalid credentials and 403 for authenticated-but-unauthorised users — they are not interchangeable.
Prefer 308 over 301 when redirecting non-GET methods so the request method is preserved.
Use 503 with a Retry-After header for planned maintenance windows.
Never return 200 with an error body — clients will treat the response as success and ignore the embedded error.
Match Cache-Control to the status: 4xx and 5xx responses should usually be marked no-store.

Frequently asked questions

What is the difference between 401 and 403?

401 means "you are not authenticated" — credentials are missing or wrong. 403 means "you are authenticated but not authorised" — the server knows who you are and refuses anyway.

When should I use 422 instead of 400?

422 Unprocessable Entity signals that the request body parsed correctly but failed semantic validation. 400 Bad Request signals a malformed request the server could not parse at all.

Is 418 a real status code?

It is reserved by RFC 2324 (the Hyper Text Coffee Pot Control Protocol April Fool's joke). Major frameworks ship it as a curiosity but no real API should use it.

What does 308 do that 301 does not?

308 Permanent Redirect requires the client to repeat the request with the same method. 301 historically allowed clients to switch from POST to GET, which can break non-idempotent operations.