HTTP Status Codes: Complete Reference Guide (2026)

HTTP status codes are three-digit responses from web servers that tell you whether a request succeeded or failed, and why. Understanding these codes is essential for web development, API design, debugging, and troubleshooting. This comprehensive guide covers every HTTP status code you need to know.

What Are HTTP Status Codes?

When your browser requests a web page or your application calls an API, the server responds with a status code indicating what happened. These codes are grouped into five categories:

• 1xx Informational — Request received, continuing process
• 2xx Success — Request successfully received and processed
• 3xx Redirection — Further action needed to complete request
• 4xx Client Error — Request contains bad syntax or cannot be fulfilled
• 5xx Server Error — Server failed to fulfill a valid request

1xx — Informational Responses

These codes indicate that the request was received and the process is continuing. Rarely seen in practice.

100 Continue

The server has received the request headers and the client should proceed to send the request body. Used with large uploads when the client wants confirmation before sending data.

HTTP/1.1 100 Continue

101 Switching Protocols

The server is switching to a different protocol as requested by the client. Common with WebSocket connections.

HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade

102 Processing

The server has received and is processing the request, but no response is available yet. Prevents the client from timing out.

103 Early Hints

Used to return some response headers before the final response. Helps with preloading resources.

2xx — Success

These codes indicate the request was successfully received, understood, and accepted.

200 OK

The most common success code. The request succeeded and the response contains the requested data.

GET /api/users/123
HTTP/1.1 200 OK
Content-Type: application/json

{"id": 123, "name": "John Doe"}

Use for: Successful GET, POST (with response), PUT, PATCH, DELETE requests

201 Created

A new resource was successfully created. The response should include a Location header pointing to the new resource.

POST /api/users
HTTP/1.1 201 Created
Location: /api/users/456

{"id": 456, "name": "Jane Smith"}

Use for: POST requests that create new resources

202 Accepted

The request was accepted for processing, but processing is not complete. Used for async operations.

POST /api/jobs/process
HTTP/1.1 202 Accepted

{"job_id": "abc123", "status": "processing"}

Use for: Background jobs, batch operations, long-running tasks

203 Non-Authoritative Information

The request was successful but the returned metadata is from a cached copy, not the origin server.

204 No Content

The request succeeded but there's no content to return. The client should not update its view.

DELETE /api/users/123
HTTP/1.1 204 No Content

Use for: DELETE requests, PUT/PATCH with no response body needed

205 Reset Content

The request succeeded and the client should reset the document view (e.g., clear a form).

206 Partial Content

The server is delivering only part of the resource due to a range header sent by the client. Used for resumable downloads and video streaming.

GET /video.mp4
Range: bytes=0-1023

HTTP/1.1 206 Partial Content
Content-Range: bytes 0-1023/1048576

3xx — Redirection

These codes indicate the client must take additional action to complete the request.

300 Multiple Choices

Multiple options for the resource are available. Rarely used.

301 Moved Permanently

The resource has permanently moved to a new URL. Search engines will update their links.

GET /old-page
HTTP/1.1 301 Moved Permanently
Location: /new-page

Use for: Permanent URL changes, HTTPS redirects, domain migrations

302 Found (Temporary Redirect)

The resource temporarily resides at a different URL. The original URL should still be used for future requests.

GET /sale
HTTP/1.1 302 Found
Location: /summer-sale

Use for: Temporary redirects, A/B testing, maintenance pages

303 See Other

The response can be found at another URL using GET. Used to redirect after a POST.

POST /api/orders
HTTP/1.1 303 See Other
Location: /orders/789

304 Not Modified

The resource hasn't been modified since the version specified in the request headers. The client can use the cached version.

GET /style.css
If-None-Match: "abc123"

HTTP/1.1 304 Not Modified

Use for: Cache validation, reducing bandwidth

307 Temporary Redirect

Like 302, but guarantees the request method won't change on redirect. A POST stays a POST.

308 Permanent Redirect

Like 301, but guarantees the request method won't change on redirect.

4xx — Client Errors

These codes indicate the request contains bad syntax or cannot be fulfilled.

400 Bad Request

The server cannot process the request due to client error (malformed syntax, invalid JSON, etc.).

POST /api/users
Content-Type: application/json

{"name": "John"  // Invalid JSON - missing closing brace

HTTP/1.1 400 Bad Request
{"error": "Invalid JSON syntax"}

Use for: Validation errors, malformed requests, missing required fields

401 Unauthorized

Authentication is required but was not provided or failed. The client should authenticate and try again.

GET /api/account
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer

{"error": "Authentication required"}

Use for: Missing credentials, invalid tokens, expired sessions

402 Payment Required

Reserved for future use. Originally intended for digital payment systems.

403 Forbidden

The server understood the request but refuses to authorize it. Unlike 401, authenticating won't help.

DELETE /api/admin/users
Authorization: Bearer valid-token

HTTP/1.1 403 Forbidden
{"error": "Insufficient permissions"}

Use for: Permission denied, access to admin-only resources, blocked users

404 Not Found

The most famous error code. The requested resource doesn't exist on the server.

GET /api/users/999999
HTTP/1.1 404 Not Found

{"error": "User not found"}

Use for: Non-existent resources, deleted items, invalid URLs

405 Method Not Allowed

The request method is not supported for this resource. Should include an Allow header listing valid methods.

POST /api/users/123  // Trying to create at specific ID
HTTP/1.1 405 Method Not Allowed
Allow: GET, PUT, DELETE

{"error": "POST not allowed for specific user"}

406 Not Acceptable

The server cannot produce a response matching the acceptable values in the request's Accept headers.

407 Proxy Authentication Required

Like 401, but authentication must be done with the proxy.

408 Request Timeout

The server timed out waiting for the request. The client may repeat the request.

409 Conflict

The request conflicts with the current state of the server. Often used for concurrent modification issues.

PUT /api/users/123
If-Match: "old-etag"

HTTP/1.1 409 Conflict
{"error": "Resource was modified by another request"}

Use for: Duplicate resources, concurrent updates, version conflicts

410 Gone

The resource is permanently gone and won't be available again. Unlike 404, this is intentional and permanent.

GET /api/v1/old-endpoint
HTTP/1.1 410 Gone

{"error": "This API version was deprecated on 2025-01-01"}

411 Length Required

The server requires a Content-Length header.

412 Precondition Failed

One or more conditions in the request header fields evaluated to false.

413 Payload Too Large

The request entity is larger than the server is willing or able to process.

POST /api/upload
Content-Length: 50000000

HTTP/1.1 413 Payload Too Large
{"error": "File size exceeds 10MB limit"}

414 URI Too Long

The URI is longer than the server is willing to interpret. Usually happens with GET requests with too many query parameters.

415 Unsupported Media Type

The server refuses to accept the request because the payload format is unsupported.

POST /api/users
Content-Type: text/plain

name=John

HTTP/1.1 415 Unsupported Media Type
{"error": "Expected application/json"}

416 Range Not Satisfiable

The range specified by the Range header cannot be fulfilled.

417 Expectation Failed

The server cannot meet the requirements of the Expect header.

418 I'm a teapot

An April Fools' joke from 1998 (RFC 2324). Some servers implement it for fun.

422 Unprocessable Entity

The request was well-formed but contains semantic errors. Common with API validation.

POST /api/users
{"email": "not-an-email", "age": -5}

HTTP/1.1 422 Unprocessable Entity
{
  "errors": {
    "email": "Invalid email format",
    "age": "Age must be positive"
  }
}

Use for: Validation errors, business logic violations

423 Locked

The resource is locked and cannot be accessed.

424 Failed Dependency

The request failed because it depended on another request that failed.

425 Too Early

The server is unwilling to process a request that might be replayed.

426 Upgrade Required

The client should switch to a different protocol.

428 Precondition Required

The server requires the request to be conditional (e.g., include If-Match).

429 Too Many Requests

The user has sent too many requests in a given time (rate limiting).

GET /api/search
HTTP/1.1 429 Too Many Requests
Retry-After: 60

{"error": "Rate limit exceeded. Try again in 60 seconds"}

Use for: API rate limiting, DDoS protection, abuse prevention

431 Request Header Fields Too Large

The server is unwilling to process the request because header fields are too large.

451 Unavailable For Legal Reasons

The resource is unavailable due to legal reasons (censorship, DMCA takedown, etc.).

5xx — Server Errors

These codes indicate the server failed to fulfill a valid request.

500 Internal Server Error

The generic error response. The server encountered an unexpected condition that prevented it from fulfilling the request.

GET /api/users
HTTP/1.1 500 Internal Server Error

{"error": "An unexpected error occurred"}

Use for: Unhandled exceptions, database errors, generic failures

501 Not Implemented

The server does not support the functionality required to fulfill the request.

TRACE /api/users
HTTP/1.1 501 Not Implemented

{"error": "TRACE method not implemented"}

502 Bad Gateway

The server, while acting as a gateway or proxy, received an invalid response from the upstream server.

GET /api/users
HTTP/1.1 502 Bad Gateway

{"error": "Upstream service unavailable"}

Common causes: Backend server down, network issues, misconfigured proxy

503 Service Unavailable

The server is temporarily unable to handle the request. Usually due to maintenance or overload.

GET /api/users
HTTP/1.1 503 Service Unavailable
Retry-After: 3600

{"error": "Service under maintenance"}

Use for: Scheduled maintenance, server overload, deployment

504 Gateway Timeout

The server, while acting as a gateway, did not receive a timely response from the upstream server.

GET /api/slow-operation
HTTP/1.1 504 Gateway Timeout

{"error": "Request timed out"}

505 HTTP Version Not Supported

The server does not support the HTTP protocol version used in the request.

506 Variant Also Negotiates

Transparent content negotiation resulted in a circular reference.

507 Insufficient Storage

The server is unable to store the representation needed to complete the request.

508 Loop Detected

The server detected an infinite loop while processing the request.

510 Not Extended

Further extensions to the request are required for the server to fulfill it.

511 Network Authentication Required

The client needs to authenticate to gain network access (common with captive portals).

Best Practices

For API Design

• Use the right code: Don't return 200 for errors or 404 for validation failures
• Be consistent: Use the same codes for the same situations across your API
• Include error details: Return helpful error messages in the response body
• Document codes: List which codes your API can return for each endpoint

For Web Applications

• Custom error pages: Create user-friendly 404/500 pages instead of showing defaults
• Use 301 for SEO: Permanent redirects pass link equity to the new URL
• Leverage caching: Use 304 to reduce bandwidth and improve performance
• Handle errors gracefully: Show helpful messages, not raw error codes

Common Mistakes to Avoid

• 200 with error in body: Always use the appropriate 4xx/5xx code
• 404 for business logic errors: Use 422 for validation, 403 for permissions
• 500 for expected errors: Use specific 4xx codes when possible
• Confusing 401 and 403: 401 = not authenticated, 403 = authenticated but forbidden
• Using 302 instead of 301: Use 301 for permanent changes for better SEO

Quick Reference Table

Testing HTTP Status Codes

You can test status codes using various tools:

curl Command Line

# Get status code only
curl -o /dev/null -s -w "%{http_code}\n" https://example.com

# Include headers
curl -i https://example.com

# Follow redirects
curl -L https://example.com

Browser DevTools

Open DevTools (F12) → Network tab → See status codes for all requests

Online Tools

• httpstat.us — Returns any status code you specify
• httpbin.org — HTTP testing service

Conclusion

Understanding HTTP status codes is fundamental to web development and API design. Use them correctly to:

• Communicate what happened clearly
• Enable proper error handling
• Improve debugging experience
• Build better APIs and web applications

Bookmark this guide and refer back whenever you need clarification on a specific code. The right status code makes all the difference in creating a professional, debuggable system.