The complete HTTP status code reference
Every HTTP response carries a 3-digit status code. The first digit indicates the category (1=info, 2=success, 3=redirect, 4=client error, 5=server error). Here are all the codes you'll see in real traffic, plus what each means.
1xx — Informational
| Code | Status | Meaning |
|---|
| 100 | Continue | Initial part of request received, continue. Used with Expect: 100-continue. |
| 101 | Switching Protocols | Server agrees to switch protocols (HTTP→WebSocket upgrade). |
| 103 | Early Hints | Preload hints sent before final response. Used by Cloudflare for performance. |
2xx — Success
| Code | Status | Meaning |
|---|
| 200 | OK | Standard success. Most common response. |
| 201 | Created | Resource created. Usually with a Location header pointing to the new resource. |
| 202 | Accepted | Accepted for processing but not complete. Async operations. |
| 204 | No Content | Success, nothing to return. Common for DELETE and PUT. |
| 206 | Partial Content | Range request fulfilled. Video streaming, resumable downloads. |
3xx — Redirection
| Code | Status | When to use |
|---|
| 301 | Moved Permanently | Resource has moved forever. Search engines update their index. Cacheable. |
| 302 | Found | Temporary redirect. Historically browsers GET-ify POSTs after this. |
| 303 | See Other | Always GET the new URL. Used after POST to redirect to the result. |
| 304 | Not Modified | Conditional GET — your cached copy is still valid. No body returned. |
| 307 | Temporary Redirect | Same as 302 but explicitly preserves method (POST stays POST). |
| 308 | Permanent Redirect | Same as 301 but explicitly preserves method. |
301 vs 302 in practice
Use 301 when the URL has permanently changed (renamed pages, new domain). Search engines transfer ranking signals. Use 302 for temporary redirects (A/B tests, maintenance, login redirects). Picking the wrong one can hurt SEO badly.
4xx — Client Error
| Code | Status | Meaning |
|---|
| 400 | Bad Request | Generic client error — malformed JSON, missing field. |
| 401 | Unauthorized | No (or invalid) auth. Must include WWW-Authenticate header. |
| 402 | Payment Required | Originally reserved for paid APIs. Stripe and some others use it. |
| 403 | Forbidden | Authenticated but lack permission. Don't retry with same creds. |
| 404 | Not Found | Resource doesn't exist. May also hide that 403 would apply. |
| 405 | Method Not Allowed | Resource exists but you used the wrong method (GET instead of POST). |
| 408 | Request Timeout | Client took too long to send the request. |
| 409 | Conflict | Request conflicts with current state. Optimistic locking, version mismatch. |
| 410 | Gone | Resource permanently removed. Stronger than 404 — search engines deindex. |
| 413 | Payload Too Large | Request body exceeds server's limit. |
| 414 | URI Too Long | URL exceeds the limit (usually around 8 KB). |
| 415 | Unsupported Media Type | Server can't process this Content-Type. |
| 418 | I'm a teapot | April Fool's joke from 1998 (RFC 2324). Some sites use it for "blocked". |
| 422 | Unprocessable Entity | JSON parsed but semantically wrong. Validation errors. |
| 429 | Too Many Requests | Rate limited. Retry-After header tells you when. |
| 431 | Request Header Fields Too Large | Headers exceed server limit. Often too-many cookies. |
| 451 | Unavailable For Legal Reasons | Content blocked by court order. Named after Fahrenheit 451. |
5xx — Server Error
| Code | Status | Meaning |
|---|
| 500 | Internal Server Error | Generic server error. Stack trace ate the request. Check logs. |
| 501 | Not Implemented | Server doesn't recognize the method (PATCH on a server that doesn't support it). |
| 502 | Bad Gateway | Reverse proxy got an invalid response from upstream. Backend is down. |
| 503 | Service Unavailable | Server overloaded or under maintenance. Retry-After may say when. |
| 504 | Gateway Timeout | Reverse proxy timed out waiting for upstream. Backend is slow. |
| 507 | Insufficient Storage | Server is out of disk (WebDAV). |
| 511 | Network Authentication Required | Captive portal — sign in to Wi-Fi to continue. |
| 520-527 | Cloudflare codes | 520=Unknown, 521=Web Server Down, 522=Timeout, 523=Origin Unreachable, 524=Timeout, 525=SSL Handshake, 526=Invalid SSL. |
Quick reference: when to return which code
| Scenario | Code |
|---|
| GET request worked | 200 |
| POST created a new resource | 201 (with Location header) |
| DELETE succeeded | 204 or 200 |
| User not logged in | 401 |
| User logged in but lacks permission | 403 |
| JSON validation failed | 422 (or 400) |
| Rate limit hit | 429 (with Retry-After) |
| Permanent URL change | 301 |
| Temporary URL change (login flow, A/B test) | 302 or 307 |
| Database connection failed | 503 |
| Unhandled exception in your code | 500 |
