Standardized three-digit codes returned by HTTP servers to indicate the result of a client request.
Table of Contents#
- Overview
- 1xx Informational
- 2xx Success
- 3xx Redirection
- 4xx Client Errors
- 5xx Server Errors
- Non-Standard Codes
- HTTP/2 and HTTP/3 Notes
- Troubleshooting
- See Also
- Sources
1. Overview#
HTTP status codes are defined primarily in RFC 9110 (HTTP Semantics). Every HTTP response includes a three-digit status code grouped into five classes by the first digit. Servers, proxies, and load balancers all use these codes to communicate the outcome of a request. Understanding them is essential for debugging web applications, configuring reverse proxies, and writing API clients.
2. 1xx Informational#
Informational responses indicate that the request was received and the server is continuing to process it. The client should wait for a final response. These are interim responses; no body is included.
| Code | Name | Description | Common Use Case |
|---|---|---|---|
| 100 | Continue | The initial part of the request was received; the client should continue sending the body. | Large file uploads with Expect: 100-continue header |
| 101 | Switching Protocols | The server is switching to the protocol requested via the Upgrade header. | WebSocket handshake (Upgrade: websocket) |
| 102 | Processing | The server has received the request and is still processing it (WebDAV). | Long-running WebDAV operations |
| 103 | Early Hints | Allows the server to send preliminary headers before the final response. | Preloading CSS/JS via Link headers while the server prepares the response |
3. 2xx Success#
Success codes indicate that the request was received, understood, and accepted.
| Code | Name | Description | Common Use Case |
|---|---|---|---|
| 200 | OK | The request succeeded. The meaning depends on the HTTP method used. | Standard successful GET, POST, PUT responses |
| 201 | Created | The request succeeded and a new resource was created. | REST API after successful POST creating a resource |
| 202 | Accepted | The request was accepted for processing, but processing is not complete. | Asynchronous job queues, batch operations |
| 203 | Non-Authoritative Information | The response metadata is from a local or third-party copy, not the origin server. | Responses modified by a transforming proxy |
| 204 | No Content | The request succeeded but there is no content to return. | Successful DELETE requests, form submissions without redirect |
| 205 | Reset Content | The server asks the client to reset the document that sent the request. | Form reset after submission |
| 206 | Partial Content | The server is delivering only a portion of the resource due to a Range header. | Video streaming, resumable downloads |
| 207 | Multi-Status | Conveys information about multiple resources in a single response (WebDAV). | Batch operations returning per-item status |
| 208 | Already Reported | Members of a DAV binding were already enumerated in a previous part of a multi-status response. | Avoiding duplicate entries in WebDAV responses |
| 226 | IM Used | The server fulfilled a GET request using instance manipulations (delta encoding). | Efficient resource updates via RFC 3229 |
4. 3xx Redirection#
Redirection codes indicate the client must take additional action to complete the request, usually following a Location header.
| Code | Name | Description | Common Use Case |
|---|---|---|---|
| 300 | Multiple Choices | The request has more than one possible response; the client should choose. | Content negotiation with multiple representations |
| 301 | Moved Permanently | The resource has been permanently moved to a new URL. Search engines update their index. | Domain migration, HTTP-to-HTTPS redirect |
| 302 | Found | The resource is temporarily at a different URI. The original URI should still be used for future requests. | Temporary redirect during maintenance |
| 303 | See Other | The server directs the client to retrieve the resource at another URI via GET. | Redirect after POST (Post/Redirect/Get pattern) |
| 304 | Not Modified | The resource has not changed since the version specified by If-None-Match or If-Modified-Since. | Browser cache validation, CDN cache revalidation |
| 305 | Use Proxy | The requested resource must be accessed through a proxy (deprecated). | Discontinued; do not use |
| 307 | Temporary Redirect | Same as 302, but the client must not change the HTTP method on redirect. | API temporary redirects preserving POST method |
| 308 | Permanent Redirect | Same as 301, but the client must not change the HTTP method on redirect. | Permanent API endpoint migration preserving method |
Key difference between 301/302 and 307/308: The older codes (301, 302) historically allowed clients to change POST to GET on redirect. The newer codes (307, 308) strictly preserve the original method.
5. 4xx Client Errors#
Client error codes indicate the request contains an error or cannot be fulfilled as sent.
| Code | Name | Description | Common Use Case |
|---|---|---|---|
| 400 | Bad Request | The server cannot process the request due to malformed syntax. | Invalid JSON body, missing required parameters |
| 401 | Unauthorized | The client must authenticate to access the resource. Includes a WWW-Authenticate header. | Missing or expired authentication token |
| 402 | Payment Required | Reserved for future use. Occasionally used for paywall or quota-exceeded responses. | API billing limits, premium content gates |
| 403 | Forbidden | The client is authenticated but lacks permission to access the resource. | Insufficient role or scope for the requested action |
| 404 | Not Found | The server cannot find the requested resource. | Wrong URL, deleted resource |
| 405 | Method Not Allowed | The HTTP method is recognized but not allowed for this resource. Must include an Allow header. | Sending POST to a read-only endpoint |
| 406 | Not Acceptable | The server cannot produce a response matching the Accept headers sent by the client. | Requesting XML from a JSON-only API |
| 407 | Proxy Authentication Required | Similar to 401, but the client must authenticate with an intermediate proxy. | Corporate proxy requiring credentials |
| 408 | Request Timeout | The server timed out waiting for the client to finish sending the request. | Slow or stalled client connections |
| 409 | Conflict | The request conflicts with the current state of the resource. | Concurrent edit conflict, duplicate resource creation |
| 410 | Gone | The resource has been permanently removed with no forwarding address. Unlike 404, this is intentional. | Deliberately retired API endpoints |
| 411 | Length Required | The server requires a Content-Length header that was not provided. | Uploads without content length |
| 412 | Precondition Failed | A condition in the request headers (If-Match, If-Unmodified-Since) evaluated to false. | Optimistic concurrency control failure |
| 413 | Content Too Large | The request body exceeds the server's size limit. | File upload exceeding client_max_body_size |
| 414 | URI Too Long | The request URI exceeds the server's length limit. | Extremely long query strings |
| 415 | Unsupported Media Type | The media type in Content-Type is not supported by the server. | Sending XML to a JSON-only endpoint |
| 416 | Range Not Satisfiable | The Range header specifies a range outside the resource's size. | Requesting bytes beyond end of file |
| 417 | Expectation Failed | The server cannot meet the Expect header requirements. | Expect: 100-continue rejected |
| 418 | I'm a Teapot | The server refuses to brew coffee because it is a teapot (RFC 2324). | Easter egg, API humor |
| 421 | Misdirected Request | The request was directed at a server unable to produce a response for the target URI. | HTTP/2 connection coalescing mismatch |
| 422 | Unprocessable Content | The request is syntactically valid but semantically incorrect. | Validation errors in a well-formed JSON body |
| 423 | Locked | The resource is currently locked (WebDAV). | Concurrent editing protection |
| 424 | Failed Dependency | The request failed because a prerequisite request failed (WebDAV). | Batch operation where a dependency failed |
| 426 | Upgrade Required | The server refuses the current protocol; the client must upgrade (e.g., to TLS). | Forcing HTTPS or HTTP/2 upgrade |
| 428 | Precondition Required | The server requires conditional headers (If-Match) to prevent lost updates. | Protecting against concurrent modifications |
| 429 | Too Many Requests | The client has exceeded the rate limit. May include a Retry-After header. | API rate limiting, brute force protection |
| 431 | Request Header Fields Too Large | The server refuses the request because headers are too large. | Oversized cookies or authorization headers |
| 451 | Unavailable For Legal Reasons | The resource is unavailable due to legal demands (e.g., government censorship). | DMCA takedowns, geo-restricted content |
6. 5xx Server Errors#
Server error codes indicate the server failed to fulfill a valid request.
| Code | Name | Description | Common Use Case |
|---|---|---|---|
| 500 | Internal Server Error | A generic server error when no more specific code applies. | Unhandled exception in application code |
| 501 | Not Implemented | The server does not support the HTTP method used. | Server lacks PATCH or DELETE support |
| 502 | Bad Gateway | The server, acting as a gateway or proxy, received an invalid response from the upstream. | Backend crashed or returned malformed response |
| 503 | Service Unavailable | The server is temporarily unable to handle the request (overloaded or in maintenance). | Deployment in progress, circuit breaker open |
| 504 | Gateway Timeout | The server, acting as a gateway or proxy, did not receive a timely response from the upstream. | Backend took too long to respond |
| 505 | HTTP Version Not Supported | The server does not support the HTTP version used in the request. | Client using HTTP/0.9 against a modern server |
| 506 | Variant Also Negotiates | Circular reference in transparent content negotiation. | Misconfigured content negotiation |
| 507 | Insufficient Storage | The server cannot store the representation needed to complete the request (WebDAV). | Disk full during file upload |
| 508 | Loop Detected | The server detected an infinite loop while processing the request (WebDAV). | Circular symlinks or recursive bindings |
| 510 | Not Extended | Further extensions to the request are required for the server to fulfill it. | Missing required HTTP extension |
| 511 | Network Authentication Required | The client must authenticate to gain network access. | Captive portal (hotel/airport WiFi) |
7. Non-Standard Codes#
These codes are not part of any RFC but are used by specific software. They may appear in logs from Nginx, Cloudflare, or other infrastructure.
| Code | Name | Origin | Description |
|---|---|---|---|
| 444 | Connection Closed Without Response | Nginx | Nginx closed the connection without sending a response. Used to reject malicious requests. |
| 499 | Client Closed Request | Nginx | The client closed the connection before the server finished responding. |
| 520 | Web Server Returned an Unknown Error | Cloudflare | The origin returned an unexpected response. |
| 521 | Web Server Is Down | Cloudflare | The origin server refused the connection from Cloudflare. |
| 522 | Connection Timed Out | Cloudflare | Cloudflare could not establish a TCP connection to the origin. |
| 523 | Origin Is Unreachable | Cloudflare | Cloudflare could not reach the origin due to DNS errors. |
| 524 | A Timeout Occurred | Cloudflare | Cloudflare established a TCP connection but the origin did not respond in time. |
| 525 | SSL Handshake Failed | Cloudflare | Cloudflare could not complete an SSL/TLS handshake with the origin. |
| 599 | Network Connect Timeout Error | Non-standard | Connection timed out due to an overloaded server or infrastructure error. |
8. HTTP/2 and HTTP/3 Notes#
HTTP/2 and HTTP/3 use the same status codes as HTTP/1.1, but there are behavioral differences worth noting:
- No 101 Switching Protocols in HTTP/2 or HTTP/3. Protocol negotiation happens at the TLS layer via ALPN (Application-Layer Protocol Negotiation), not via the
Upgradeheader. WebSocket over HTTP/2 uses the CONNECT method instead (RFC 8441). - 421 Misdirected Request becomes more relevant in HTTP/2, where connection coalescing may cause a client to reuse a connection for a different hostname. The server returns 421 to signal the client should open a new connection.
- HTTP/3 (QUIC) uses UDP instead of TCP. Status codes remain identical, but transport-level errors (connection migration, packet loss) are handled below the HTTP layer and do not produce HTTP status codes.
- 103 Early Hints is particularly useful with HTTP/2 server push deprecation, allowing servers to suggest preloading resources before the final response is ready.
- GOAWAY frame (HTTP/2) and CONNECTION_CLOSE frame (HTTP/3) are not HTTP status codes but transport-level signals that a connection is being closed. They may appear in logs alongside status codes.
Troubleshooting#
| Issue | Cause | Solution |
|---|---|---|
| Seeing 502 in reverse proxy logs | Backend server is down or returning invalid response | Check backend health; verify upstream address and port |
| 504 during peak traffic | Backend processing time exceeds proxy timeout | Increase proxy_read_timeout (Nginx) or timeout server (HAProxy) |
| 301 redirect loop | Misconfigured HTTP-to-HTTPS redirect with proxy | Set X-Forwarded-Proto and check it before redirecting |
| 413 on file uploads | Server body size limit too low | Increase client_max_body_size (Nginx) or tune.bufsize (HAProxy) |
| 429 from API | Client exceeding rate limits | Implement backoff; check Retry-After header |
| 499 in Nginx logs | Client disconnected before server finished | Usually benign; investigate if frequent (slow backends) |
| 400 on valid-looking requests | Oversized headers or malformed encoding | Check cookie sizes; increase large_client_header_buffers |
See Also#
Sources#
- https://www.rfc-editor.org/rfc/rfc9110 (RFC 9110, HTTP Semantics)
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Status
- https://www.rfc-editor.org/rfc/rfc8441 (WebSocket over HTTP/2)
- https://www.rfc-editor.org/rfc/rfc9114 (HTTP/3)