The HTTP Reference

HTTP Status Codes Explained Simply

The 5 categories of HTTP responses, explained like you're talking to a colleague over coffee.

Every HTTP response includes a three-digit status code. The first digit tells you the category; the last two give you the specifics. Here's what they actually mean in practice.

1xx - "Hold On"

Informational responses. You'll rarely deal with these directly. 100 Continue tells the client "yeah, I got your headers, go ahead and send the body." It matters for large file uploads with the Expect: 100-continue header, but your framework usually handles this for you.

2xx - "Here You Go"

The happy path. Things worked.

200 OK - The standard success response. You asked for something, here it is. Used for successful GET, PUT, and PATCH responses.

201 Created - Something new was created. The correct response for a successful POST that creates a resource. Good practice: include a Location header pointing to the new resource.

204 No Content - Success, but there's nothing to send back. Perfect for DELETE requests or PUT updates where the client doesn't need a response body. Don't return 200 with an empty body when 204 exists.

3xx - "Go Over There"

Redirects. The resource is somewhere else.

301 Moved Permanently - This resource has a new URL forever. Browsers and search engines update their records. Use this for domain migrations or permanent URL changes.

302 Found - Temporary redirect. The resource is at a different URL right now, but might come back. Browsers don't update bookmarks. Here's the catch: 302 technically should preserve the HTTP method, but browsers historically changed POST to GET. That's why 303 and 307 exist.

307 Temporary Redirect - Like 302, but guaranteed to preserve the HTTP method. If the original request was POST, the redirect will also be POST. Use this when method preservation matters.

4xx - "You Messed Up"

Client errors. Something wrong with the request.

400 Bad Request - The server can't understand the request. Malformed JSON, invalid query parameters, missing required fields. Your response body should explain what's wrong.

401 Unauthorized - You need to authenticate. No credentials were provided, or the credentials are invalid. Despite the name, this is about authentication (who are you?), not authorization.

403 Forbidden - You authenticated successfully, but you don't have permission to access this resource. This is about authorization (what can you do?). The difference between 401 and 403 is the #1 most confused pair of status codes. 401 = "I don't know who you are." 403 = "I know who you are, and you can't do that."

404 Not Found - Nothing at this URL. Check for typos, verify the resource exists.

405 Method Not Allowed - The URL exists, but the HTTP method isn't supported. Sending POST to a read-only endpoint, for example. Good practice: include an Allow header listing which methods work.

429 Too Many Requests - Rate limiting kicked in. Include a Retry-After header so the client knows when to try again. Essential for API protection.

5xx - "We Messed Up"

Server errors. Not the client's fault.

500 Internal Server Error - Something unexpected broke. Unhandled exceptions, null reference errors, database connection failures. The generic "something went wrong" code. Log the actual error server-side and return a safe message to the client.

502 Bad Gateway - A proxy or load balancer tried to reach the upstream server and got a bad response. If you see this from Cloudflare or nginx, your origin server is probably down or returning garbage.

503 Service Unavailable - The server is overloaded or down for maintenance. Unlike 500, this implies the condition is temporary. Include a Retry-After header if you know when service will resume.
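The 4xx and 5xx rules above, put together as one request handler. This is an added example, not code from the original page. The token table, roles, route table and the failing load_report() are constructed for illustration, and the WWW-Authenticate header on the 401 comes from the HTTP specification rather than from this page.

```python
import logging

log = logging.getLogger("api")

# Constructed sample data: tokens, roles and routes are assumptions for this example.
TOKENS = {"tok-alice": "admin", "tok-bob": "viewer"}
ROUTES = {"/reports": {"GET": "viewer", "DELETE": "admin"}}
RANK = {"viewer": 1, "admin": 2}


def load_report():
    # Stand-in for a backend call that fails unexpectedly.
    raise RuntimeError("db connection refused at 10.0.0.5:5432")


def handle(method, path, token=None, over_limit=False, retry_after=30):
    """Return (status, headers, body) following the rules described above."""
    if over_limit:
        # 429: tell the client when to come back.
        return 429, {"Retry-After": str(retry_after)}, "Too many requests"
    methods = ROUTES.get(path)
    if methods is None:
        return 404, {}, "Not found"
    if method not in methods:
        # 405: the URL exists; list the methods that do work.
        return 405, {"Allow": ", ".join(sorted(methods))}, "Method not allowed"
    role = TOKENS.get(token)
    if role is None:
        # 401: missing or invalid credentials (authentication).
        # HTTP requires a WWW-Authenticate challenge on a 401.
        return 401, {"WWW-Authenticate": "Bearer"}, "Authentication required"
    if RANK[role] < RANK[methods[method]]:
        # 403: identity known, permission missing (authorization).
        return 403, {}, "Forbidden"
    try:
        if method == "DELETE":
            # 204: success with nothing to send back.
            return 204, {}, ""
        return 200, {}, load_report()
    except Exception:
        # 500: full detail goes to the server log, not to the client.
        log.exception("unhandled error on %s %s", method, path)
        return 500, {}, "Internal server error"
```

The viewer's GET ends in a 500 because load_report() always raises here; the connection details appear only in the server log, never in the response body.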

Rules of Thumb

Need the full reference? Check out the complete HTTP status codes reference with descriptions and real-world examples for every code.
