The 6 Types of HTTP Status Codes Explained

Last Edited September 11, 2023 by Garenne Bigby in Blog

HTTP or Hypertext Transfer Protocol response status codes include status codes from internet standards, other IETF RFCs, IETF, and others. The first digit of the status code indicates one of the five classes of response. These classes must be recognized by an HTTP client. The Internet Assigned Numbers Authority (IANA) governs the official registry of HTTP status codes. Additional decimal sub-codes provide a little more specific information and direction. The following list details what each of the five classes mean as well as the specific decimal sub-codes under each class.

1xx

Codes under the 1xx coding specify a provisional response. These responses are comprised of optional headers and the status-line and is completed by an empty line. No required headers are needed for this class of status code. Servers are not allowed to send a 1xx response to an HTTP/1.0 client unless certain conditions exist. This is because HTTP/1.0 did not define any 1xx status codes. Keep in mind that a client must be prepared to accept one or more 1xx status responses before a regular response. This is even if the client does not expect a 100 (Continue) status message. However, unexpected 1xx status responses can be ignored by a user agent.

100 Continue

This code describes an incident where the server has received the request headers and the client can go ahead and now send the request. Sending a larger request body to a server after a request has already been rejected due to inappropriate headers is not proper. A client wanting to have a server verify the request’s headers needs to send “Expect: 100-continue” as a header in its first request and receive a 100 Continue status code in response before sending the body. A response of “417 Expectation Failed” is an indication that the request should be discontinued.

101 Switching Protocols

This status response indicates that the entity making the request has asked the server to change protocols and the server has acquiesce to the request.

102 Processing (WebDAV; RFC 2518)

This code indicates that a server has received a WebDAV request and is processing it. A WebDAV request can contain many sub-requests within it and can also require a long time to fulfill the application. This code can prevent the client from timing out presuming that the request was missing.

2xx

The class of codes under 2xx indicate that the server has received client’s request, understands said request, accepts it and has processed it successfully.

200 OK

A response of 200 OK is a standard response for any successful HTTP request. It depends on the type of request in terms of what response is issued. When it comes to a “GET request,” the response will have a unit that corresponds to the request. In a “POST” request, the response contains an entity describing the end result.

201 Created

This code indicates that a request has been fulfilled and has resulted in the creation of a new resource.

202 Accepted

A 202 Accepted code means that the request has been confirmed and accepted for processing; however, the procedure has not been completed. While it is processing, the request may or may not ultimately be acted upon or it may be forbidden when the processing occurs.

203 Non-Authoritative Information (since HTTP/1.1)

This response indicates that the server, as a transforming proxy or Web accelerator, has received a 200 OK from its origin but is returning a modified version of the origin’s response.

204 No Content

A 204 No Content status response means that the server has successfully received and processed the request and is not returning any substance.

205 Reset Content

This status response means that the server has processed the request but is not responding with content. However, even though a 204 response means a similar result, a 205 Reset Content response requires the requester reset the document view to continue.

206 Partial Content (RFC 7233)

A 206 Partial Content code tells that the server is returning only a partial answer, such as a byte serving, due to a range header requested. This range header is applied by clients to authorize resuming of intermittent downloads or split a download into various simultaneous streams.

207 Multi-Status (WebDAV; RFC 4918)

A 207 message indicates that the response that follows is an XML message. This message can include a number of discrete response codes. These responses can depend on the amount of sub-requests that were initiated by the client.

208 Already Reported (WebDAV; RFC 5842)

A 208 code indicates that those of a DAV agreement have formerly been counted and listed in an earlier reply to the request and aren't being incorporated any more.

226 IM Used (RFC 3229)

A 226 IM Used response means that the server has fulfilled a request for the resource; however, the response is a demonstration of the result of at least one or more instance-manipulations assigned to the current instance.

3xx Redirection

Statuses under 3xx are codes that indicate that the client is required to take additional steps to complete a request. Many 3xx status codes are used in URL redirection. A user agent may carry out this additional action with absolutely no user interaction. However, this can only happen if the method used in this second request is GET or HEAD. In the alternative, a user agent may also automatically redirect a request. It is important, though, that the user agent detects and intervenes in order to prevent cyclical redirects.

300 Multiple Choices

A 300-multiple choice response indicates that multiple options for the resource from which the client may choose exist. These options can include agent-driven content negotiation. One example of this could be used to prevent multiple video format options by listing the files with different filename extensions.

301 Moved Permanently

A response of 301 Moved Permanently means that this and all future requests should be directed to the selected URL.

302 Found

A 302 response indicates that a HTTP/1.0 specification (RFC 1945) requires the client to perform a temporary redirect. This response is an example of industry practices contradicting the standard. Originally this response was described as “moved temporarily.” However, browsers implemented 302 as a response, and with the functionality of a 303. As a result, HTTP/1.1 added status codes 307 and 303 to differentiate between the two. Some Web applications continue to use the 302 status code, though, as if it were 303.

303 See Other (since HTTP/1.1)

A 303 response can be found using a GET method under another URI. When this is obtained in response to a PUT/DELETE or POST, the client should assume that the server has received the data and should expect a redirect with a separate GET message.

304 Not Modified (RFC 7232)

A 304 Not Modified response signifies that the resource has not been modified since the version indicated by the request headers “If-None-Match” or “If-Modified-Since” responses were given. In this situation, no need exists to retransmit the resource since the client still has a downloaded copy.

305 Use Proxy (since HTTP/1.1)

A 305 response means that the requested resource is only available through a proxy. The proxy is the address provided in the response. Mozilla and Internet Explorer are two HTTP clients who do not handle responses with this status code, for security reasons.

306 Switch Proxy

This status response is no longer in use. It initially indicated that subsequent requests should return to the specified proxy.

307 Temporary Redirect (since HTTP/1.1)

A request receiving a 307 response should be repeated with another URI. Future requests, though, should still use the original URI. In the past, requests resulting in a 302 response were not permitted to be changed when reissuing the primary request. One example of this is a POST request that should be repeated using a different POST request.

308 Permanent Redirect (RFC 7538)

A 308 response indicates that the current request and all forthcoming requests should be repeated using another URI. Responses under 307 and 308 parallel the actions of 301 and 302 responses. However these do not allow the HTTP method to change.

4xx Client Error

The 4xx class of status codes are meant for situations where the client has erred. The server should contain an entity encompassing some type of explanation of the error condition including both temporary and permanent conditions. These error codes are applicable to any request methods, and user agents should display them to any included entity to the user.

400 Bad Request

A 400 request means that the server can or will not process the request because of a client error. This error can be a malformed request syntax, deceptive request routing, invalid request message framing, or size that is too large.

401 Unauthorized (RFC 7235)

A 401 response is used for when authentication is required and has failed or has yet to be provided. This response should include a WWW-Authenticate header field which contains a challenge that is applicable to the entreated resource, such as a digit access authentication and basic access authentication. 401 means “unauthenticated,” meaning the user does not have the needed credentials. Some sites give a 401 when an IP address is otherwise banned from the website and that particular address is denied permission to access a certain site.

402 Payment Required

A 402 response is reserved for future use. This code was originally intended to be used as a form of digital cash or micropayment. However, currently this code is not used. Google Developers API use this status, however, if a particular developer has gone over the daily limit on requests.

403 Forbidden

A 403 Forbidden response means that the request was valid, but the server is declining to react to it. This can be for several reasons, one of them being the user might be logged in but not have the required permissions to access the resource.

404 Not Found

This response means that the bidden resource cannot be found but could be available in the future. It also means that subsequent requests by the client are allowed.

405 Method Not Allowed

A 405 Method Not Allowed means that a request method used was not supported for the requested resource. For example, a GET request on a form may require a PUT request on a read-only resource or data that needs to be presented via POST.

406 Not Acceptable

A 406 response means that the bidden resource is only capable of producing content that is not acceptable set by the Accept headers attached in the application.

407 Proxy Authentication Required (RFC 7235)

A 407 proxy authentication required response means that the client should first validate itself with the proxy.

408 Request Time-out

This type of response means that the server has timed out while waiting for the request. In accordance with the HTTP specifications: "The client did not produce a request within the time that the server was prepared to wait. The client MAY repeat the request without modifications at any later time."[a]

409 Conflict

A 409 Conflict response means that due to a conflict in the request, it could not have be processed. This can include an edit conflict between various concurrent updates.

410 Gone

A 410 Gone response means that the resource that is being requested is no longer available nor will it be available again. A 410 Gone response should be received when the resource was intentionally removed or when the resource should be purged. The client should not request this resource in the future and search engines should eliminate the resource from their indices. However, most use cases do not require this absolute of a response and do not require search engines and clients to purge the resources, allowing a 404 Not Found response to be used instead.

411 Length Required

A 411 Length Required response indicates that the request did not state the length of content, which is needed by the requested resource.

412 Precondition Failed (RFC 7232)

This response indicates that the server does not meet one of the preconditions that is required of that request.

413 Payload Too Large (RFC 7231)

When a request is more than the server is capable of processing, a 413 Payload Too Large response will be given. This was originally called a “Request Entity Too Large” response.

414 URI Too Long (RFC 7231)

If a URI given was too long for the server to process, a 414 URI Too Long response is given. This response can often be the result of large amounts data being encoded as a query-string of a GET request. In this event, it should be converted to a POST request.

415 Unsupported Media Type

A 415 Unsupported Media Type means that the request entity has a media type which the server or resource does not support. If a client uploads an image in one format, but the server requires another format, a 415 Unsupported Media Type response may be given.

416 Range Not Satisfiable (RFC 7233)

A 416 Range Not Satisfiable response code indicates that the client has asked for a portion of the file, such as a byte serving, but the server cannot satisfy that request for that portion. Perhaps the request is for a part of the file that is beyond the end of the file. That request would result in a 416 response.

417 Expectation Failed

A 417 Expectation Failed response code will come when the server cannot meet the demands of the “Expect” request-header field.

418 I'm a teapot (RFC 2324)

The title of this code response seems a little tongue in cheek, and perhaps that could be because the code was defined in 1998 as one of the IETF April Fool’s Jokes in reference to RFC 2324 Hyper Text Coffee Pot Control Protocol. It was not expected to be employed by actual HTTP servers. The RFC states this code should be in response by teapots entreated to brew coffee. It is often used as an “Easter egg” in some sites, including Google.

421 Misdirected Request (RFC 7540)

A 421 Misdirected Request response means that the request given was directed at a server that is simply not able to produce a response.

422 Unprocessable Entity (WebDAV; RFC 4918)

A 422 Unprocessable Entity response is when a request was well-formed, but the server could not follow the request due to semantic errors within the request.

423 Locked (WebDAV; RFC 4918)

A 423 Locked response occurs when the resource being sort is locked.

424 Failed Dependency (WebDAV; RFC 4918)

This response occurs when the request being made fails due to the failure of an earlier request.

426 Upgrade Required

A 426 Upgrade Required response is a result of a client needing to switch to a different protocol before a request can be completed. This switch could be to a TLS/1.0 provided in the Upgrade header field.

428 Precondition Required (RFC 6585)

This response is the request of a request being made through the origin server that requires the request to be conditional. This response is intended to stop the “lost update” problem often given when a client GETs a resource’s state, and PUTs it to the server after changing it while, at the same time, another party has modified the state on the server, resulting in a conflict between the two.

429 Too Many Requests (RFC 6585)

When a user has sent an excessive amount of requests in a specified timeframe, they will receive a 429 “To Many Requests” response. This response is intended for use with rate-limiting schemes.

431 Request Header Fields Too Large (RFC 6585)

A server that is reluctant to process a request because all of the header fields collectively or the individual header field are too large will result in this 431 response.

451 Unavailable For Legal Reasons

When a server operator has gotten a legal request to a set of resources that include the requested resource or to deny access to a resource, a code 451 response will be given. The specific number 451 is in reference to the novel Fahrenheit 451.

5xx Server Error

The 5xx class of codes are responses to requests that servers fail to fulfill. These response status codes indicate cases where the server is sent a response, it is aware it is incapable of performing the request or has encountered an error. These response codes are applicable in any type of request method. The server should include some type of entity containing an explanation of what the error situation involves and indicate whether this error is a temporary or permanent one. User agents should also display any included entity to the user.

500 Internal Server Error

A 500 Internal Server Error response is essentially a generic error message. You see these messages when an unexpected condition is encountered and no other 500 message is applicable.

501 Not Implemented

A 501 response occurs when the server does not have the ability to fulfill the request or the server does not recognize the method through which the request is sent. This type of response does imply that it could be available in the future.

502 Bad Gateway

A 502 Bad Gateway response is given in situations where a server was acting as a proxy or gateway and received an invalid reply from the upstream server.

503 Service Unavailable

In this type of response, the server is unavailable due to it being overloaded or down for maintenance. A 503 Service Unavailable response is a temporary error response.

504 Gateway Time-out

A 504 Gateway Time-out response comes when a server was acting as a gateway or proxy and it did not receive a timely response from the upstream server, thereby “timing out” the request.

505 HTTP Version Not Supported

This response comes when a server does not support the HTTP protocol version used in a demand.

506 Variant Also Negotiates (RFC 2295)

A 506 response comes when transparent content negotiation for a specific request results in circular references.

507 Insufficient Storage (WebDAV; RFC 4918)

When a server is incapable of storing the representation that is needed to complete a request, a 507 Insufficient Storage response results.

508 Loop Detected (WebDAV; RFC 5842)

In these situations, a 508 Loop Detected response indicates that the server has detected an immeasurable loop while handling the request. This response is sent in lieu of a 208 Already Reported response.

510 Not Extended (RFC 2774)

A 510 error response occurs when further extensions to the request are needed in order for the server to fully fulfill the request.

511 Network Authentication Required (RFC 6585)

In 511 error response, the client needs to authenticate in order to gain network access. This type of error was created as a means to intercept proxies used to control access to the network. One example of this is “captive portals” that is used to require agreement to the Terms of Service before allowing full Internet access by means of a Wi-Fi hotspot connection.

Unofficial codes

Not all codes are specified by a specific RFC but are still utilized by third-party services to provide RESTful or semantic error responses. Below are the most commonly-used “unofficial codes” utilized.

103 Checkpoint

A 103 Checkpoint response is used in the resumable requests application to resume aborted POST or PUT requests.

420 Method Failure (Spring Framework)

A 420 Method Failure response comes from the Spring Framework when a process has failed.

419 I'm a Fox (Smoothwall/Foxwall)

This response is returned through versions of Foxwall or Smoothwall firewall systems in response to when a configuration test is returned.

420 Enhance Your Calm (Twitter)

Twitter Version 1 issued a 420 Enhance Your Calm error response when the client was being rate-limited. However, Versions 1.1 and later versions used the 429 Too Many Requests response code as an alternative.

450 Blocked by Windows Parental Controls (Microsoft)

The 450 Block by Windows Parental Control response is a Microsoft-specific extension. It is an error given when the Windows Parental Controls are activated and are responding by blocking access to a certain site that does not qualify through the parameters set through the controls.

498 Invalid Token (Esri)

A 498 Invalid Token response is returned by ArcGIS for Server. This code indicates an invalid or expired token.

499 Token Required (Esri)

Another error returned by ArcGIS for Server, 499 indicates that token is required and still needs to be submitted to proceed.

499 Antivirus has Forbidden a Request

A 499 error is produced when a malicious site is intercepted and the request cannot go through.

509 Bandwidth Limit is Exceeded (Apache Web Server/cPanel)

In situations where a server has gone over the bandwidth quantified by a server administrator, users will receive a 509 Bandwidth Limit Exceeded error. This response is used by shared hosting providers to keep a limit on customer bandwidth.

530 Site is frozen

A 530 Site is frozen is an error employed by Pantheon in order to point out that a website has been frozen because of inactivity.

440 Login Timeout

When a client’s session has expired, a 440 Login Timeout response will appear, instructing the user to log in again to proceed with his request.

449 Retry With

A 449 error appears when the server cannot honor a request because the user has not given all of the needed information in order to fulfill a request.

451 Redirect

A 451 Redirect error is used in Exchange ActiveSync when the server cannot access the user’s mailbox or a more efficient server is available to complete a request. The error instructs the client to re-run the HTTP AutoDiscover operation to find a more valid server to proceed.

Nginx

The nginx web server software expands the 4xx error response space in an effort to signal issues with the client’s specific request. These errors are used solely for logging purpose, and no definite response is sent with these codes.

444 No Response

A 444 No Response error indicates that the server has closed the connection with no returned information from a client request.

495 SSL Certificate Error

A 495 SSL Certificate Error is an expansion of the 400 Bad Request error response code and is used when the client has given an invalid client certificate when making a request.

496 SSL Certificate Required

A 496 SSL Certificate Required error response is an additional expansion of the 400 Bad Request response code. This response is used when a client certificate is required to complete a request but is not provided.

497 HTTP Request Sent to HTTPS Port

Again, another expansion of the 400 Bad Request error response code, a 497 HTTP Request Sent to HTTPS Port is used when a client has made an HTTP request to a port that is listening for HTTPS requests specifically.

499 Client Closed Request

A 499 Client Closed Request is used when the client has closed the request before the server could complete the task and send a response.

Cloudflare

Cloudflare’s reverse proxy service is an expansion of the 5xx error space used to specify issues with the origin server.

520 Unknown Error

A 520 Unknown Error code is used as a “catch-all response” in the event that the origin server yields something unexpected. This could include listing large headers, connection resets or invalid or empty responses.

521 Web Server Is Down

When the origin server has rejected the connection from Cloudflare, a 521 Web Server is Down error response will be given.

522 Connection Timed Out

A 522 Connection Timed Out response is issued when Cloudflare could not assign a TCP handshake with the server of origin.

523 Origin Is Unreachable

When Cloudflare cannot reach the origin server, a 523 Origin is Unreachable error response is given. For example, if the DNS files for the origin server are incorrect, a 523 error will be given.

524 A Timeout Occurred

If Cloudflare is able to justify a TCP connection to the origin server but did not obtain a timely HTTP response, users will see a 524 A Timeout Occurred error response.