# HTTP Status Codes — Complete Reference for RFC 9110

> Reference of all HTTP status codes (1xx–5xx) per RFC 9110 — meaning, usage and typical cases for API design, SEO and debugging.

Source: https://www.jpkc.com/db/en/cheatsheets/networking/http-status/

<!-- PROSE:intro -->
HTTP status codes are the language between client and server: a three-digit number tells you at a glance whether your request succeeded, was redirected, or failed. The five classes span 1xx (Informational) through 2xx (Success), 3xx (Redirection), 4xx (Client Errors) and 5xx (Server Errors). This reference covers all standardised codes from RFC 9110 – plus platform-specific extensions from Nginx, IIS and Cloudflare – giving you a quick lookup for API design, SEO monitoring, and debugging.
<!-- PROSE:intro:end -->

## 1xx — Informational

`100 Continue` — The server has received the request headers. The client should proceed to send the body.

```bash
Client sends Expect: 100-continue header, server responds 100 before the body is sent.
```

`101 Switching Protocols` — The server is switching protocols as requested by the client's Upgrade header.

```bash
HTTP → WebSocket upgrade: client sends Upgrade: websocket, server responds 101.
```

`102 Processing (WebDAV)` — The server has received the request and is processing it, but no response is available yet.

```bash
Long-running WebDAV operation to prevent the client from timing out.
```

`103 Early Hints` — Send preliminary response headers before the final response. Used to preload resources.

```bash
Server sends Link: </style.css>; rel=preload so the browser can start loading assets early.
```

## 2xx — Success

`200 OK` — The request succeeded. The standard response for successful HTTP requests.

```bash
GET /api/users → 200 with JSON body containing user list.
```

`201 Created` — The request succeeded and a new resource was created. Should include a Location header.

```bash
POST /api/users → 201 with Location: /api/users/42 header.
```

`202 Accepted` — The request has been accepted for processing, but processing is not yet complete.

```bash
POST /api/reports/generate → 202 (report will be generated asynchronously).
```

`203 Non-Authoritative Information` — The response is from a transforming proxy. The original server returned 200 but the proxy modified it.

```bash
A proxy modifies response headers or body before forwarding to the client.
```

`204 No Content` — The request succeeded but there is no content to return. The client should not navigate away.

```bash
DELETE /api/users/42 → 204 (deleted successfully, no body needed).
```

`205 Reset Content` — The request succeeded. The client should reset the document view (e.g. clear a form).

```bash
POST /api/form-submit → 205 (tells the browser to reset the form fields).
```

`206 Partial Content` — The server is returning only part of the resource due to a Range header from the client.

```bash
GET /video.mp4 with Range: bytes=0-1023 → 206 with the first 1024 bytes.
```

`207 Multi-Status (WebDAV)` — The response body contains status information for multiple sub-requests (XML body).

```bash
WebDAV PROPFIND on a collection returns 207 with per-resource status.
```

`208 Already Reported (WebDAV)` — Members of a DAV binding have already been listed in a previous part of the response.

```bash
Avoids redundant enumeration of internal members in a WebDAV binding.
```

`226 IM Used` — The server fulfilled a GET request using instance manipulations applied to the current instance.

```bash
Delta encoding: server returns the diff between the cached and current version.
```

## 3xx — Redirection

`300 Multiple Choices` — The request has multiple possible responses. The client should choose one.

```bash
A resource available in multiple formats (HTML, JSON, XML) with no preferred one.
```

`301 Moved Permanently` — The resource has permanently moved to a new URL. Search engines update their links.

```bash
GET /old-page → 301 Location: /new-page (browsers and crawlers follow permanently).
```

`302 Found` — The resource is temporarily at a different URL. The client should continue using the original URL.

```bash
GET /dashboard → 302 Location: /login (temporarily redirect to login page).
```

`303 See Other` — The response to the request can be found at another URL using GET. Often used after POST.

```bash
POST /api/orders → 303 Location: /api/orders/42 (redirect to the created resource via GET).
```

`304 Not Modified` — The resource has not changed since the version specified by If-Modified-Since or If-None-Match.

```bash
GET /style.css with If-None-Match: "abc" → 304 (use your cached version).
```

`305 Use Proxy (Deprecated)` — The requested resource must be accessed through the proxy specified in the Location header.

```bash
Deprecated due to security concerns. Not used in modern HTTP.
```

`307 Temporary Redirect` — Same as 302 but guarantees the HTTP method will not change (POST stays POST).

```bash
POST /api/submit → 307 Location: /api/v2/submit (POST is preserved).
```

`308 Permanent Redirect` — Same as 301 but guarantees the HTTP method will not change (POST stays POST).

```bash
POST /api/old-endpoint → 308 Location: /api/new-endpoint (permanent, method preserved).
```

## 4xx — Client Errors (General)

`400 Bad Request` — The server cannot process the request due to malformed syntax or invalid parameters.

```bash
POST /api/users with invalid JSON body → 400 {"error": "Invalid JSON"}.
```

`401 Unauthorized` — Authentication is required and has either failed or not been provided.

```bash
GET /api/profile without an Authorization header → 401.
```

`402 Payment Required` — Reserved for future use. Some APIs use it to indicate a payment or subscription is needed.

```bash
API rate limit exceeded on a paid plan → 402 (non-standard usage).
```

`403 Forbidden` — The server understood the request but refuses to authorize it. Authentication won't help.

```bash
GET /admin/settings as a non-admin user → 403 (authenticated but not permitted).
```

`404 Not Found` — The requested resource could not be found on the server.

```bash
GET /api/users/99999 → 404 (user does not exist).
```

`405 Method Not Allowed` — The HTTP method is not supported for the requested resource. Must include an Allow header.

```bash
DELETE /api/users → 405 Allow: GET, POST (delete not supported on collection).
```

`406 Not Acceptable` — The server cannot produce a response matching the Accept headers sent by the client.

```bash
GET /api/data with Accept: application/xml but server only supports JSON → 406.
```

`407 Proxy Authentication Required` — The client must authenticate with the proxy before the request can proceed.

```bash
Request through a corporate proxy that requires credentials → 407.
```

`408 Request Timeout` — The server timed out waiting for the client to finish sending the request.

```bash
Client opens a connection but sends data too slowly → 408.
```

`409 Conflict` — The request conflicts with the current state of the resource.

```bash
PUT /api/users/42 with a stale ETag → 409 (concurrent modification conflict).
```

## 4xx — Client Errors (Content & Rate Limits)

`410 Gone` — The resource existed before but has been permanently removed. Unlike 404, this is intentional and permanent.

```bash
GET /api/v1/users → 410 (API v1 has been retired, use v2).
```

`411 Length Required` — The server requires a Content-Length header that was not provided.

```bash
POST /api/upload without Content-Length → 411.
```

`412 Precondition Failed` — A precondition in the request headers (If-Match, If-Unmodified-Since) evaluated to false.

```bash
PUT /api/doc/42 with If-Match: "old-etag" but resource has changed → 412.
```

`413 Content Too Large` — The request body exceeds the server's size limit.

```bash
POST /api/upload with a 500MB file but server limit is 100MB → 413.
```

`414 URI Too Long` — The request URI is longer than the server is willing to interpret.

```bash
GET request with extremely long query string exceeding server limits → 414.
```

`415 Unsupported Media Type` — The request body's media type is not supported by the server.

```bash
POST /api/users with Content-Type: text/plain but server requires application/json → 415.
```

`416 Range Not Satisfiable` — The Range header value is outside the bounds of the resource.

```bash
GET /file.pdf with Range: bytes=9999999-  but file is only 1MB → 416.
```

`417 Expectation Failed` — The server cannot meet the requirements of the Expect header.

```bash
Client sends Expect: 100-continue but server doesn't support it → 417.
```

`418 I'm a Teapot (RFC 2324)` — April Fools' joke from the Hyper Text Coffee Pot Control Protocol. Not expected in production.

```bash
BREW /coffee on a teapot → 418 (the server refuses because it's a teapot).
```

`422 Unprocessable Content` — The request is syntactically correct but semantically invalid. Common for validation errors.

```bash
POST /api/users with {"email": "not-an-email"} → 422 with validation errors.
```

`429 Too Many Requests` — The client has sent too many requests in a given time period (rate limiting).

```bash
API returns 429 with Retry-After: 60 header after exceeding 100 requests/minute.
```

## 4xx — Client Errors (Security & Protocol)

`421 Misdirected Request` — The request was directed at a server that cannot produce a response (e.g. wrong TLS certificate).

```bash
HTTP/2 connection reuse to a server that doesn't handle the requested host → 421.
```

`423 Locked (WebDAV)` — The resource is locked and cannot be modified.

```bash
PUT /document.docx → 423 (file is locked by another user in WebDAV).
```

`424 Failed Dependency (WebDAV)` — The request failed because it depended on another request that also failed.

```bash
Batch WebDAV operation where a prerequisite step failed → 424.
```

`425 Too Early` — The server refuses to process a request that might be replayed (TLS early data risk).

```bash
Request sent in TLS 1.3 0-RTT early data that the server won't risk replaying → 425.
```

`426 Upgrade Required` — The server requires the client to switch to a different protocol.

```bash
Server requires TLS: responds 426 with Upgrade: TLS/1.3 header.
```

`428 Precondition Required` — The server requires the request to be conditional (e.g. If-Match header) to prevent lost updates.

```bash
PUT /api/doc without If-Match header → 428 (server enforces optimistic locking).
```

`431 Request Header Fields Too Large` — The request headers are too large for the server to process.

```bash
Request with oversized cookies or too many headers → 431.
```

`451 Unavailable For Legal Reasons` — The resource is unavailable due to legal demands (censorship, court order, GDPR).

```bash
GET /blocked-content → 451 (content restricted by government order).
```

## 5xx — Server Errors

`500 Internal Server Error` — A generic server-side error. The server encountered an unexpected condition.

```bash
Unhandled exception in application code → 500.
```

`501 Not Implemented` — The server does not support the functionality required to fulfill the request.

```bash
PATCH /api/resource but the server has no PATCH handler → 501.
```

`502 Bad Gateway` — The server acting as a gateway received an invalid response from the upstream server.

```bash
Nginx reverse proxy cannot reach the PHP-FPM backend → 502.
```

`503 Service Unavailable` — The server is temporarily unable to handle the request (overloaded or in maintenance).

```bash
Server in maintenance mode → 503 with Retry-After: 3600 header.
```

`504 Gateway Timeout` — The server acting as a gateway did not receive a timely response from the upstream server.

```bash
Nginx proxy_read_timeout exceeded waiting for a slow backend → 504.
```

`505 HTTP Version Not Supported` — The server does not support the HTTP version used in the request.

```bash
Client sends HTTP/3 request to a server that only supports HTTP/1.1 → 505.
```

`506 Variant Also Negotiates` — The server has an internal configuration error in transparent content negotiation.

```bash
Circular reference in content negotiation configuration → 506.
```

`507 Insufficient Storage (WebDAV)` — The server cannot store the representation needed to complete the request.

```bash
WebDAV PUT when the server's disk is full → 507.
```

`508 Loop Detected (WebDAV)` — The server detected an infinite loop while processing the request.

```bash
WebDAV PROPFIND encounters a circular symbolic link → 508.
```

`510 Not Extended` — The server requires further extensions to the request to fulfill it.

```bash
Request lacks a required extension declaration → 510.
```

`511 Network Authentication Required` — The client needs to authenticate to gain network access (captive portal).

```bash
Public Wi-Fi hotspot intercepts requests and returns 511 with a login page.
```

## Unofficial & Platform-Specific Codes

`440 Login Time-out (IIS)` — Microsoft IIS: The client's session has expired and must log in again.

```bash
IIS returns 440 when an authenticated session times out.
```

`444 No Response (Nginx)` — Nginx closes the connection without sending a response. Used to block malicious requests.

```bash
Nginx config: return 444; to silently drop requests from bad bots.
```

`494 Request Header Too Large (Nginx)` — Nginx: The request header or URI is too large to process.

```bash
Client sends oversized cookies exceeding large_client_header_buffers → 494.
```

`495 SSL Certificate Error (Nginx)` — Nginx: The client's SSL certificate validation failed.

```bash
Client presents an expired or untrusted client certificate → 495.
```

`496 SSL Certificate Required (Nginx)` — Nginx: A client certificate is required but was not provided.

```bash
Request to an endpoint requiring mTLS without a client certificate → 496.
```

`497 HTTP Request Sent to HTTPS Port (Nginx)` — Nginx: A plain HTTP request was sent to an HTTPS-only port.

```bash
Client sends http:// request to port 443 → 497.
```

`499 Client Closed Request (Nginx)` — Nginx: The client closed the connection before the server could send a response.

```bash
User navigates away or client times out before server finishes processing → 499.
```

`520 Web Server Returned an Unknown Error (Cloudflare)` — Cloudflare: The origin server returned an unexpected or empty response.

```bash
Origin sends an invalid HTTP response that Cloudflare cannot interpret → 520.
```

`521 Web Server Is Down (Cloudflare)` — Cloudflare: The origin server refused the connection.

```bash
Origin web server is not running or blocking Cloudflare IPs → 521.
```

`522 Connection Timed Out (Cloudflare)` — Cloudflare: TCP connection to the origin server timed out.

```bash
Origin server is overloaded or a firewall is dropping packets → 522.
```

`523 Origin Is Unreachable (Cloudflare)` — Cloudflare: DNS resolution succeeded but the origin is unreachable.

```bash
DNS points to a server that is down or has no route → 523.
```

`524 A Timeout Occurred (Cloudflare)` — Cloudflare: TCP connection established but the origin did not respond in time.

```bash
Origin accepts connection but a slow backend exceeds Cloudflare's 100s timeout → 524.
```

`525 SSL Handshake Failed (Cloudflare)` — Cloudflare: SSL/TLS handshake with the origin server failed.

```bash
Origin has an expired certificate or SSL misconfiguration → 525.
```

`526 Invalid SSL Certificate (Cloudflare)` — Cloudflare: The origin's SSL certificate cannot be validated.

```bash
Origin uses a self-signed certificate with Full (Strict) SSL mode → 526.
```

`530 (Cloudflare)` — Cloudflare: Returned alongside a 1xxx error. Usually indicates a Cloudflare-specific issue.

```bash
Cloudflare returns 530 wrapping an internal 1020 (Access Denied) error.
```

<!-- PROSE:outro -->
## Conclusion

HTTP status codes are not just a technical detail – they are the backbone of every web interaction. Use this reference to pick the right code for your API, trace errors during debugging, and understand why search engines treat 301 and 404 differently from 200 and 410.

## Further Reading

- [HTTP response status codes – MDN Web Docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status) – all codes with descriptions and compatibility tables
- [List of HTTP status codes – Wikipedia](https://en.wikipedia.org/wiki/List_of_HTTP_status_codes) – overview and history
- [RFC 9110 – HTTP Semantics](https://httpwg.org/specs/rfc9110.html) – the normative specification
<!-- PROSE:outro:end -->

## Related Commands

- [curl](https://www.jpkc.com/db/en/cheatsheets/networking/curl/) – send HTTP requests and inspect status codes from the shell
- [httpie](https://www.jpkc.com/db/en/cheatsheets/networking/httpie/) – friendly HTTP client for API testing
- [ab](https://www.jpkc.com/db/en/cheatsheets/networking/ab/) – Apache Bench: load testing with status code reporting