HTTP Status Codes — Complete Reference for RFC 9110

HTTP status codes are the language between client and server: a three-digit number tells you at a glance whether your request succeeded, was redirected, or failed. The five classes span 1xx (Informational) through 2xx (Success), 3xx (Redirection), 4xx (Client Errors) and 5xx (Server Errors). This reference covers all standardised codes from RFC 9110 – plus platform-specific extensions from Nginx, IIS and Cloudflare – giving you a quick lookup for API design, SEO monitoring, and debugging.

1xx — Informational

100 Continue — The server has received the request headers. The client should proceed to send the body.

Client sends Expect: 100-continue header, server responds 100 before the body is sent.

101 Switching Protocols — The server is switching protocols as requested by the client's Upgrade header.

HTTP → WebSocket upgrade: client sends Upgrade: websocket, server responds 101.

102 Processing (WebDAV) — The server has received the request and is processing it, but no response is available yet.

Long-running WebDAV operation to prevent the client from timing out.

103 Early Hints — Send preliminary response headers before the final response. Used to preload resources.

Server sends Link: </style.css>; rel=preload so the browser can start loading assets early.

2xx — Success

200 OK — The request succeeded. The standard response for successful HTTP requests.

GET /api/users → 200 with JSON body containing user list.

201 Created — The request succeeded and a new resource was created. Should include a Location header.

POST /api/users → 201 with Location: /api/users/42 header.

202 Accepted — The request has been accepted for processing, but processing is not yet complete.

POST /api/reports/generate → 202 (report will be generated asynchronously).

203 Non-Authoritative Information — The response is from a transforming proxy. The original server returned 200 but the proxy modified it.

A proxy modifies response headers or body before forwarding to the client.

204 No Content — The request succeeded but there is no content to return. The client should not navigate away.

DELETE /api/users/42 → 204 (deleted successfully, no body needed).

205 Reset Content — The request succeeded. The client should reset the document view (e.g. clear a form).

POST /api/form-submit → 205 (tells the browser to reset the form fields).

206 Partial Content — The server is returning only part of the resource due to a Range header from the client.

GET /video.mp4 with Range: bytes=0-1023 → 206 with the first 1024 bytes.

207 Multi-Status (WebDAV) — The response body contains status information for multiple sub-requests (XML body).

WebDAV PROPFIND on a collection returns 207 with per-resource status.

208 Already Reported (WebDAV) — Members of a DAV binding have already been listed in a previous part of the response.

Avoids redundant enumeration of internal members in a WebDAV binding.

226 IM Used — The server fulfilled a GET request using instance manipulations applied to the current instance.

Delta encoding: server returns the diff between the cached and current version.

3xx — Redirection

300 Multiple Choices — The request has multiple possible responses. The client should choose one.

A resource available in multiple formats (HTML, JSON, XML) with no preferred one.

301 Moved Permanently — The resource has permanently moved to a new URL. Search engines update their links.

GET /old-page → 301 Location: /new-page (browsers and crawlers follow permanently).

302 Found — The resource is temporarily at a different URL. The client should continue using the original URL.

GET /dashboard → 302 Location: /login (temporarily redirect to login page).

303 See Other — The response to the request can be found at another URL using GET. Often used after POST.

POST /api/orders → 303 Location: /api/orders/42 (redirect to the created resource via GET).

304 Not Modified — The resource has not changed since the version specified by If-Modified-Since or If-None-Match.

GET /style.css with If-None-Match: "abc" → 304 (use your cached version).

305 Use Proxy (Deprecated) — The requested resource must be accessed through the proxy specified in the Location header.

Deprecated due to security concerns. Not used in modern HTTP.

307 Temporary Redirect — Same as 302 but guarantees the HTTP method will not change (POST stays POST).

POST /api/submit → 307 Location: /api/v2/submit (POST is preserved).

308 Permanent Redirect — Same as 301 but guarantees the HTTP method will not change (POST stays POST).

POST /api/old-endpoint → 308 Location: /api/new-endpoint (permanent, method preserved).

4xx — Client Errors (General)

400 Bad Request — The server cannot process the request due to malformed syntax or invalid parameters.

POST /api/users with invalid JSON body → 400 {"error": "Invalid JSON"}.

401 Unauthorized — Authentication is required and has either failed or not been provided.

GET /api/profile without an Authorization header → 401.

402 Payment Required — Reserved for future use. Some APIs use it to indicate a payment or subscription is needed.

API rate limit exceeded on a paid plan → 402 (non-standard usage).

403 Forbidden — The server understood the request but refuses to authorize it. Authentication won't help.

GET /admin/settings as a non-admin user → 403 (authenticated but not permitted).

404 Not Found — The requested resource could not be found on the server.

GET /api/users/99999 → 404 (user does not exist).

405 Method Not Allowed — The HTTP method is not supported for the requested resource. Must include an Allow header.

DELETE /api/users → 405 Allow: GET, POST (delete not supported on collection).

406 Not Acceptable — The server cannot produce a response matching the Accept headers sent by the client.

GET /api/data with Accept: application/xml but server only supports JSON → 406.

407 Proxy Authentication Required — The client must authenticate with the proxy before the request can proceed.

Request through a corporate proxy that requires credentials → 407.

408 Request Timeout — The server timed out waiting for the client to finish sending the request.

Client opens a connection but sends data too slowly → 408.

409 Conflict — The request conflicts with the current state of the resource.

PUT /api/users/42 with a stale ETag → 409 (concurrent modification conflict).

4xx — Client Errors (Content & Rate Limits)

410 Gone — The resource existed before but has been permanently removed. Unlike 404, this is intentional and permanent.

GET /api/v1/users → 410 (API v1 has been retired, use v2).

411 Length Required — The server requires a Content-Length header that was not provided.

POST /api/upload without Content-Length → 411.

412 Precondition Failed — A precondition in the request headers (If-Match, If-Unmodified-Since) evaluated to false.

PUT /api/doc/42 with If-Match: "old-etag" but resource has changed → 412.

413 Content Too Large — The request body exceeds the server's size limit.

POST /api/upload with a 500MB file but server limit is 100MB → 413.

414 URI Too Long — The request URI is longer than the server is willing to interpret.

GET request with extremely long query string exceeding server limits → 414.

415 Unsupported Media Type — The request body's media type is not supported by the server.

POST /api/users with Content-Type: text/plain but server requires application/json → 415.

416 Range Not Satisfiable — The Range header value is outside the bounds of the resource.

GET /file.pdf with Range: bytes=9999999-  but file is only 1MB → 416.

417 Expectation Failed — The server cannot meet the requirements of the Expect header.

Client sends Expect: 100-continue but server doesn't support it → 417.

418 I'm a Teapot (RFC 2324) — April Fools' joke from the Hyper Text Coffee Pot Control Protocol. Not expected in production.

BREW /coffee on a teapot → 418 (the server refuses because it's a teapot).

422 Unprocessable Content — The request is syntactically correct but semantically invalid. Common for validation errors.

POST /api/users with {"email": "not-an-email"} → 422 with validation errors.

429 Too Many Requests — The client has sent too many requests in a given time period (rate limiting).

API returns 429 with Retry-After: 60 header after exceeding 100 requests/minute.

4xx — Client Errors (Security & Protocol)

421 Misdirected Request — The request was directed at a server that cannot produce a response (e.g. wrong TLS certificate).

HTTP/2 connection reuse to a server that doesn't handle the requested host → 421.

423 Locked (WebDAV) — The resource is locked and cannot be modified.

PUT /document.docx → 423 (file is locked by another user in WebDAV).

424 Failed Dependency (WebDAV) — The request failed because it depended on another request that also failed.

Batch WebDAV operation where a prerequisite step failed → 424.

425 Too Early — The server refuses to process a request that might be replayed (TLS early data risk).

Request sent in TLS 1.3 0-RTT early data that the server won't risk replaying → 425.

426 Upgrade Required — The server requires the client to switch to a different protocol.

Server requires TLS: responds 426 with Upgrade: TLS/1.3 header.

428 Precondition Required — The server requires the request to be conditional (e.g. If-Match header) to prevent lost updates.

PUT /api/doc without If-Match header → 428 (server enforces optimistic locking).

431 Request Header Fields Too Large — The request headers are too large for the server to process.

Request with oversized cookies or too many headers → 431.

451 Unavailable For Legal Reasons — The resource is unavailable due to legal demands (censorship, court order, GDPR).

GET /blocked-content → 451 (content restricted by government order).

5xx — Server Errors

500 Internal Server Error — A generic server-side error. The server encountered an unexpected condition.

Unhandled exception in application code → 500.

501 Not Implemented — The server does not support the functionality required to fulfill the request.

PATCH /api/resource but the server has no PATCH handler → 501.

502 Bad Gateway — The server acting as a gateway received an invalid response from the upstream server.

Nginx reverse proxy cannot reach the PHP-FPM backend → 502.

503 Service Unavailable — The server is temporarily unable to handle the request (overloaded or in maintenance).

Server in maintenance mode → 503 with Retry-After: 3600 header.

504 Gateway Timeout — The server acting as a gateway did not receive a timely response from the upstream server.

Nginx proxy_read_timeout exceeded waiting for a slow backend → 504.

505 HTTP Version Not Supported — The server does not support the HTTP version used in the request.

Client sends HTTP/3 request to a server that only supports HTTP/1.1 → 505.

506 Variant Also Negotiates — The server has an internal configuration error in transparent content negotiation.

Circular reference in content negotiation configuration → 506.

507 Insufficient Storage (WebDAV) — The server cannot store the representation needed to complete the request.

WebDAV PUT when the server's disk is full → 507.

508 Loop Detected (WebDAV) — The server detected an infinite loop while processing the request.

WebDAV PROPFIND encounters a circular symbolic link → 508.

510 Not Extended — The server requires further extensions to the request to fulfill it.

Request lacks a required extension declaration → 510.

511 Network Authentication Required — The client needs to authenticate to gain network access (captive portal).

Public Wi-Fi hotspot intercepts requests and returns 511 with a login page.

Unofficial & Platform-Specific Codes

440 Login Time-out (IIS) — Microsoft IIS: The client's session has expired and must log in again.

IIS returns 440 when an authenticated session times out.

444 No Response (Nginx) — Nginx closes the connection without sending a response. Used to block malicious requests.

Nginx config: return 444; to silently drop requests from bad bots.

494 Request Header Too Large (Nginx) — Nginx: The request header or URI is too large to process.

Client sends oversized cookies exceeding large_client_header_buffers → 494.

495 SSL Certificate Error (Nginx) — Nginx: The client's SSL certificate validation failed.

Client presents an expired or untrusted client certificate → 495.

496 SSL Certificate Required (Nginx) — Nginx: A client certificate is required but was not provided.

Request to an endpoint requiring mTLS without a client certificate → 496.

497 HTTP Request Sent to HTTPS Port (Nginx) — Nginx: A plain HTTP request was sent to an HTTPS-only port.

Client sends http:// request to port 443 → 497.

499 Client Closed Request (Nginx) — Nginx: The client closed the connection before the server could send a response.

User navigates away or client times out before server finishes processing → 499.

520 Web Server Returned an Unknown Error (Cloudflare) — Cloudflare: The origin server returned an unexpected or empty response.

Origin sends an invalid HTTP response that Cloudflare cannot interpret → 520.

521 Web Server Is Down (Cloudflare) — Cloudflare: The origin server refused the connection.

Origin web server is not running or blocking Cloudflare IPs → 521.

522 Connection Timed Out (Cloudflare) — Cloudflare: TCP connection to the origin server timed out.

Origin server is overloaded or a firewall is dropping packets → 522.

523 Origin Is Unreachable (Cloudflare) — Cloudflare: DNS resolution succeeded but the origin is unreachable.

DNS points to a server that is down or has no route → 523.

524 A Timeout Occurred (Cloudflare) — Cloudflare: TCP connection established but the origin did not respond in time.

Origin accepts connection but a slow backend exceeds Cloudflare's 100s timeout → 524.

525 SSL Handshake Failed (Cloudflare) — Cloudflare: SSL/TLS handshake with the origin server failed.

Origin has an expired certificate or SSL misconfiguration → 525.

526 Invalid SSL Certificate (Cloudflare) — Cloudflare: The origin's SSL certificate cannot be validated.

Origin uses a self-signed certificate with Full (Strict) SSL mode → 526.

530 (Cloudflare) — Cloudflare: Returned alongside a 1xxx error. Usually indicates a Cloudflare-specific issue.

Cloudflare returns 530 wrapping an internal 1020 (Access Denied) error.

Conclusion

HTTP status codes are not just a technical detail – they are the backbone of every web interaction. Use this reference to pick the right code for your API, trace errors during debugging, and understand why search engines treat 301 and 404 differently from 200 and 410.