HTTP Status Codes Explained — Complete Reference 2026
HTTP status codes are three-digit numbers a server or proxy returns so browsers and apps know whether a request succeeded, redirected, failed on the client side, or broke on the server. They fall into five groups: 1xx informational, 2xx success, 3xx redirects, 4xx client errors, and 5xx server errors—you meet them loading pages, images, and REST responses. Browse every standard code in ConvertPal’s free HTTP Status Codes tool.
1xx — Informational Codes
Rare in everyday browsing, 1xx responses keep a connection alive while the server negotiates the next step (body upload, protocol switch, or early hints).
| Code | Name | What it means |
|---|---|---|
| 100 | Continue | The server got your headers and is ready for the request body. |
| 101 | Switching Protocols | The connection will upgrade (for example to WebSocket). |
| 102 | Processing | Request accepted; server still working (common in WebDAV). |
| 103 | Early Hints | Early headers (like preload links) before the final response. |
2xx — Success Codes
2xx means the server understood and accepted the request for the intended operation—often with a response body, unless 204 applies.
| Code | Name | What it means |
|---|---|---|
| 200 | OK | Request succeeded; the response carries the normal result. |
| 201 | Created | A new resource was created—often with a Location header. |
| 204 | No Content | Success, but no body is returned (common after deletes). |
| 206 | Partial Content | Part of a file was returned because of a Range request. |
3xx — Redirection Codes
3xx tells the client to look elsewhere—temporarily or permanently—while preserving (or not) the original HTTP method.
| Code | Name | What it means |
|---|---|---|
| 301 | Moved Permanently | Resource has a new permanent URL—update bookmarks and SEO. |
| 302 | Found | Temporary redirect; historically some clients treated it like 303. |
| 304 | Not Modified | Cached copy is still valid—no body when validators match. |
| 307 | Temporary Redirect | Temporary move; the HTTP method must stay the same on retry. |
| 308 | Permanent Redirect | Permanent move like 301, but method/body must not change. |
301 vs 302 vs 307 (common confusion)
301 and 308 say “permanent new URL,” but 308 guarantees browsers and APIs keep POST as POST. 302 is historically messy: many stacks turned POST into GET on follow-up—so after a form POST people often prefer 303 See Other (not listed above) or 307, which explicitly preserves the method for a temporary move.
4xx — Client Error Codes
4xx means the request was understood but cannot be fulfilled because of something the client (or caller) should fix—credentials, URL, payload, or rate limits.
| Code | Name | Plain English | Common cause |
|---|---|---|---|
| 400 | Bad Request | The server could not parse or accept the request as sent. | Malformed JSON, bad query syntax, or invalid Content-Type. |
| 401 | Unauthorized | Authentication is missing or failed. | No token, expired session, or wrong API key. |
| 403 | Forbidden | You are known, but this action is not allowed. | Role policy, IP allowlist, or blocked operation. |
| 404 | Not Found | No current resource exists at that URL or id. | Typo, removed page, or wrong environment base URL. |
| 405 | Method Not Allowed | HTTP verb not supported on this path. | DELETE on a read-only route or POST to a static file. |
| 408 | Request Timeout | The server gave up waiting for a full request. | Slow client, huge upload without keepalive, or proxy timeout. |
| 409 | Conflict | Request conflicts with current resource state. | Duplicate key, version mismatch, or illegal transition. |
| 410 | Gone | Resource existed but was permanently removed. | Retired API version or content intentionally delisted. |
| 422 | Unprocessable Entity | Syntax is fine, but rules or validation failed. | Schema errors, business-rule failures, or bad form fields. |
| 429 | Too Many Requests | Rate limit or quota exceeded for this client. | Burst traffic, missing Retry-After, or scraping without backoff. |
5xx — Server Error Codes
5xx means the server (or an upstream it depends on) failed despite a syntactically valid request—your client might retry with backoff, but the fix usually lives on the server side.
| Code | Name | Plain English | Common cause |
|---|---|---|---|
| 500 | Internal Server Error | Unexpected failure while handling a valid request. | Unhandled exception, bad deploy, or dependency crash. |
| 502 | Bad Gateway | A proxy or gateway got an invalid response upstream. | Upstream down, TLS mismatch, or bad socket to app server. |
| 503 | Service Unavailable | Server temporarily cannot serve traffic. | Overload, maintenance window, or dependency outage. |
| 504 | Gateway Timeout | Gateway did not get a timely response from upstream. | Slow database query, cold start, or integration timeout. |
The Most Common HTTP Errors and What to Do
404 Not Found
Cause: wrong path, deleted resource, or mismatched API version. Developers: verify routes, slugs, and deployment URLs; return helpful JSON errors in APIs. Users: check spelling, try the site home page, or clear an outdated bookmark.
403 Forbidden
Cause: you are signed in but lack permission, or a WAF blocks the request. Developers: audit roles, CORS, and IP rules; distinguish from 401 when credentials are actually valid. Users: log out and back in, try another account, or contact the site owner if you expect access.
500 Internal Server Error
Cause: unhandled exception, bad configuration, or broken dependency. Developers: read server logs, reproduce with a correlation id, roll back recent changes. Users: retry once, then wait—chronic 500s need vendor support, not repeated frantic refreshes.
503 Service Unavailable
Cause: maintenance, overload, or upstream health checks failing open. Developers: scale capacity, tune autoscaling, return Retry-After when possible. Users: wait a few minutes or try off-peak hours; the service is usually aware already.
429 Too Many Requests
Cause: client exceeded a rate limit or fair-use policy. Developers: honor Retry-After, use exponential backoff, and send idempotency keys on writes. Users: slow down automated refreshes or try again later—this is protection, not a personal slight.
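The developer advice above (honor Retry-After, back off exponentially, protect writes with idempotency keys) can be folded into one retry decision. This is an added example, not code from ConvertPal; the 60-second cap, the 0.5-second base, and the rule that a write is replayed only when it carries an idempotency key are assumptions chosen for illustration.

```python
import email.utils
import random
from datetime import datetime, timezone

RETRYABLE = {429, 502, 503, 504}   # transient codes from the 4xx/5xx tables
IDEMPOTENT = {"GET", "HEAD", "PUT", "DELETE", "OPTIONS"}
MAX_DELAY = 60.0                   # assumed upper bound in seconds
BASE_DELAY = 0.5                   # assumed first backoff step in seconds

def parse_retry_after(value, now=None):
    """Seconds to wait per a Retry-After value, or None if it is unusable.

    The header carries either delta-seconds ("120") or an HTTP-date.
    """
    if value is None:
        return None
    value = value.strip()
    if value.isascii() and value.isdigit():
        return float(value)
    try:
        when = email.utils.parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None                # garbage header: fall back to backoff
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return max(0.0, (when - now).total_seconds())

def next_delay(status, method, headers, attempt,
               has_idempotency_key=False, now=None, rng=random.random):
    """Seconds to sleep before retry `attempt` (0-based), or None to give up."""
    if status not in RETRYABLE:
        return None                # 400/401/403/404: a retry changes nothing
    if method.upper() not in IDEMPOTENT and not has_idempotency_key:
        return None                # conservative: never blindly replay a write
    names = {k.lower(): v for k, v in headers.items()}
    hinted = parse_retry_after(names.get("retry-after"), now)
    if hinted is not None:
        return min(hinted, MAX_DELAY)   # server hint wins but stays bounded
    # Full jitter: a random point in [0, BASE_DELAY * 2**attempt], capped,
    # so parallel clients do not retry in lockstep.
    return rng() * min(MAX_DELAY, BASE_DELAY * (2 ** attempt))
```
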
Look Up Any HTTP Status Code
ConvertPal’s interactive HTTP Status Codes tool lists standard codes with search, category headers, expandable “when it happens” notes, and a JSON export—handy when you are documenting APIs or training a team. It runs locally in the browser with no sign-in.
Frequently Asked Questions
- What is a 404 error?
- A 404 means the server cannot find a representation for the URL or id you requested—nothing matches that address right now. It is not the same as “server broken”; it is usually a wrong link, removed page, or API route typo. Developers should return a clear JSON error for APIs; users should verify the path or search the site. If you own the site, fix inbound links or add redirects where content moved permanently.
- What is the difference between 401 and 403?
- 401 Unauthorized means “we do not know who you are yet” or your credentials failed—add a token, refresh a session, or log in again. 403 Forbidden means “we know who you are, but you may not do this”—think missing role, blocked IP, or legal restriction. Mixing them confuses clients: use 401 when identity is missing or invalid, and 403 when identity is valid but policy denies the action.
- What does HTTP 429 mean?
- 429 means you sent too many requests in a window the server considers fair—rate limiting, abuse protection, or quota exhaustion. It is not a bug in your single click; it is cumulative traffic or a tight free tier. Slow down, read any Retry-After header, and spread work over time. Programmatic clients should back off exponentially and avoid hammering the same endpoint in parallel without need.
- What is the difference between a 301 and 302 redirect?
- 301 Moved Permanently tells clients and search engines the old URL is retired—link equity and bookmarks should move to the new canonical location. 302 Found signals a temporary move; caches treat it more cautiously, but historically some clients rewrote POST to GET on follow-up. For temporary moves where POST must survive, prefer 307 (or 308 for permanent method-safe moves).
- What causes a 500 Internal Server Error?
- A 500 means the server hit an unexpected condition while processing an otherwise valid request—think uncaught exception, misconfigured environment variable, or database outage. It is intentionally vague to the public because details belong in logs, not in attacker-friendly responses. Developers should capture stack traces server-side, add monitoring, and ship a fix or rollback. Users can retry briefly, but persistent 500s require operator attention, not endless refreshes.
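The 500 guidance on this page (reproduce with a correlation id, keep stack traces in server-side logs, keep the public response vague) looks like this as a WSGI wrapper. It is an added example, not code from ConvertPal; the logger name, the `app.correlation_id` environ key, the `X-Correlation-ID` header and the sample connection string are assumptions constructed for illustration.

```python
import json
import logging
import sys
import uuid

log = logging.getLogger("app.errors")  # assumed logger name

class SafeErrorMiddleware:
    """WSGI wrapper: traceback goes to the log, the client gets a generic 500."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # Mint the id server-side so a caller cannot choose what appears in logs.
        cid = uuid.uuid4().hex
        environ["app.correlation_id"] = cid  # hypothetical key handlers can reuse
        try:
            return self.app(environ, start_response)
        except Exception:
            # %r escapes CR/LF in the path, so a crafted URL cannot forge log lines.
            log.exception("unhandled error cid=%s method=%s path=%r", cid,
                          environ.get("REQUEST_METHOD"), environ.get("PATH_INFO"))
            body = json.dumps({"error": "internal_error",
                               "correlation_id": cid}).encode()
            start_response("500 Internal Server Error", [
                ("Content-Type", "application/json"),
                ("Content-Length", str(len(body))),
                ("Cache-Control", "no-store"),
                ("X-Correlation-ID", cid),
            ], sys.exc_info())
            return [body]

def broken_app(environ, start_response):
    """Constructed handler whose exception text contains a secret."""
    raise RuntimeError("connect failed: postgres://svc:hunter2@db.internal/orders")

def run_once(app, path):
    """Call a WSGI app once with a minimal constructed environ."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body
```

The wrapper covers exceptions raised while the handler is called; errors raised later, while a lazily generated response body is being iterated, need the same treatment in the server or in a wrapping iterator.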
