HTTP Status Code Reference

Server received headers, client should send the body. Used with Expect: 100-continue.

Typical use: Automatic. Application code rarely sets this.

Server is changing protocols (e.g. HTTP→WebSocket).

Typical use: WebSocket upgrade handshake.

Request received, processing ongoing. Prevents client timeout.

Typical use: WebDAV long operations.

Send preload headers before the final response.

Typical use: Performance: Cloudflare / HTTP/2+ servers.

Standard success. Response body contains requested data.

Typical use: Default for successful GET, PUT, POST returning data.

A new resource was created. Location header gives the URL.

Typical use: POST that creates a row, sign-up, file upload.

Request received but not yet acted upon. Async processing.

Typical use: Background jobs, async endpoints returning a job ID.

Success, no response body. MUST NOT include a body.

Typical use: DELETE success, PUT/PATCH without returning data.

Server delivered only the requested Range.

Typical use: Video streaming, resumable downloads.

Resource permanently moved to a new URL.

Typical use: www→non-www, http→https, slug changes.

Temporary redirect. Historically changes POST to GET.

Typical use: Prefer 307 for protocol-preserving redirects.

Redirect using GET. Post-Redirect-Get pattern.

Typical use: After form submission, redirect to result page.

Cached version still valid. Sent with ETag/Last-Modified.

Typical use: HTTP caching, automatic.

Like 302 but preserves HTTP method.

Typical use: Modern alternative to 302.

Like 301 but preserves HTTP method.

Typical use: Permanent redirects for non-GET methods.

Malformed request: bad JSON, missing field, invalid value.

Typical use: Always include a JSON body explaining what was wrong.

Misnamed — means "unauthenticated". Missing or invalid credentials.

Typical use: Missing/invalid auth token. Pair with WWW-Authenticate.

Reserved for future use. Stripe uses it for billing rejections.

Typical use: Mostly unused outside payment APIs.

Authenticated, but not authorized for this resource.

Typical use: User logged in but accessing someone else's data.

Resource does not exist.

Typical use: Resource ID missing from your database.

HTTP method not supported. Response MUST include Allow header.

Typical use: POST to a GET-only endpoint.

Server can't produce a response matching the client's Accept header.

Typical use: Client wants XML; server only does JSON.

Server timed out waiting for the request.

Typical use: Slow clients, keep-alive idle.

Request conflicts with current resource state.

Typical use: Duplicate creation, optimistic concurrency mismatch.

Resource existed but is permanently removed.

Typical use: Deleted posts, deleted accounts (stronger than 404 for SEO).

Missing Content-Length header.

Typical use: Strict servers.

If-Match / If-Unmodified-Since precondition failed.

Typical use: Conditional PUT/DELETE.

Body exceeds server limit.

Typical use: Upload size limits.

URL too long (typical limit ~2048 chars).

Typical use: Move long params to request body.

Server doesn't support the request body's Content-Type.

Typical use: XML body sent to a JSON-only endpoint.

Range header asks for a non-existent range.

Typical use: Range-based file downloads.

RFC 2324 April Fools — the server refuses to brew coffee.

Typical use: Never seriously. Easter eggs only.

Request well-formed but semantically wrong. Validation failure.

Typical use: GitHub / Stripe-style validation errors.

Server unwilling to process possibly-replayed request.

Typical use: TLS 1.3 0-RTT data.

Client must upgrade to a different protocol.

Typical use: Server refuses HTTP/1, requires HTTP/2.

Server requires the request to be conditional.

Typical use: APIs preventing lost-update on PUT.

Rate limit exceeded.

Typical use: Rate limiting. Always include Retry-After.

Headers exceed server limit. Often oversized cookies.

Typical use: Servers with strict header limits.

Resource blocked by legal demand (Fahrenheit 451 reference).

Typical use: Court orders, DMCA, GDPR right-to-be-forgotten.

Generic server error. Unhandled exception.

Typical use: Should be rare in well-instrumented services.

Functionality not yet implemented.

Typical use: Stubbed endpoints.

Proxy got bad response from upstream.

Typical use: Upstream service down or unhealthy.

Server temporarily down. Include Retry-After.

Typical use: Maintenance, circuit breakers, intentional shedding.

Proxy timed out waiting for upstream response.

Typical use: Slow upstream, ALB/nginx timeouts.

Server doesn't support the HTTP version.

Typical use: Probably an HTTP/0.9 client. Rare.

Server out of disk space.

Typical use: WebDAV.

Client must authenticate to the network.

Typical use: WiFi captive portals.