HTTP status codes

Server has received the request headers and the client should proceed sending the body. Rarely emitted by modern stacks.

Server agrees to switch protocol per the Upgrade header. WebSockets and HTTP/2 upgrade flow use this.

Server is sending preload hints before the final response. Used to start asset fetching during slow database queries.

Standard success. The request worked and the response body has the result.

A new resource was created. Conventionally returned with a Location header pointing to the new resource.

Request accepted but not yet processed. Used for async work — return the job ID in the body.

Success, no body to return. Common for DELETE.

Range request fulfilled. Used by video / large-file streaming.

Resource has a new permanent URL in the Location header. Browsers and crawlers update bookmarks / indexes.

Temporary redirect. Originally meant to preserve the request method but historically buggy — prefer 307 for clarity.

After a POST, redirect the client to GET the result. Avoids re-submitting the form on refresh.

The cached version is still fresh. Return this when If-None-Match / If-Modified-Since matches.

Same as 302 but explicitly preserves the original method (POST stays a POST).

Same as 301 but explicitly preserves the original method.

Malformed request — bad JSON, missing required field. Clients should fix and retry.

Authentication required or invalid. Despite the name, this is about authentication, not authorization. Pair with WWW-Authenticate.

Authenticated but lacks permission. Different from 401 — re-authing won't help.

Resource doesn't exist. Avoid leaking existence with subtle differences from 403.

The route exists but not for this HTTP verb. Return Allow: with the supported methods.

Server gave up waiting for the client to send the request. Some load balancers send this aggressively.

Optimistic-concurrency / state-mismatch failures. "Resource was edited since you fetched it" is a 409.

Resource used to exist; it's now permanently removed. Stronger signal than 404 for crawlers.

Request body exceeds server limit. Common for upload endpoints.

Move some of those query params into a POST body.

Content-Type doesn't match what the endpoint accepts.

April Fools' joke from RFC 2324, kept alive for cultural reasons. Some sites use it as a tarpit signal.

Request was syntactically valid but semantically wrong. The form parsed but a field violated business rules. Most modern APIs use this in place of 400.

Server unwilling to risk processing a request that might be replayed (TLS 0-RTT context).

Rate-limited. Pair with Retry-After. Webhook providers love this one.

Geo / legal blocking. Reference: Fahrenheit 451.

Catch-all for unhandled exceptions. Return this when you have nothing more specific.

The server recognizes the method but can't fulfill it.

A proxy / load balancer got an invalid response from upstream. Reverse-proxy users see this when the origin is down.

Server is up but temporarily refusing requests — maintenance, overload. Pair with Retry-After.

A proxy timed out waiting for upstream. The origin is slow, not necessarily down.

Out of disk for the operation. WebDAV-flavored.

Captive portals. The client must authenticate to gain network access.