What is the difference between 401 and 403?

401 means the client is not authenticated — they need to log in first. 403 means they are authenticated but don't have permission. A 401 says 'who are you?' while a 403 says 'I know who you are, but you can't do this'.

When should I use 404 vs 410?

Use 404 when a resource doesn't exist or you want to hide its existence. Use 410 (Gone) when a resource was deliberately removed and you want search engines to de-index it permanently.

What is the difference between 301 and 302?

301 is a permanent redirect — browsers and search engines cache it and update their records. 302 is temporary — no caching, used when a resource might return. Use 301 for SEO redirects, 302 for login redirects.

Why does 429 matter for APIs?

429 Too Many Requests is the standard way to communicate rate limiting. You should always include a Retry-After header so clients know when to try again. Without it, clients may immediately retry and make the overload worse.

What does 503 mean vs 502?

502 Bad Gateway means your server got a bad/no response from an upstream service (e.g. the app crashed). 503 Service Unavailable means your server is deliberately not accepting requests — maintenance or overload.

HTTP Status Codes Reference

All HTTP status codes — what they mean, when to use them, and real-world examples. Search by code, name, or description.

100Continue

Server received request headers, client should proceed.

Large file uploads — server says 'keep going'.

101Switching Protocols

Server agrees to switch protocols as requested by client.

Upgrading HTTP to WebSocket.

102Processing

Server has received and is processing the request, no response yet.

Long-running WebDAV operations.

103Early Hints

Preload resources while the server prepares the main response.

Hint browser to preload CSS/fonts before HTML arrives.

200OK

Request succeeded.

Standard success response for GET, POST, PUT.

201Created

Request succeeded and a new resource was created.

POST that creates a new record (return its URL in Location header).

202Accepted

Request accepted for processing, not yet complete.

Async jobs — 'we got it, processing in background'.

203Non-Authoritative Information

Response is from a proxy, not the origin server.

Caching proxies that modify content.

204No Content

Request succeeded but no body to return.

DELETE or PUT with no response body needed.

205Reset Content

Tell client to reset the document view.

After form submission — clear the form.

206Partial Content

Partial resource returned, in response to a range request.

Video streaming, resumable downloads (Range header).

301Moved Permanently

Resource permanently moved to new URL.

SEO-safe redirects. Browsers cache this forever.

302Found

Resource temporarily at different URL.

Temporary redirects. Not cached by default.

303See Other

Redirect to a GET request after a POST.

Post/Redirect/Get pattern — prevents form re-submission.

304Not Modified

Resource hasn't changed, use cached version.

ETag/If-None-Match cache validation.

307Temporary Redirect

Redirect, but keep the HTTP method (POST stays POST).

Temporary redirect where method must be preserved.

308Permanent Redirect

Permanent redirect, keep the HTTP method.

Permanent redirect where POST must stay POST.

400Bad Request

Server cannot understand request due to invalid syntax.

Malformed JSON, missing required fields, invalid params.

401Unauthorized

Client must authenticate to get the resource.

Missing or invalid auth token/credentials.

403Forbidden

Client authenticated but not authorized.

Logged in but lacks permission. Don't reveal if resource exists.

404Not Found

Resource not found or server hides its existence.

Unknown URL, deleted resource, or hidden 403.

405Method Not Allowed

HTTP method not supported for this resource.

POST on a read-only endpoint. Include Allow header.

406Not Acceptable

Server can't produce a response in the format requested.

Accept header mismatch — client wants XML, server only does JSON.

408Request Timeout

Server timed out waiting for request.

Client took too long to send request body.

409Conflict

Request conflicts with current state of resource.

Duplicate create, version conflict, edit collision.

410Gone

Resource permanently deleted, no forwarding address.

Intentionally removed content. Stronger signal than 404.

411Length Required

Server requires Content-Length header.

PUT/POST without Content-Length.

413Payload Too Large

Request body exceeds server limit.

File upload too big.

414URI Too Long

URL is too long for the server to process.

Excessively long query strings.

415Unsupported Media Type

Unsupported Content-Type in request.

Sending XML to an endpoint that only accepts JSON.

416Range Not Satisfiable

Requested range is outside the resource's bounds.

Invalid Range header in download request.

418I'm a teapot

Server refuses to brew coffee because it is a teapot.

April Fools RFC 2324. Used as an Easter egg by Google, Cloudflare.

422Unprocessable Entity

Request is well-formed but semantically invalid.

Validation errors — fields present but fail business rules.

425Too Early

Server unwilling to process request that might be replayed.

TLS early data (0-RTT) anti-replay protection.

429Too Many Requests

Client has sent too many requests in a given time.

Rate limiting. Include Retry-After header.

451Unavailable For Legal Reasons

Resource blocked due to legal demand.

GDPR removal, government censorship, court order.

500Internal Server Error

Generic server-side error.

Unhandled exception, crashed handler, bug.

501Not Implemented

Server does not support the request method.

Method recognized but not implemented yet.

502Bad Gateway

Upstream server returned invalid response.

Reverse proxy got garbage from backend.

503Service Unavailable

Server temporarily unavailable — maintenance or overload.

Planned downtime or overload. Include Retry-After.

504Gateway Timeout

Upstream server didn't respond in time.

Backend too slow. Proxy timed out waiting.

505HTTP Version Not Supported

HTTP version used in the request is not supported.

Rare — very old or malformed clients.

507Insufficient Storage

Server is out of storage to complete the request.

WebDAV — disk full.

511Network Authentication Required

Client must authenticate to gain network access.

Captive portals (hotel Wi-Fi login pages).

Frequently Asked Questions

What is the difference between 401 and 403?: 401 means the client is not authenticated — they need to log in first. 403 means they are authenticated but don't have permission. A 401 says 'who are you?' while a 403 says 'I know who you are, but you can't do this'.
When should I use 404 vs 410?: Use 404 when a resource doesn't exist or you want to hide its existence. Use 410 (Gone) when a resource was deliberately removed and you want search engines to de-index it permanently.
What is the difference between 301 and 302?: 301 is a permanent redirect — browsers and search engines cache it and update their records. 302 is temporary — no caching, used when a resource might return. Use 301 for SEO redirects, 302 for login redirects.
Why does 429 matter for APIs?: 429 Too Many Requests is the standard way to communicate rate limiting. You should always include a Retry-After header so clients know when to try again. Without it, clients may immediately retry and make the overload worse.
What does 503 mean vs 502?: 502 Bad Gateway means your server got a bad/no response from an upstream service (e.g. the app crashed). 503 Service Unavailable means your server is deliberately not accepting requests — maintenance or overload.