HTTP status codes are the three-digit numbers a server returns to tell a client what happened to its request. Choosing the right one matters for correctness, caching and security — a misused 403 can leak the existence of hidden resources, and a 200 returned for an error breaks client retry logic. This reference explains each registered code with its correct use, common misuse, security implications and default caching behaviour, all bundled offline.
The five classes
Status codes are grouped into five classes by their first digit:
- 1xx Informational — the request was received and is continuing.
100 Continuetells a client withExpect: 100-continuethat it may send a large request body. - 2xx Success — the request succeeded.
200 OKis the most common;201 Createdsignals a new resource was made;204 No Contentmeans success with no body to return. - 3xx Redirection — further action is needed.
301and308are permanent;302and307are temporary;304says a cached copy is still fresh. - 4xx Client error — the client made a bad request.
400is a malformed request;401needs authentication;403is authorised but refused;404is not found;429is rate-limited. - 5xx Server error — the server failed.
500is an unhandled exception;502and504are gateway problems;503is overload or maintenance.
How the tool works
Type a number (e.g. 404), a class prefix (e.g. 4xx), or a keyword (e.g. redirect or unauthorized). The tool filters a bundled, offline dataset and shows the reason phrase, correct usage, common misuse, security notes and default caching behaviour for each match.
Choosing the right 4xx code
The 4xx class has more subtlety than it first appears:
| Code | When to use |
|---|---|
400 Bad Request | The request body or query is malformed; validation failed |
401 Unauthorized | No credentials were provided; the client may retry after authenticating |
403 Forbidden | Credentials are valid but the action is not permitted; re-auth will not help |
404 Not Found | The resource does not exist (or you are hiding a 403) |
405 Method Not Allowed | The method is not allowed; include Allow: GET, POST |
409 Conflict | The request conflicts with current state (e.g. duplicate key) |
410 Gone | The resource existed but has been permanently removed |
422 Unprocessable Content | The syntax is valid but the semantics fail (REST APIs often prefer this to 400) |
429 Too Many Requests | Rate limit exceeded; include Retry-After |
Security implications: 403 vs 404
Returning 403 Forbidden for a protected path confirms that the path exists to an unauthenticated caller. For sensitive paths (admin panels, internal APIs, user-data endpoints), many teams return 404 Not Found to unauthenticated requests so an attacker cannot enumerate protected resources. Once authenticated, the real 403 or 200 is returned. This is sometimes called “security through obscurity” but is a legitimate defence-in-depth measure when the existence of a path is itself sensitive information.
Caching notes
Per RFC 9111, several status codes are heuristically cacheable even without an explicit Cache-Control header: 200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 451, 501. This means a 404 response without Cache-Control may be cached by browsers and CDNs for a short period. If you expect a resource to appear soon, send Cache-Control: no-store on the 404 to prevent stale negative caching.
Common misuses
200with an error body — some older APIs return200 OKwith{"error": "not found"}in the body. This breaks HTTP caching, retry logic and every HTTP-aware tool.500for validation errors — validation failures are the client’s fault, not the server’s. Use400or422.404for auth failures on public paths — if a resource genuinely does not exist,404is correct; hiding a403with404is only appropriate for sensitive paths. Using404everywhere is a pattern that frustrates legitimate API consumers.