HTTP status codes — grouped by meaning
HTTP response codes are 3-digit numbers divided into five families by the first digit:
- 1xx Informational — request received, continuing (rare in practice).
100 Continue,101 Switching Protocols,103 Early Hints. - 2xx Success — the request worked.
200 OK,201 Created,202 Accepted,204 No Content,206 Partial Content(range requests). - 3xx Redirection — resource is elsewhere.
301 Moved Permanently(SEO: preserves ~100% of ranking),302 Found(temporary),304 Not Modified(use cached copy),307 / 308(preserve HTTP method, unlike 301/302 which may change POST to GET). - 4xx Client Error — your fault.
400 Bad Request,401 Unauthorized(not authenticated),403 Forbidden(authenticated but not allowed),404 Not Found,405 Method Not Allowed,409 Conflict,410 Gone(permanent, unlike 404),422 Unprocessable Entity,429 Too Many Requests(rate-limited). - 5xx Server Error — server's fault.
500 Internal Server Error,502 Bad Gateway(reverse proxy got bad upstream response),503 Service Unavailable(overloaded or maintenance),504 Gateway Timeout,507 Insufficient Storage.
401 vs 403 — the most-confused pair
Both refuse the request, but for different reasons:
- 401 Unauthorized — "I don't know who you are." No credentials presented, or invalid ones. Client should add Authorization header and retry. Response typically includes
WWW-Authenticateheader saying how (Basic, Bearer, etc.). - 403 Forbidden — "I know who you are, but you can't access this." Credentials were valid, but your role/permission doesn't allow this operation. Client should not retry with the same credentials — re-authentication won't help.
Public endpoints with rate limiting should use 429 Too Many Requests, not 403.
When a user is logged in but tries to access another user's resource, return 404 Not Found, not 403 — leaking existence is itself an information leak.
301 vs 302 vs 307 vs 308 — redirects that don't break POST
All four redirect the browser to another URL, but they differ on caching and HTTP method handling:
| Code | Meaning | SEO value | Preserves POST method? |
|---|---|---|---|
| 301 | Moved permanently | ~100% (passes PageRank) | No — spec allows change to GET |
| 302 | Found (temporary) | Partial | No — spec allows change to GET |
| 307 | Temporary Redirect | Partial | Yes (same method as original) |
| 308 | Permanent Redirect | ~100% | Yes (same method as original) |
Rule: for permanent URL moves use 301. If the original request was a POST and you want the redirect target to also receive POST (not GET), use 307 or 308 instead.
Frequently Asked Questions
What is an HTTP status code?
HTTP status codes are three-digit numbers returned by web servers to indicate the result of a client's request: 2xx for success, 3xx for redirects, 4xx for client errors, 5xx for server errors.
What's the difference between 401 and 403?
401 Unauthorized means the request lacks valid authentication credentials. 403 Forbidden means the server understood the request but refuses to authorize it, even with valid credentials.
What does 502 Bad Gateway mean?
A 502 error means a server acting as a gateway or proxy received an invalid response from an upstream server. It usually indicates a temporary issue with the backend service.
Smarter quality checks. Faster deployments.
Better apps.
