HTTP Status Codes Cheat Sheet
Complete HTTP response code reference. All status codes from 100 to 599 with meanings, use cases, and troubleshooting tips.
1xx Informational
| Abbreviation | Description | Expansion |
|---|---|---|
| Server received request headers, client should send body | Used with large POST/PUT requests | |
| Server is switching to requested protocol | HTTP → WebSocket upgrade | |
| Server received request, still processing | WebDAV: prevents client timeout | |
| Send preload headers before final response | Link: </style.css>; rel=preload |
2xx Success
| Abbreviation | Description | Expansion |
|---|---|---|
| Request succeeded | GET /users → 200 with user list | |
| Resource successfully created | POST /users → 201 with new user | |
| Request accepted, processing pending | POST /jobs → 202 (async processing) | |
| Success, no body to return | DELETE /users/1 → 204 | |
| Partial resource returned (range request) | Video streaming, resume downloads |
3xx Redirection
| Abbreviation | Description | Expansion |
|---|---|---|
| Resource permanently moved to new URL | Old URL → new URL (SEO transfer) | |
| Temporary redirect (method may change) | Login → dashboard redirect | |
| Redirect with GET to different URL | POST /form → GET /success | |
| Cached version is still valid | If-None-Match/If-Modified-Since match | |
| Temporary redirect (preserves method) | POST stays POST after redirect | |
| Permanent redirect (preserves method) | Like 301 but keeps POST as POST |
4xx Client Error
| Abbreviation | Description | Expansion |
|---|---|---|
| Server can't process due to client error | Invalid JSON, missing required field | |
| Authentication required | Missing or invalid auth token | |
| Authenticated but not authorized | User lacks permission for resource | |
| Resource doesn't exist | GET /users/99999 → 404 | |
| HTTP method not supported for URL | DELETE /users (if not supported) | |
| Can't produce response matching Accept header | Accept: image/png for JSON-only endpoint | |
| Client took too long to send request | Slow upload or idle connection | |
| Request conflicts with server state | Creating duplicate resource, version conflict | |
| Resource permanently removed | Deleted content (stronger than 404) | |
| Request body exceeds server limit | File upload exceeds max size | |
| Content-Type not supported | Sending XML to JSON-only endpoint | |
| Valid syntax but semantic errors | Validation errors (email format, etc.) | |
| Rate limit exceeded | Retry-After: 60 header included | |
| Blocked for legal reasons | GDPR, censorship, court order |
5xx Server Error
| Abbreviation | Description | Expansion |
|---|---|---|
| Unexpected server error | Unhandled exception, bug in code | |
| Server doesn't support the functionality | Unsupported HTTP method | |
| Invalid response from upstream server | Reverse proxy can't reach backend | |
| Server temporarily unavailable | Maintenance, overloaded | |
| Upstream server didn't respond in time | Backend took too long to respond | |
| Server can't store the representation | Disk full, quota exceeded | |
| Infinite loop in server processing | WebDAV: circular reference | |
| Client needs to authenticate to network | Captive portal (WiFi login page) |
Frequently asked questions
What's the difference between 4xx and 5xx errors?
4xx errors are client errors - the client did something wrong (bad request, unauthorized, not found). 5xx errors are server errors - the server failed to fulfill a valid request. The distinction matters: 4xx means the client should fix something, 5xx means the server team needs to investigate.
When should I use 200 vs 201 vs 204?
200 OK for successful GET/PUT/PATCH requests. 201 Created for successful POST that creates a new resource (include Location header pointing to new resource). 204 No Content for successful DELETE or PUT where no response body is needed.
What status code should I use for validation errors?
Use 422 Unprocessable Entity for semantic validation errors (invalid email format, password too short). Use 400 Bad Request for syntactic issues (malformed JSON, missing Content-Type). Some APIs use 400 for everything, but 422 is more precise.
Should I use 404 or 410 for deleted resources?
Use 410 Gone when you know a resource existed and was intentionally removed - it tells search engines to deindex it. Use 404 when you don't know or don't want to reveal whether a resource ever existed. 410 is a 'permanent 404'.
What causes 502 and 504 errors?
502 Bad Gateway: the reverse proxy (Nginx/Apache) received an invalid response from the backend (crashed, returned garbage). 504 Gateway Timeout: the backend didn't respond within the proxy's timeout. Both indicate backend problems, not client issues.
How should I handle rate limiting (429)?
Return 429 with Retry-After header (seconds until reset). Include X-RateLimit-Limit (max requests), X-RateLimit-Remaining (requests left), and X-RateLimit-Reset (timestamp) headers. On the client side, implement exponential backoff with jitter for retries.
Go from reference to real skills
Cheat sheets are great for quick lookups. Our in-depth courses take you from the fundamentals to professional-level mastery.
Browse all courses