How HTTP Status Codes Work
Every HTTP response begins with a three-digit status code that tells the client how the server handled the request. The first digit defines the class of response — whether it was successful, requires action, or encountered an error. Status codes are defined in RFC 9110 and are a fundamental part of the HTTP protocol.
The five classes:
- 1xx — Informational: The request was received, continuing the process.
- 2xx — Success: The request was successfully received, understood, and accepted.
- 3xx — Redirection: Further action is needed to complete the request.
- 4xx — Client Error: The request contains bad syntax or cannot be fulfilled — the problem is on the client side.
- 5xx — Server Error: The server failed to fulfill a valid request — the problem is on the server side.
Use our HTTP headers checker to see the exact status code any URL returns — useful for diagnosing redirects, authentication issues, or server errors without opening a browser.
2xx Success Codes
The 2xx range confirms the server processed the request successfully:
- 200 OK: The most common code. The request succeeded and the response body contains the requested data. For GET requests, this is the normal happy path.
- 201 Created: A new resource was successfully created. Returned for successful POST requests that create entities. The
Locationheader typically points to the newly created resource. - 204 No Content: The request succeeded but there is no response body. Common for DELETE operations or PUT updates where the response body is unnecessary.
- 206 Partial Content: The server is delivering only part of the resource due to a
Rangeheader in the request. Used by video streaming services to deliver specific byte ranges of video files, enabling scrubbing without downloading the whole file. - 304 Not Modified: (Technically a 3xx but logically a success) The resource has not changed since the client's cached version. The browser uses its cache and no body is transferred — a major bandwidth optimization.
In API development, returning the semantically correct 2xx code matters. Returning 200 for a resource creation (instead of 201) or for a delete (instead of 204) is technically functional but confuses API clients and violates REST conventions.
Check Any URL's HTTP Status Code
Use our free HTTP headers tool to instantly see the status code and headers for any URL.
Hide My IP Now3xx Redirection Codes
Redirection codes tell the client to look for the resource at a different URL:
- 301 Moved Permanently: The resource has moved to the URL in the
Locationheader permanently. Browsers and search engines update their records. Use for permanent URL changes — Google passes full link equity (PageRank) through 301s. - 302 Found: Temporary redirect. The client should continue using the original URL for future requests. Historically misused — many clients treated it as a permanent redirect. Spec requires repeating the original HTTP method, but most browsers change POST to GET.
- 303 See Other: Redirect the client to a GET request at the specified URL. Used after a successful POST to redirect to a "result" page, preventing form resubmission on browser refresh (the Post/Redirect/Get pattern).
- 307 Temporary Redirect: Like 302 but strictly requires the client to repeat the same HTTP method. A POST redirected with 307 must POST to the new URL.
- 308 Permanent Redirect: Like 301 but strictly maintains the HTTP method. The modern, unambiguous version of 301 for method-preserving permanent redirects.
Redirect chains — where A redirects to B which redirects to C — accumulate latency and confuse crawlers. Check all redirects for any URL with our headers tool, which follows and reports the full redirect chain.
4xx Client Error Codes
When the problem is in the request itself, the server returns a 4xx code:
- 400 Bad Request: Malformed request syntax, invalid parameters, or request body that does not parse. Fix the request before retrying.
- 401 Unauthorized: Authentication is required and has not been provided or is invalid. Despite the name, it means "unauthenticated." The response includes a
WWW-Authenticateheader specifying the authentication scheme. - 403 Forbidden: The server understood the request but refuses to fulfill it. Authentication is irrelevant — even authenticated users are denied. Used for IP-blocked resources, permission-denied scenarios, or CSRF validation failures.
- 404 Not Found: The requested resource does not exist at this URL. May be permanent (resource deleted) or temporary (typo in URL).
- 405 Method Not Allowed: The HTTP method used is not supported for this endpoint. The
Allowheader lists the supported methods. - 409 Conflict: The request conflicts with the current state of the resource — e.g., creating a user with an email that already exists.
- 410 Gone: Like 404 but permanent — the resource existed but has been deliberately removed and will not return. More definitive for SEO than 404.
- 422 Unprocessable Entity: The request is syntactically valid but semantically invalid — used in REST APIs when business logic validation fails.
- 429 Too Many Requests: Rate limit exceeded. The response should include
Retry-Afterheader. Relevant for API usage.
5xx Server Error Codes
5xx codes indicate the server failed to process a valid request — the fault lies with the server, not the client:
- 500 Internal Server Error: A generic catch-all for unexpected server failures. Check server logs for the actual cause — unhandled exceptions, database errors, or configuration problems.
- 502 Bad Gateway: The server acting as a gateway (reverse proxy, load balancer) received an invalid response from an upstream server. Often seen when a backend application is crashed or restarting.
- 503 Service Unavailable: The server is temporarily unable to handle requests — overloaded, in maintenance mode, or downstream dependencies are down. Should include a
Retry-Afterheader with an expected recovery time. - 504 Gateway Timeout: The gateway did not receive a timely response from the upstream server. The backend took too long. Common causes: slow database queries, expensive API calls, or network issues between proxy and backend. Our ping tool can help identify network latency contributing to timeouts.
- 507 Insufficient Storage: The server cannot store the representation needed to complete the request — disk full scenario.
- 511 Network Authentication Required: The client must authenticate to gain network access — typically returned by captive portals on public WiFi before you log in.
Monitoring 5xx rates is a key SRE (Site Reliability Engineering) practice. A spike in 502s often indicates a rolling deployment issue; a spike in 503s may indicate traffic exceeding capacity.
Frequently Asked Questions
What is the difference between 401 and 403?
401 means you are not authenticated — the server does not know who you are. Send credentials and try again. 403 means you are authenticated but not authorized — the server knows who you are and has decided you do not have permission to access this resource.
Why do I sometimes get 200 OK but the page is actually an error page?
Some applications return HTTP 200 with an error message in the HTML body rather than returning the appropriate 4xx or 5xx code. This is called a 'soft 404' and confuses search engine crawlers, CDN caches, and monitoring tools. Servers should always return semantically correct HTTP status codes.
What status code should I return for a deleted resource?
For a successful DELETE operation with no response body, return 204 No Content. If returning a representation of the deleted resource, return 200 OK. If the resource does not exist, return 404. If you want to permanently signal that a resource once existed but is gone forever (for SEO purposes), return 410 Gone.
How do I check what status code a URL returns?
Use our <a href="/headers">HTTP headers checker</a> to instantly see the status code, response headers, and redirect chain for any URL. You can also use <code>curl -I https://example.com</code> from the command line to fetch only the response headers.
