HTTP Status Codes

HTTP Status Codes are three-digit codes that Web servers return in response to Hypertext Transfer Protocol (HTTP) requests sent by Web browsers. They are also known as HTTP error codes because most of them signify some sort of error condition.

The HTTP status code is one of the first pieces of information returned by a Web server in response to a request from a Web browser, and it informs the browser of the status of the request. Status codes are usually displayed by Web browsers instead of the desired Web page when the server cannot satisfy the browser’s request for some reason.

» You should also read “A Guide to HTTP Header Vulnerabilities”.

Informational 1xx status codes

This class of status code indicates a provisional response, consisting only of the Status-Line and optional headers, and is terminated by an empty line. There are no required headers. Since HTTP/1.0 did not define any 1xx status codes, servers MUST NOT send a 1xx response to an HTTP/1.0 client except under experimental conditions.

  • 100 Continue – The client SHOULD continue with its request. This interim response is used to inform the client that the initial part of the request has been received and has not yet been rejected by the server.
  • 101 Switching Protocols – The server understands and is willing to comply with the client’s request.
  • 102 Processing – This code indicates that the server has received and is processing the request, but no response is available yet.
  • 103 Early Hints – Used to return some response headers before the final HTTP message.

Success 2xx status codes

This class of status code indicates that the client’s request was successfully received, understood, and accepted.

  • 200 OK – The request has succeeded. The information returned with the response is dependent on the method used in the request, for example:
    • GET – an entity corresponding to the requested resource is sent in the response;
    • HEAD – the entity-header fields corresponding to the requested resource are sent in the response without any message-body;
    • POST – an entity describing or containing the result of the action;
    • TRACE – an entity containing the request message as received by the end server.
  • 201 Created – The request has been fulfilled and resulted in a new resource being created. The newly created resource can be referenced by the URI(s) returned in the entity of the response, with the most specific URI for the resource given by a Location header field.
  • 202 Accepted – The request has been accepted for processing, but the processing has not been completed. The request might or might not eventually be acted upon, as it might be disallowed when processing actually takes place.
  • 203 Non-Authoritative Information – The server is a transforming proxy (e.g. a Web accelerator) that received a 200 OK from its origin, but is returning a modified version of the origin’s response.
  • 204 No Content – The server successfully processed the request and is not returning any content. The 204 response must not include a message-body and thus is always terminated by the first empty line after the header fields.
  • 205 Reset Content – The server successfully processed the request, but is not returning any content. Unlike a 204 response, this response requires that the requester (user-agent) reset the document view. This response must not include an entity.
  • 206 Partial Content – The server is delivering only part of the resource due to a range header sent by the client.
  • 207 Multi-Status – The message body that follows is by default an XML message and can contain a number of separate response codes, depending on how many sub-requests were made.
  • 208 Already Reported – The members of a DAV (WebDAV) binding have already been enumerated in a preceding part of the response, and are not being included again.
  • 226 IM Used – The server has fulfilled a request for the resource, and the response is a representation of the result of one or more instance-manipulations applied to the current instance.

Redirection 3xx status codes

The 3xx class of status code indicates that further action needs to be taken by the user agent in order to fulfill the request. The action required may be carried out by the user agent without interaction with the user if and only if the method used in the second request is GET or HEAD. A client should detect infinite redirection loops, since such loops generate network traffic for each redirection.

Previous versions of the 3xx status code specification recommended a maximum of five redirections. Content developers should be aware that there might be clients that implement such a fixed limitation.

  • 300 Multiple Choices – The requested resource corresponds to any one of a set of representations, each with its own specific location.
  • 301 Moved Permanently – The requested resource has been assigned a new permanent URI and any future references to this resource should use one of the returned URIs.
  • 302 Found – The requested resource resides temporarily under a different URI. Since the redirection might be altered on occasion, the client should continue to use the Request-URI for future requests. This response is only cacheable if indicated by a Cache-Control or Expires header field.
  • 303 See Other – The response to the request can be found under a different URI and should be retrieved using a GET method on that resource. This method exists primarily to allow the output of a POST-activated script to redirect the user agent to a selected resource. The new URI is not a substitute reference for the originally requested resource. The 303 response must not be cached, but the response to the second (redirected) request might be cacheable.
  • 304 Not Modified – Indicates that the resource has not been modified since the version specified by the request headers If-Modified-Since or If-None-Match. In such case, there is no need to retransmit the resource since the client still has a previously-downloaded copy.
  • 305 Use Proxy – The requested resource must be accessed through the proxy given by the Location field. The Location field gives the URI of the proxy. The recipient is expected to repeat this single request via the proxy. 305 responses must only be generated by origin servers.
  • 306 – The 306 status code was used in a previous version of the specification, is no longer used, and the code is reserved.
  • 307 Temporary Redirect – The requested resource resides temporarily under a different URI. Since the redirection may be altered on occasion, the client should continue to use the Request-URI for future requests. This response is only cacheable if indicated by a Cache-Control or Expires header field.
  • 308 Permanent Redirect – The request and all future requests should be repeated using another URI.
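
The redirect-handling rules in this section, as an added example that is not part of the original page: a client-side follower that detects loops, stops after five redirections, and only follows automatically when the second request would be GET or HEAD. The host `example.test`, the response table and the function names are constructed for illustration.

```python
from urllib.parse import urljoin

# Constructed sample site: (method, URL) -> (status, Location header or None)
SAMPLE_SITE = {
    ("GET", "http://example.test/old"): (301, "/new"),
    ("GET", "http://example.test/new"): (200, None),
    ("GET", "http://example.test/a"): (302, "/b"),
    ("GET", "http://example.test/b"): (302, "/a"),      # a -> b -> a loop
    ("POST", "http://example.test/form"): (303, "/done"),
    ("GET", "http://example.test/done"): (200, None),
    ("POST", "http://example.test/upload"): (307, "/upload2"),
}

def sample_fetch(method, url):
    """Stand-in for a real HTTP request; runs offline against SAMPLE_SITE."""
    return SAMPLE_SITE.get((method, url), (404, None))

# 300, 304, 305 and 306 are handed back to the caller instead of being followed.
FOLLOWABLE = {301, 302, 303, 307, 308}
MAX_HOPS = 5  # the fixed limit older specifications recommended

def follow_redirects(method, url, fetch=sample_fetch, max_hops=MAX_HOPS):
    """Return (outcome, last_status, last_url, redirects_followed)."""
    seen = {(method, url)}
    hops = 0
    while True:
        status, location = fetch(method, url)
        if status not in FOLLOWABLE or not location:
            return ("final", status, url, hops)
        # 303 tells the client to retrieve the new URI with GET.
        next_method = "GET" if status == 303 else method
        # Anything other than GET or HEAD needs the user's confirmation.
        if next_method not in ("GET", "HEAD"):
            return ("needs-confirmation", status, url, hops)
        next_url = urljoin(url, location)  # Location may be relative
        if (next_method, next_url) in seen:
            return ("loop", status, url, hops)
        if hops == max_hops:
            return ("too-many-redirects", status, url, hops)
        seen.add((next_method, next_url))
        method, url = next_method, next_url
        hops += 1
```
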

Client error 4xx status codes

The 4xx class of status code is intended for cases in which the client seems to have erred. Except when responding to a HEAD request, the server should include an entity containing an explanation of the error situation, and whether it is a temporary or permanent condition. These status codes are applicable to any request method. User agents should display any included entity to the user.

If the client is sending data, a server implementation using TCP should be careful to ensure that the client acknowledges receipt of the packet(s) containing the response, before the server closes the input connection. If the client continues sending data to the server after the close, the server’s TCP stack will send a reset packet to the client, which may erase the client’s unacknowledged input buffers before they can be read and interpreted by the HTTP application.

  • 400 Bad Request – The request could not be understood by the server due to malformed syntax. The client should not repeat the request without modifications.
  • 401 Unauthorized – The request requires user authentication. The response must include a WWW-Authenticate header field containing a challenge applicable to the requested resource. The client may repeat the request with a suitable Authorization header field.
  • 402 Payment Required – Reserved for future use. The original intention was that this code might be used as part of some form of digital cash or micropayment scheme, as proposed, for example, by GNU Taler, but that has not yet happened, and this code is not usually used. Google Developers API uses this status if a particular developer has exceeded the daily limit on requests.
  • 403 Forbidden – The server understood the request, but is refusing to fulfill it. Authorization will not help and the request should not be repeated.
  • 404 Not Found – The server has not found anything matching the Request-URI. No indication is given of whether the condition is temporary or permanent.
  • 405 Method Not Allowed – The method specified in the Request-Line is not allowed for the resource identified by the Request-URI. The response must include an Allow header containing a list of valid methods for the requested resource.
  • 406 Not Acceptable – The resource identified by the request is only capable of generating response entities which have content characteristics not acceptable according to the accept headers sent in the request.
  • 407 Proxy Authentication Required – This code is similar to 401 (Unauthorized), but indicates that the client must first authenticate itself with the proxy.
  • 408 Request Timeout – The client did not produce a request within the time that the server was prepared to wait. The client may repeat the request without modifications at any later time.
  • 409 Conflict – The request could not be completed due to a conflict with the current state of the resource. This code is only allowed in situations where it is expected that the user might be able to resolve the conflict and resubmit the request.
  • 410 Gone – The requested resource is no longer available at the server and no forwarding address is known. This condition is expected to be considered permanent. The 410 response is primarily intended to assist the task of web maintenance by notifying the recipient that the resource is intentionally unavailable and that the server owners desire that remote links to that resource be removed.
  • 411 Length Required – The server refuses to accept the request without a defined Content-Length. The client may repeat the request if it adds a valid Content-Length header field containing the length of the message-body in the request message.
  • 412 Precondition Failed – The precondition given in one or more of the request-header fields evaluated to false when it was tested on the server.
  • 413 Payload Too Large – The request is larger than the server is willing or able to process. Previously called “Request Entity Too Large”.
  • 414 URI Too Long – The server is refusing to service the request because the Request-URI is longer than the server is willing to interpret.
  • 415 Unsupported Media Type – The server is refusing to service the request because the entity of the request is in a format not supported by the requested resource for the requested method. For example, the client uploads an image as image/svg+xml, but the server requires that images use a different format.
  • 416 Range Not Satisfiable – The client has asked for a portion of the file, but the server cannot supply that portion.
  • 417 Expectation Failed – The expectation given in an Expect request-header field could not be met by this server, or, if the server is a proxy, the server has unambiguous evidence that the request could not be met by the next-hop server.
  • 418 I’m a teapot – This code was defined in 1998 as one of the traditional IETF April Fools’ jokes, in RFC 2324, Hyper Text Coffee Pot Control Protocol, and is not expected to be implemented by actual HTTP servers. The RFC specifies this code should be returned by teapots requested to brew coffee. This HTTP status is used as an Easter egg on some websites, including Google.com.
  • 421 Misdirected Request – The request was directed at a server that is not able to produce a response.
  • 422 Unprocessable Entity – The request was well-formed but was unable to be followed due to semantic errors.
  • 423 Locked – The resource that is being accessed is locked.
  • 424 Failed Dependency – The request failed because it depended on another request and that request failed.
  • 425 Too Early – Indicates that the server is unwilling to risk processing a request that might be replayed.
  • 426 Upgrade Required – The client should switch to a different protocol such as TLS/1.0, given in the Upgrade header field.
  • 428 Precondition Required – The origin server requires the request to be conditional.
  • 429 Too Many Requests – The user has sent too many requests in a given amount of time. Intended for use with rate-limiting schemes.
  • 431 Request Header Fields Too Large – The server is unwilling to process the request because either an individual header field, or all the header fields collectively, are too large.
  • 451 Unavailable For Legal Reasons – A server operator has received a legal demand to deny access to a resource or to a set of resources that includes the requested resource.

Server error 5xx status codes

Response status codes beginning with the digit “5” indicate cases in which the server is aware that it has erred or is incapable of performing the request. Except when responding to a HEAD request, the server should include an entity containing an explanation of the error situation, and whether it is a temporary or permanent condition. User agents should display any included entity to the user. These response codes are applicable to any request method.

  • 500 Internal Server Error – The server encountered an unexpected condition which prevented it from fulfilling the request.
  • 501 Not Implemented – The server does not support the functionality required to fulfill the request. This is the appropriate response when the server does not recognize the request method and is not capable of supporting it for any resource.
  • 502 Bad Gateway – The server, while acting as a gateway or proxy, received an invalid response from the upstream server it accessed in attempting to fulfill the request.
  • 503 Service Unavailable – The server is currently unable to handle the request due to a temporary overloading or maintenance of the server. (The existence of the 503 status code does not imply that a server must use it when becoming overloaded. Some servers may wish to simply refuse the connection.)
  • 504 Gateway Timeout – The server, while acting as a gateway or proxy, did not receive a timely response from the upstream server specified by the URI (e.g. HTTP, FTP, LDAP) or some other auxiliary server (e.g. DNS) it needed to access in attempting to complete the request.
  • 505 HTTP Version Not Supported – The server does not support, or refuses to support, the HTTP protocol version that was used in the request message. The server is indicating that it is unable or unwilling to complete the request using the same major version as the client.
  • 506 Variant Also Negotiates – Transparent content negotiation for the request results in a circular reference.
  • 507 Insufficient Storage – The server is unable to store the representation needed to complete the request.
  • 508 Loop Detected – The server detected an infinite loop while processing the request (sent instead of 208 Already Reported).
  • 510 Not Extended – Further extensions to the request are required for the server to fulfill it.
  • 511 Network Authentication Required – The client needs to authenticate to gain network access.

List of unofficial codes

There are several status codes not specified by any official document or standard.

  • 103 Checkpoint – Used to resume aborted PUT or POST requests.
  • 218 This is fine – Used as a catch-all error condition for allowing response bodies to flow through Apache when ProxyErrorOverride is enabled.
  • 419 Page Expired – Used by the Laravel Framework when a CSRF Token is missing or expired.
  • 420 Enhance Your Calm – Returned by version 1 of the Twitter Search and Trends API.
  • 509 Bandwidth Limit Exceeded – The server has exceeded the bandwidth specified by the server administrator.
  • 526 Invalid SSL Certificate – Used by Cloudflare and Cloud Foundry’s gorouter.
  • 495 SSL Certificate Error – Used by IIS when the client has provided an invalid client certificate.
  • 440 Login Time-out – Used by IIS when the client’s session has expired.
