HTTP Status Codes Cheat Sheet

The server has received the request headers and the client should proceed to send the request body. Used with large uploads to avoid wasting bandwidth on rejected requests.

The server is switching protocols as requested by the client (e.g., upgrading from HTTP/1.1 to WebSocket). The server must send an Upgrade header in the response.

WebDAV: The server has received and is processing the request, but no response is available yet. Prevents the client from timing out on long operations.

Used to return some response headers before final HTTP message. Allows the client to start preloading resources while the server prepares the full response.

The request succeeded. The meaning depends on the HTTP method: GET returns the resource, POST returns the result, PUT/PATCH returns the updated resource.

A new resource was successfully created. Should include a Location header pointing to the newly created resource URL. Common response for POST requests.

The request has been accepted for processing but processing has not been completed. Used for async operations — the client should poll or use a callback URL.

The request was successful but the response is from a transforming proxy, not the origin server. The enclosed payload has been modified from the origin's 200 response.

The request succeeded but there is no content to send in the response body. Common for DELETE requests or PUT updates where no body is needed.

The server fulfilled the request and wants the client to reset the document view (e.g., clear a form). Similar to 204 but instructs the client to refresh the document.

The server is delivering only part of the resource due to a Range header sent by the client. Used for resumable downloads and video streaming.

WebDAV: The response body contains XML with multiple separate responses for multiple operations. Each response has its own status code.

WebDAV: The members of a DAV binding have already been enumerated in a previous reply and are not being included again to avoid redundancy.

The server has fulfilled a GET request for the resource and the response is a representation of the result of one or more instance-manipulations applied to the current instance.

The request has more than one possible response. The user agent or user should choose one of them. No standard way to choose automatically.

The URL of the requested resource has been changed permanently. The new URL is given in the response. Browsers cache this redirect. Good for SEO migrations.

The URL of the requested resource has been changed temporarily. Unlike 301, it is not cached by default. Use when the redirect may change in the future.

The response to the request can be found under another URI using a GET method. Used to redirect after a POST/PUT to a confirmation page (Post/Redirect/Get pattern).

The resource has not been modified since the version specified by the request headers (If-Modified-Since or If-None-Match). Client should use its cached version.

The same as 302, but the client must use the same HTTP method for the redirected request. The redirect URL appears in the Location header.

The same as 301, but the client must use the same HTTP method for the redirected request. The permanent redirect URL appears in the Location header.

The server cannot process the request due to malformed syntax, invalid framing, or deceptive request routing. The client should not repeat the request without modifications.

Authentication is required and has failed or not been provided. The response must include a WWW-Authenticate header. Despite its name, it means "unauthenticated".

Reserved for future use originally, now used by some APIs to indicate payment is required. Used by APIs like Google Developers Console when quota is exceeded.

The client is authenticated but does not have permission to access the resource. Unlike 401, re-authenticating will not make a difference.

The server cannot find the requested resource. The URL is not recognized or the resource doesn't exist. Also used to hide existence of forbidden resources.

The HTTP method used is not supported for the resource. The response must include an Allow header with supported methods (e.g., GET, POST).

The resource cannot generate content matching the list of acceptable values in the request's Accept headers. The server must send back a list of available representations.

Similar to 401 but authentication is needed by a proxy. The client must authenticate with the proxy before sending the request to the origin server.

The server timed out waiting for the request. The client did not produce a request within the time the server was prepared to wait. Client may repeat the request.

The request conflicts with the current state of the resource. Commonly used for duplicate entry attempts or when editing a stale version of a resource (optimistic locking).

The resource has been permanently deleted and no forwarding address exists. Unlike 404, it communicates intentional permanent removal. Search engines should deindex it.

The server rejects the request because the Content-Length header is not defined. The client must send this header with the request body.

The server does not meet one of the preconditions specified in the request headers (If-Match, If-None-Match, If-Unmodified-Since). Used for conditional requests.

The request entity is larger than limits defined by the server. The server may close the connection or return a Retry-After header if the condition is temporary.

The URI requested by the client is longer than the server is willing to interpret. Can happen if a client encodes too much data into a GET query string.

The media format of the request data is not supported by the server. The client should check the Content-Type and Content-Encoding headers they are sending.

The range specified in the Range header cannot be fulfilled. The requested range may be outside the size of the resource.

The expectation given in the Expect request header could not be met by at least one inbound server.

An April Fools' joke from RFC 2324. A teapot cannot brew coffee. Some services use this to indicate they refuse to process a request for humorous or policy reasons.

The request was directed at a server that is not able to produce a response. This can be sent by a server that is not configured to produce responses for the combination of scheme and authority in the request URI.

The request is well-formed but contains semantic errors. Common in REST APIs for validation failures — the request syntax is correct but the data is logically invalid.

WebDAV: The source or destination resource of a method is locked. The response should include the Lock-Token header.

WebDAV: The method could not be performed on the resource because the requested action depended on another action and that action failed.

The server is unwilling to risk processing a request that might be replayed. Used with TLS early data (0-RTT) to avoid replay attacks.

The server refuses to perform the request using the current protocol but will be willing to do so after the client upgrades to a different protocol.

The origin server requires the request to be conditional. This prevents the "lost update" problem where a client GETs a resource, modifies it, and PUTs it back while another client modified it.

The user has sent too many requests in a given amount of time (rate limiting). The response should include a Retry-After header indicating when to retry.

The server is unwilling to process the request because its header fields are too large. The request may be resubmitted after reducing the size of the request headers.

The user requests an illegal resource, such as a web page censored by a government. Named after Ray Bradbury's "Fahrenheit 451".

A generic error message when the server encounters an unexpected condition. The server is giving an unhelpful message because it lacks a more specific 5xx status code to give.

The server does not support the functionality required to fulfill the request. Common when the server does not recognize the request method or lacks the ability to fulfill it.

The server, while acting as a gateway or proxy, received an invalid response from an inbound server. The upstream server is returning an invalid response.

The server is not ready to handle the request. Common causes are a server down for maintenance or overloaded. Should send Retry-After header when condition is temporary.

The server, while acting as a gateway or proxy, did not receive a timely response from an upstream server. The upstream server timed out.

The HTTP version used in the request is not supported by the server. The response should contain a description of why that version is not supported.

The server has an internal configuration error: the chosen variant resource is configured to engage in transparent content negotiation itself, creating a circular reference.

WebDAV: The method could not be performed because the server is unable to store the representation needed to successfully complete the request.

WebDAV: The server detected an infinite loop while processing the request. This status indicates that the entire operation failed.

Further extensions to the request are required for the server to fulfill it. The server must send back the required extension(s) in the response.

The client needs to authenticate to gain network access. Used by intercepting proxies that control access to a network (e.g., captive portal on Wi-Fi).