A Plain English Guide to HTTP Status Codes

HTTP status codes are like breathing: they’re always happening, but you only really notice them when something has gone wrong. They are notoriously complex to get to grips with, and each one has extensive and complex documentation detailing its intricacies. That’s great if you’ve got time and want to read up on one specific error, but if you’re in a hurry and something is broken, sometimes you just want to know what. To that end, we’re breaking down HTTP status codes as simply as possible.

Sometimes that might not be the level of detail you need, and if you want to go deeper, I’ve always liked Mozilla’s docs on the matter. They’re detailed enough to be helpful, but they’re not as dense and complex at the official w3 documentation. This article isn’t meant to be comprehensive: it’s your quick-fix plain English cheat sheet.

These codes report business as usual, that is still ongoing.

100 Continue: Everything is working as expected with the request headers, and it’s moving ahead to sending the body.

101 Switching Protocols: The request needs the server to switch protocols, and the server has agreed.

102 Processing: Same as a 100 request, but slower—things are taking time but are still moving ahead, and a 102 is going up to prevent the server timing out.

103 Early Hints: This code was designed to indicate that some responses have come through and the browser is loading them while the server works on something else. It doesn’t really get used.

These codes report business as usual that has completed.

200 Success: Everything worked as expected.

201 Created: Everything worked as expected, and created a new resource.

202 Accepted: Server has accepted the request, but is still processing.

203 Non-Authoritative Information: Everything worked as expected, but through a proxy.

204 No Content: Everything worked as expected, but will not return any content.

205 Reset Content: Same as a 204, but it wants you to try again.

206 Partial Content: Some of the content has been sent to clients. Often seen with range headers in downloading media.

207 Multi-status: A lot of things happened, and here’s a list.

208 Already Reported: WebDAV specific, rarely used. Prevents responses from listing the same files/directory again, saving resources.

226 IM Used: Rarely used. This is used in a very specific set of circumstances where a cached version on the client side and the live version on the server side are different, but only a small part needs changed rather than sending a whole new version. Everything must be compatible and it must be low tide after the summer solstice.

These codes report an issue that means the browser is going to need to go somewhere else to reach its goal. They’re not strictly speaking error codes and it’s best to avoid calling them that—nothing is broken, the client/server just needs to make some changes before they can complete their task.

300 Multiple Choices: There are multiple ways for the server to respond to the request, and the user needs to pick one. Not supported in most places.

301 Moved Permanently: Content moved, client should repeat same request on new location. This was often handled incorrectly, and led to the newer more commonplace 308 to solve issues.

302 Found: Moved temporarily. Like 301, it was misused, and 307 was made to replace it.

303 See Other: The result of the operation can be found at another location, indicated by the URI in the location header field, indirect response.

304 Not Modified: This data is already stored in your cache, and the server is telling the browser to pull it from there.

305 Use Proxy: You can’t access the content without going through a proxy. Deprecated, rarely used.

306 Switch Proxy: No longer used, meant to be “Switch Proxy”, and provide client with a specific proxy

307 Temporary Redirect: The same as a 302, but doesn’t allow the HTTP method to change.

308 Permanent Redirect: The same as a 301, but doesn’t allow the HTTP method to change.

These codes report an issue on the user’s end.

400 Bad Request: This is a catchall for when something doesn’t fit the rest of the 4xx codes. Often it means that there’s an error client side, like a malformed request syntax, invalid request message framing, size too large, or deceptive request routing.

401 Unauthorized: Upon receipt of a request for a protected resource that omits credentials, contains invalid credentials (e.g., a bad password) or partial credentials (e.g., when the authentication scheme requires more than one round trip), an origin server SHOULD send a 401 (Unauthorized) response that contains a WWW-Authenticate header field with at least one (possibly new) challenge applicable to the requested resource.

402 Payment required: You don’t have permission to access this page (unless you’ve paid). Standard not defined other than reserved, and it should not be used, though some do.

403 Forbidden: You don’t have permission to access this page.

404 Not Found: The requested resource is not available.

405 Method Not Allowed: You’re trying to use an HTTP method the server doesn’t allow.

406 Not Accepted: Your HTTP headers aren’t set up to accept the response the server needs to send through.

407 Proxy Authentication Required: Client needs to authenticate with a proxy. Works in a similar way to 401.

408 Request Timeout: The server was waiting for a request from your browser, and didn’t get it in time

409 Conflict: Valid request, cannot be completed with the current state of a server. Used in many ways, for example adding a file to a folder that does not exist.

410 Gone: This is a 404, but intentional. A 404 means it’s broken, a 410 means somebody removed it and it’s not coming back.

411 Length Required: The server needs your browser to provide the length of the content requested, and didn’t get one

412 Precondition Failed: The server does not meet one of the preconditions the requesters put on the request field headers, with the exception of only retrieving if the resource has changed, which is a 304.

413 Payload Too Large: The request you’re sending through is bigger than the server wants to handle. Often seen in file uploads.

414 URI Too Long: The URI of an HTTP request is longer than the server allows, typically at or under 2000 bytes.

415 Unsupported Media Type: The request sent to the server because it is an unsupported format, or content encoding.

416 Range Not Satisfied: You’ve asked for a specific part of the file that doesn’t exist. Maybe you asked for bytes 4000–5000 from a file that is only 2048 bytes. A failed 206.

417 Expectation Failed: There’s something in your Expect Header that the server can’t fulfil

418 I Am A Teapot: The requested resource is both short and stout, and—generally speaking—has both handle and spout. If you run into this error, manual interaction with hardware will be required to ‘pour it out’.

420 Enhance Your Calm: Once used by Twitter before 429 existed to tell clients they were being rate limited.

421 Misdirected Request: The request got sent to a server it wasn’t intended for. Introduced servers that don’t support connection coalescing.

422 Unprocessable Entity: The request has semantic errors that mean it can’t be processed—the server understands the request, but not its logic. Most commonly an unknown content-type header, which somewhat conflicts with 415.

423 Locked: WebDAV specific, file or directory is locked.

424 Failed Dependency: WebDav specific, only appears in 207 response code. When a property update in an issued PROPATCH, and a property update up the line failed, the rest will be marked 424.

425 Too Early: The server does not want to respond to a request until the TLS connection is fully established.

426 Upgrade Required: The client needs to switch to a different protocol, specified in the Upgrade header field

428 Precondition Required: A conditional header (e.g. If–Match) is missing, and the server requires it.

429 Too Many Requests: You’ve hit the rate limiter. Sometimes a browser will get stuck in a loop where a request gets rejected and it starts spitting it out over and over again, and sometimes it’s just because you’ve been refreshing too much. Replaced 420.

431 Request Field Too Large: Your header field/s are too big

451 Unavailable for Legal Reasons: Some sort of injunction has taken the site down, and the server is not legally allowed to respond. Reference to Fahrenheit 451.

These codes report an issue on the website’s end, specifically the server. If you don’t run the website, there’s not a lot you can do here except send them a support ticket and/or try to come back and check later.

500 Internal Server Error: This is the generic “server is broken”

501 Not Implemented: The request method isn’t supported by the server

502 Bad Gateway: A reverse-proxy has received a bad response from the origin server

503 Service Unavailable: Often the result of a DDoS or traffic spike: this site isn’t available because it’s overloaded.

504 Gateway Timeout: Similar to 502, but instead of a bad response from the origin server, it didn’t get a response in time.

505 HTTP Version Not Supported: Rarely used, the request is an unsupported version of HTTP request and the server can’t process it

506 Variant Also Negotiates: There are multiple possible options to choose from, and a server configuration error has created a loop where it’s stuck choosing forever. Rarely used.

507 Insufficient Storage: The server doesn’t have enough free space to process the request

508 Loop Detected: Infinite loop detected, made for WebDAV but could be seen elsewhere.

510 Not Extended: Further extensions to the request are required for the server to fulfil it.

511 Network Authentication Required: You can’t access the server because you need to log in to the network. You’ll probably most often see this while using cafe WiFi—you need to log on before you can go online.

   
And that’s it! If you’re interested in another simple lookup chart, check out our guide to PHP7 error reporting. If you’re having site issues in general, you might want to read up on cross-browser testing.