From 200 to 503: Understanding the Most Common HTTP Status Codes
When browsing the web or building APIs, you've likely encountered messages like "404 Page Not Found" or "500 Internal Server Error." These are HTTP status codes — three-digit numbers that servers send back to tell clients (browsers, apps, or other servers) what happened with their request.
Every time you load a webpage, your browser sends an HTTP request and receives a response that includes one of these status codes. Understanding them is essential for web developers debugging issues, API developers designing responses, site owners monitoring uptime, and anyone trying to figure out why a website isn't working.
HTTP status codes are grouped into five classes:
| Range | Category | Meaning |
|---|---|---|
| 1xx | Informational | The request was received, processing continues |
| 2xx | Success | The request was successfully received and accepted |
| 3xx | Redirection | Further action is needed to complete the request |
| 4xx | Client Error | The request contains bad syntax or cannot be fulfilled |
| 5xx | Server Error | The server failed to fulfill a valid request |
The key distinction to remember: 4xx errors are the client's fault (bad URL, missing authentication, wrong parameters), while 5xx errors are the server's fault (crashes, overload, misconfiguration). This matters when debugging — a 400 error means you need to fix your request, while a 500 error means something is wrong on the server side.
Let's dive into the most common status codes you'll encounter.
1. 200 OK
The 200 status code means the request succeeded. The server found what was asked for and returned it. This is by far the most common HTTP status code — it's what happens behind the scenes every time a webpage loads correctly, an API call returns data, or a file downloads successfully.
When you'll see it:
- Loading any webpage that works normally
- A successful API call that returns data
- Submitting a form that processes correctly
What the server returns: The response body contains the requested resource — HTML for a webpage, JSON for an API, an image file, etc.
For API developers: A 200 response should include the requested data in the body. For REST APIs, distinguish between 200 (returning existing data) and 201 Created (a new resource was created).
2. 201 Created
The 201 status code indicates that the request was successful and a new resource was created as a result. This is the standard response for successful POST requests in REST APIs.
When you'll see it:
- Creating a new user account via an API
- Uploading a file to a server
- Adding a new record to a database through an API endpoint
How it differs from 200: While 200 means "everything worked," 201 specifically means "everything worked and something new was created." The response typically includes the newly created resource or a link to it.
3. 301 Moved Permanently
The 301 status code tells the client that the requested resource has been permanently moved to a new URL. The browser (or any client) should automatically redirect to the new location and update any bookmarks.
When you'll see it:
- A website migrates from http:// to https://
- A page's URL structure changes (e.g., /old-page moves to /new-page)
- A domain name changes entirely
Why it matters for SEO: The 301 redirect passes link equity (ranking power) from the old URL to the new one. Search engines will eventually replace the old URL with the new one in their index. This makes 301 the correct choice for permanent URL changes.
Common causes:
- Intentional URL restructuring
- Domain migrations
- Forcing HTTPS or www/non-www versions
How to fix (if unintended): Check your server configuration (.htaccess for Apache, nginx.conf for Nginx) or your application's routing rules for redirect rules you didn't intend.
4. 302 Found (Temporary Redirect)
The 302 status code indicates that the resource has been temporarily moved to a different URL. Unlike 301, the original URL should still be used for future requests.
When you'll see it:
- A/B testing that sends users to different page versions
- Temporary maintenance pages
- Language or region-based redirects
- Login redirects (sending unauthenticated users to a login page)
301 vs 302 — when to use which:
- Use 301 when the move is permanent and the old URL will never come back
- Use 302 when the move is temporary and the original URL should be preserved
SEO impact: Unlike 301, a 302 redirect tells search engines to keep the original URL in their index because the redirect is temporary.
5. 400 Bad Request
The 400 status code means the server cannot process the request because of a client-side error. Something about the request itself is malformed or invalid.
When you'll see it:
- Sending malformed JSON in an API request
- Missing required parameters in a form submission
- A URL that contains invalid characters
- A request body that doesn't match the expected format
- Cookie or header corruption
How to fix it:
- Check the request format — make sure JSON is valid, required fields are present, and data types are correct
- Inspect the URL — look for special characters, extra spaces, or encoding issues
- Clear browser cookies — corrupted cookies can cause 400 errors
- Check the Content-Type header — ensure it matches the body format (e.g., application/json for JSON)
For API developers: Return a descriptive error message in the response body so the client knows exactly what's wrong. For example: {"error": "Missing required field: email"}.
6. 401 Unauthorized
The 401 status code means the request lacks valid authentication credentials. Despite the name "Unauthorized," this code is actually about authentication (who you are), not authorization (what you're allowed to do).
When you'll see it:
- Accessing an API endpoint without an API key or token
- A login session has expired
- Providing an invalid or expired authentication token
- Trying to access a password-protected page without credentials
How to fix it:
- Check your credentials — ensure your API key, token, or password is correct
- Refresh your token — if using OAuth or JWT, the token may have expired
- Log in again — your session may have timed out
- Check the Authorization header — ensure it's formatted correctly (e.g., Bearer <token>)
401 vs 403: These two are often confused. See our detailed comparison: 401 vs 403: What's the Difference?
7. 403 Forbidden
The 403 status code means the server understood the request and knows who you are, but refuses to authorize it. Unlike 401, re-authenticating won't help — you simply don't have permission.
When you'll see it:
- Trying to access an admin panel without admin privileges
- Accessing a file or directory where directory listing is disabled
- IP-based restrictions blocking your access
- Hotlink protection preventing direct access to images or files
- Web Application Firewalls (WAF) blocking a request
How to fix it:
- Check your permissions — ensure your account has access to the resource
- Check file permissions — on the server, verify the file is readable (common issue: chmod settings)
- Check .htaccess rules — access restrictions may be configured here
- Contact the site owner — you may need elevated privileges
Common error message: Failed to load resource: the server responded with a status of 403 — this typically appears in browser developer tools when a script, image, or API call is blocked.
8. 404 Not Found
The 404 status code means the server can't find the requested resource. It's the most recognizable HTTP error for regular internet users.
When you'll see it:
- Clicking a broken or outdated link
- Typing a URL incorrectly
- A page was deleted without a redirect in place
- An API endpoint that doesn't exist
How to fix it:
- Check the URL — look for typos or incorrect paths
- Use a redirect — if the page moved, set up a 301 redirect to the new location
- Create a custom 404 page — help users find what they're looking for with search, navigation, or popular links
- Audit broken links — use tools to scan your site for links pointing to pages that no longer exist
SEO impact: Excessive 404 errors can hurt your site's SEO. Google Search Console reports 404 errors under "Coverage" — fix the important ones by adding redirects.
404 vs 410: A 404 means "not found" (might come back), while 410 means "gone" (permanently removed). Use 410 when you want search engines to remove the URL from their index faster.
9. 429 Too Many Requests
The 429 status code means you've sent too many requests in a given time period. The server is rate-limiting you to prevent abuse or overload.
When you'll see it:
- Making too many API calls in a short period
- Automated scripts or bots hitting a server too fast
- Exceeding a service's rate limit (e.g., 100 requests per minute)
How to fix it:
- Slow down — add delays between requests
- Check the Retry-After header — the server often tells you how long to wait
- Implement exponential backoff — wait progressively longer between retries
- Cache responses — avoid making the same request repeatedly
- Upgrade your plan — many APIs offer higher rate limits on paid tiers
10. 500 Internal Server Error
The 500 status code is a generic "something went wrong on the server" response. It means the server encountered an unexpected condition that prevented it from fulfilling the request.
When you'll see it:
- A bug in server-side code (unhandled exception, null pointer, syntax error)
- Database connectivity issues
- Misconfigured server settings
- A failed deployment
- Running out of memory or disk space
How to fix it:
- Check server logs — the actual error will be in your application or server logs
- Review recent deployments — a new code push may have introduced a bug
- Check database connections — ensure the database is running and accessible
- Verify server resources — check CPU, memory, and disk usage
- Test locally — try to reproduce the error in a development environment
For site visitors: A 500 error is not your fault. Try refreshing the page, clearing your cache, or coming back later. If it persists, the site owner needs to fix it.
11. 502 Bad Gateway
The 502 status code means a server acting as a gateway or proxy received an invalid response from an upstream server. In other words, the front-facing server is fine, but the server behind it is having problems.
When you'll see it:
- A reverse proxy (like Nginx) can't reach the application server
- A CDN can't connect to the origin server
- An API gateway receives a malformed response from a backend service
How to fix it:
- Check if the upstream server is running — restart it if needed
- Check proxy/gateway configuration — ensure it points to the correct backend
- Increase timeout settings — the upstream server may be too slow to respond
- Check firewall rules — the proxy may be blocked from reaching the backend
12. 503 Service Unavailable
The 503 status code means the server is temporarily unable to handle the request, usually due to maintenance or overload. Unlike 500, a 503 implies the issue is temporary.
When you'll see it:
- The server is undergoing planned maintenance
- Traffic spikes overwhelm the server
- A dependent service (database, cache, external API) is down
- The server is restarting or deploying new code
How to fix it:
- Check if it's planned maintenance — wait for it to complete
- Scale your infrastructure — add more servers or increase capacity
- Implement a queue — handle traffic spikes gracefully
- Add a maintenance page — use the Retry-After header to tell clients when to try again
- Set up monitoring — use an uptime monitoring tool to get alerted when your server goes down
503 vs 500: A 500 means something broke unexpectedly. A 503 means the server is temporarily unavailable but is expected to recover. For planned maintenance, always use 503 with a Retry-After header.
For a deeper look, see our full guide: 503 Service Unavailable Error: What Is It and How to Fix It?
13. 504 Gateway Timeout
The 504 status code means a server acting as a gateway or proxy didn't receive a response from the upstream server in time. It's similar to 502, but instead of an invalid response, there was no response at all.
When you'll see it:
- A backend server is too slow to respond
- Network issues between the proxy and the upstream server
- Long-running database queries that exceed timeout limits
How to fix it:
- Increase timeout settings on your proxy/load balancer
- Optimize slow queries or operations on the backend
- Check network connectivity between servers
- Scale backend resources — the server may need more CPU or memory
HTTP Status Codes in REST APIs
If you're building or consuming APIs, status codes are how you communicate what happened. Here are the most common patterns:
| Operation | Success Code | Common Error Codes |
|---|---|---|
| GET (read) | 200 OK | 404 Not Found, 401 Unauthorized |
| POST (create) | 201 Created | 400 Bad Request, 409 Conflict |
| PUT/PATCH (update) | 200 OK | 400 Bad Request, 404 Not Found |
| DELETE | 204 No Content | 404 Not Found, 403 Forbidden |
Best practices for API error responses:
- Always return a meaningful error message in the body, not just the status code
- Use 400 for validation errors and include which fields failed
- Use 401 when authentication is missing, 403 when it's present but insufficient
- Use 404 when the resource doesn't exist
- Use 429 when rate limiting, and include a Retry-After header
- Use 500 only for unexpected server errors — never return 500 for client mistakes
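The ordering these practices imply, shown as an added example that is not code from the original article: a framework-free handler for a hypothetical POST /users endpoint that checks authentication, then authorization, then the request body, and returns a generic 500 only for an unexpected server fault. The token table, role names, field names and URL path are constructed for the illustration.

```python
import json

# Constructed sample data: bearer token -> roles (hypothetical, for illustration)
TOKENS = {"tok-alice": {"admin"}, "tok-bob": {"user"}}
REQUIRED = ("email", "name")

def respond(status, body, headers=None):
    return status, headers or {}, json.dumps(body)

def create_user(headers, raw_body, store):
    """Hypothetical POST /users handler; returns (status, headers, body)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or token not in TOKENS:
        # No valid credentials: 401, plus the scheme the client should use.
        return respond(401, {"error": "Authentication required"},
                       {"WWW-Authenticate": "Bearer"})
    if "admin" not in TOKENS[token]:
        # Authenticated but not permitted: 403, re-authenticating will not help.
        return respond(403, {"error": "Admin role required"})
    try:
        data = json.loads(raw_body)
    except ValueError:
        return respond(400, {"error": "Body is not valid JSON"})
    if not isinstance(data, dict):
        return respond(400, {"error": "Body must be a JSON object"})
    bad = [f for f in REQUIRED if not isinstance(data.get(f), str) or not data[f]]
    if bad:
        # Validation error: name the failing fields so the client can fix them.
        return respond(400, {"error": "Missing or invalid fields", "fields": bad})
    if data["email"] in store:
        return respond(409, {"error": "User already exists"})
    try:
        store.add(data["email"])
    except Exception:
        # Unexpected server fault: generic 500 body; details go to server logs.
        return respond(500, {"error": "Internal server error"})
    return respond(201, {"email": data["email"]},
                   {"Location": "/users/" + data["email"]})
```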
Quick Reference: Complete Status Code Table
1xx — Informational
| Code | Name | Meaning |
|---|---|---|
| 100 | Continue | The server received the request headers; the client should send the body |
| 101 | Switching Protocols | The server is switching to a different protocol (e.g., WebSocket) |
2xx — Success
| Code | Name | Meaning |
|---|---|---|
| 200 | OK | The request succeeded |
| 201 | Created | A new resource was created |
| 204 | No Content | Success, but no content to return |
3xx — Redirection
| Code | Name | Meaning |
|---|---|---|
| 301 | Moved Permanently | The resource has permanently moved |
| 302 | Found | The resource has temporarily moved |
| 304 | Not Modified | The cached version is still valid |
| 307 | Temporary Redirect | Same as 302, but preserves the HTTP method |
| 308 | Permanent Redirect | Same as 301, but preserves the HTTP method |
4xx — Client Errors
| Code | Name | Meaning |
|---|---|---|
| 400 | Bad Request | The request is malformed or invalid |
| 401 | Unauthorized | Authentication is required |
| 403 | Forbidden | You don't have permission |
| 404 | Not Found | The resource doesn't exist |
| 405 | Method Not Allowed | The HTTP method isn't supported for this resource |
| 408 | Request Timeout | The server timed out waiting for the request |
| 409 | Conflict | The request conflicts with the current state |
| 410 | Gone | The resource has been permanently removed |
| 422 | Unprocessable Entity | The request is well-formed but contains semantic errors |
| 429 | Too Many Requests | Rate limit exceeded |
5xx — Server Errors
| Code | Name | Meaning |
|---|---|---|
| 500 | Internal Server Error | An unexpected server error occurred |
| 501 | Not Implemented | The server doesn't support the requested feature |
| 502 | Bad Gateway | The gateway received an invalid upstream response |
| 503 | Service Unavailable | The server is temporarily unavailable |
| 504 | Gateway Timeout | The gateway didn't receive a timely upstream response |
Conclusion
HTTP status codes are the language servers use to communicate with clients. Whether you're a developer debugging a broken API, a site owner investigating downtime, or someone wondering why a webpage won't load, understanding these codes helps you identify and fix problems faster.
The most important takeaway: 4xx codes mean the client made a mistake (fix your request), and 5xx codes mean the server has a problem (check your server). When in doubt, check your server logs for 5xx errors and your request format for 4xx errors.
For monitoring your website's HTTP responses in real-time, tools like Hyperping can alert you the moment your site starts returning error codes, so you can fix issues before your users even notice.




