HTTP Status Codes Guide: Every Code Explained

April 2026 · 8 min read · ToolsBox Team

A comprehensive guide to every HTTP status code — what they mean, when they occur and how to handle them.

Every time your browser requests a web page or your application calls an API, the server responds with a three-digit number before anything else. That number is an HTTP status code — a standardised signal that tells the client whether the request succeeded, where to look instead, or what went wrong. Understanding status codes is essential for web developers, API designers, and anyone who cares about SEO.

How HTTP Status Codes Are Organised

HTTP status codes are grouped into five classes based on their first digit:

  • 1xx — Informational: The server has received the request and is continuing the process.
  • 2xx — Success: The request was successfully received, understood, and accepted.
  • 3xx — Redirection: Further action is required to complete the request.
  • 4xx — Client Error: The request contains an error and cannot be fulfilled.
  • 5xx — Server Error: The server failed to fulfil a valid request.

You can look up any code quickly using our HTTP Status Codes reference tool, which lists every code with a plain-English explanation.

The Most Important 2xx Success Codes

200 OK — The standard success response. The request was successful and the response body contains the requested resource. This is what every page visit and successful API call should return.

201 Created — Used by REST APIs when a new resource has been created (typically in response to a POST request). Should include a Location header pointing to the new resource.

204 No Content — The request was successful but there is no response body. Common for DELETE requests and PUT requests that do not return updated data.

206 Partial Content — Used for range requests — for example, when a video player requests only a portion of a video file for streaming.

3xx Redirect Codes and SEO

301 Moved Permanently — The resource has permanently moved to a new URL. Search engines transfer the original URL's ranking signals (link equity) to the new URL over time. Use this for permanent URL changes, domain migrations, and consolidating duplicate content.

302 Found (Temporary Redirect) — The resource is temporarily at a different URL. Search engines keep the original URL indexed. Use this for A/B tests, temporary maintenance pages, or seasonal redirects that will be removed later.

304 Not Modified — The resource has not changed since the last request. The browser should use its cached version. This is used with caching headers (ETag, Last-Modified) to avoid re-downloading unchanged resources.

307 Temporary Redirect — Like 302, but explicitly preserves the HTTP method. If the original request was a POST, the redirected request must also be a POST. Use 307 instead of 302 in API contexts where the method matters.

308 Permanent Redirect — Like 301, but method-preserving. The permanent equivalent of 307.

4xx Client Error Codes

400 Bad Request — The server cannot process the request because it is malformed. Common in APIs when required parameters are missing, the JSON is invalid, or validation fails. Return this with a descriptive error message body.

401 Unauthorized — The request requires authentication. The user must log in or provide a valid API token. Despite its name, 401 specifically means "unauthenticated" — the user has not identified themselves.

403 Forbidden — The server understands the request but refuses it. The user is authenticated but does not have permission to access the resource. Different from 401 — use 403 when a logged-in user tries to access something they are not allowed to see.

404 Not Found — The requested resource could not be found. The most common error code on the web. Use 404 for pages that have never existed or pages that have been removed without a permanent replacement.

410 Gone — Like 404, but signals that the resource is permanently gone and will not return. Google deindexes 410 pages faster than 404 pages, making 410 preferable for intentionally deleted content you want removed from search results quickly.

422 Unprocessable Entity — The request is well-formed but contains semantic errors — validation failures, for example. Common in REST APIs when data is structurally valid JSON but fails business logic validation.

429 Too Many Requests — The client has sent too many requests in a given time period (rate limiting). The response should include a Retry-After header indicating when the client can try again.

5xx Server Error Codes

500 Internal Server Error — A generic server error. Something unexpected went wrong. Check your server logs for the specific exception or error message. This is the most common server error and can indicate a PHP error, database failure, or application crash.

502 Bad Gateway — The server acting as a gateway received an invalid response from an upstream server. Common when a reverse proxy (like Nginx) cannot reach your application server (like Node.js or PHP-FPM) because it crashed or is overloaded.

503 Service Unavailable — The server is temporarily unable to handle the request — usually due to maintenance or overload. Include a Retry-After header. Search engines pause crawling when they encounter 503s and resume later.

504 Gateway Timeout — The gateway server did not receive a timely response from the upstream server. Often caused by a slow database query, a slow third-party API call, or a server under heavy load.

HTTP Status Codes in REST API Design

Choosing the right status codes in your API makes it predictable and easy to use. A common pattern for REST resources:

  • GET /users/123 → 200 OK (found) or 404 Not Found
  • POST /users → 201 Created with a Location header
  • PUT /users/123 → 200 OK or 204 No Content
  • DELETE /users/123 → 204 No Content or 404 Not Found
  • Validation failure → 422 Unprocessable Entity with error details
  • Auth required → 401 Unauthorized
  • Insufficient permissions → 403 Forbidden
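
The pattern above as one small handler, showing the order in which the checks run and the headers that go with each code. This is an added example, not ToolsBox code; the in-memory USERS store, the token-to-role map and the handle() function are hypothetical.

```python
USERS = {123: {"name": "Ada"}}                       # constructed sample data
TOKENS = {"t-admin": "admin", "t-reader": "reader"}  # constructed token -> role map


def valid_name(body):
    """Return the cleaned name, or None if the parsed JSON object fails validation."""
    name = (body or {}).get("name")
    return name.strip() if isinstance(name, str) and name.strip() else None


def handle(method, path, token=None, body=None):
    """Return (status, headers, body) for a request under /users."""
    role = TOKENS.get(token)
    if role is None:
        # Caller has not identified themselves: 401 plus a challenge header.
        return 401, {"WWW-Authenticate": "Bearer"}, {"error": "authentication required"}
    if method != "GET" and role != "admin":
        # Caller is known but may not modify users: 403, decided before any lookup.
        return 403, {}, {"error": "insufficient permissions"}

    parts = path.strip("/").split("/")
    if parts[0] != "users" or len(parts) > 2 or (len(parts) == 2 and not parts[1].isdigit()):
        return 404, {}, {"error": "not found"}

    if len(parts) == 1:                               # collection: /users
        if method != "POST":
            return 405, {"Allow": "POST"}, {"error": "method not allowed"}
        name = valid_name(body)
        if name is None:
            # Well-formed JSON that fails validation: 422 with field-level details.
            return 422, {}, {"errors": {"name": "must be a non-empty string"}}
        new_id = max(USERS, default=0) + 1
        USERS[new_id] = {"name": name}
        return 201, {"Location": f"/users/{new_id}"}, USERS[new_id]

    user_id = int(parts[1])                           # item: /users/<id>
    if user_id not in USERS:
        return 404, {}, {"error": "not found"}
    if method == "GET":
        return 200, {}, USERS[user_id]
    if method == "PUT":
        name = valid_name(body)
        if name is None:
            return 422, {}, {"errors": {"name": "must be a non-empty string"}}
        USERS[user_id] = {"name": name}
        return 200, {}, USERS[user_id]
    if method == "DELETE":
        del USERS[user_id]
        return 204, {}, None
    return 405, {"Allow": "GET, PUT, DELETE"}, {"error": "method not allowed"}
```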

Use our HTTP Status Codes tool as a quick reference next time you're deciding which code to return in your API or need to look up what an unfamiliar code means.

Quick Reference: Every Common HTTP Status Code

Code | Name | Meaning
200 | OK | Request succeeded. Response body contains the result.
201 | Created | New resource created. Location header points to it.
204 | No Content | Success but no response body (used for DELETE, some PUT).
206 | Partial Content | Partial resource delivered (range request, video streaming).
301 | Moved Permanently | URL changed forever. Search engines pass ranking signals to new URL.
302 | Found | Temporary redirect. Original URL stays indexed.
304 | Not Modified | Use cached version — content hasn't changed.
307 | Temporary Redirect | Temporary, method-preserving redirect (POST stays POST).
308 | Permanent Redirect | Permanent, method-preserving redirect.
400 | Bad Request | Malformed request — missing params, invalid JSON, failed validation.
401 | Unauthorized | Authentication required. User not logged in.
403 | Forbidden | Authenticated but not permitted. Access denied.
404 | Not Found | Resource does not exist at this URL.
405 | Method Not Allowed | HTTP method not supported on this endpoint.
409 | Conflict | Request conflicts with current state (e.g., duplicate resource).
410 | Gone | Permanently deleted. Deindexed faster than 404.
422 | Unprocessable Entity | Valid JSON but fails business logic validation.
429 | Too Many Requests | Rate limit exceeded. Retry-After header indicates when to retry.
500 | Internal Server Error | Generic server failure — check application logs.
502 | Bad Gateway | Proxy received invalid response from upstream server.
503 | Service Unavailable | Server temporarily down — maintenance or overload.
504 | Gateway Timeout | Upstream server did not respond in time.

HTTP Status Codes and SEO: What Developers Must Know

Search engine crawlers interpret status codes to decide what to index, what to remove, and how to allocate crawl budget:

  • 200 OK — Google crawls and indexes the page normally. This is the only code that results in full indexing of the page content.
  • 301 Moved Permanently — Google eventually transfers the full ranking equity ("link juice") from the old URL to the new one. This transfer is not immediate — it typically takes days to weeks and may not be 100% of the original signal.
  • 302 Found — Google keeps the original URL indexed and does not transfer ranking equity. If you accidentally use a 302 for a permanent redirect, the old URL stays in the index and may outrank the new URL for your own content.
  • 404 Not Found — Google removes the page from its index but may check again periodically. A page returning 404 for several consecutive crawls is removed.
  • 410 Gone — Google removes the page from its index faster than a 404. Use 410 when you have deliberately removed content and want it removed from search results promptly.
  • 500 / 503 — Google pauses crawling and retries later. Persistent 5xx errors eventually cause deindexing. A brief 503 during maintenance is handled gracefully; a prolonged outage is not.
  • Soft 404s — A page that returns 200 OK but displays "page not found" text is a soft 404. Google detects these and may remove them from the index. Always return the correct status code that matches the actual content state.

Monitor your status codes in Google Search Console under Index → Pages. Any 4xx or 5xx errors on pages that should be indexed are worth fixing immediately.

Caching Headers That Work With Status Codes

Status codes work alongside HTTP caching headers to control how long browsers and CDNs store responses:

  • Cache-Control: max-age=31536000, immutable — Cache this resource for one year. Use for versioned static assets (CSS, JS with content hash in filename).
  • Cache-Control: no-cache — Must revalidate with the server before serving from cache. The cached copy is still used if the server returns 304 Not Modified.
  • Cache-Control: no-store — Never cache. Use for sensitive responses like authentication tokens or payment data.
  • ETag — A fingerprint of the response. The browser sends it back on the next request; if unchanged, the server returns 304 Not Modified, saving bandwidth.
  • Last-Modified — Similar to ETag but uses timestamps. Less precise but widely supported.

A 304 Not Modified response is only possible when the client has a cached version and the server confirms it hasn't changed. It saves both bandwidth and server processing — every 304 is a full page render avoided.
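
The ETag revalidation described above, together with the no-store rule for sensitive responses, as a server-side sketch. This is an added example, not ToolsBox code; respond(), make_etag() and the sensitive flag are hypothetical names, request headers are assumed to arrive as a dict with canonical key spelling, and ETag values are assumed to contain no commas.

```python
import hashlib


def make_etag(body: bytes) -> str:
    """Strong ETag: a quoted, truncated SHA-256 of the exact response bytes."""
    return '"' + hashlib.sha256(body).hexdigest()[:32] + '"'


def _opaque(tag: str) -> str:
    """Drop surrounding whitespace and a weak-validator prefix (W/) for comparison."""
    tag = tag.strip()
    return tag[2:] if tag.startswith("W/") else tag


def etag_matches(if_none_match: str, etag: str) -> bool:
    """If-None-Match uses weak comparison; '*' matches any current representation."""
    if if_none_match.strip() == "*":
        return True
    return _opaque(etag) in {_opaque(t) for t in if_none_match.split(",")}


def respond(body: bytes, request_headers: dict, sensitive: bool = False):
    """Return (status, headers, body) for a GET whose current content is `body`."""
    if sensitive:
        # Tokens, payment data: never stored by browser or CDN, so there is
        # nothing to revalidate and no validator is issued.
        return 200, {"Cache-Control": "no-store"}, body
    etag = make_etag(body)
    headers = {"ETag": etag, "Cache-Control": "no-cache"}
    sent = request_headers.get("If-None-Match")
    if sent and etag_matches(sent, etag):
        # Client copy is current: headers only, empty body.
        return 304, headers, b""
    return 200, headers, body
```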

Handling Errors in Webhooks and Background Jobs

Status codes matter not just for browser requests but for server-to-server communication. When building webhook endpoints or consuming third-party APIs:

  • Always return 200 quickly — Webhook senders expect a fast 200 response. If your processing takes more than a few seconds, acknowledge with 200 immediately and process asynchronously.
  • 429 handling — When you receive 429 from an API, check the Retry-After header. Implement exponential backoff: wait 1s, then 2s, then 4s, etc. Never hammer a rate-limited API in a loop.
  • Distinguish 4xx from 5xx — A 4xx error means your request was wrong — retrying will fail again until you fix the request. A 5xx error means the server had a problem — retrying after a delay may succeed.
  • Idempotency for retries — When retrying a POST request (after a timeout where you're not sure if the server processed it), use an idempotency key to prevent duplicate actions. Many payment APIs (Stripe, etc.) support this via an Idempotency-Key header.
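
The three client-side rules above (honour Retry-After, back off 1s, 2s, 4s, retry only 429 and 5xx, reuse one idempotency key) combined in one retry loop. This is an added example, not ToolsBox code; the send callable, the 60-second cap and the function names are assumptions, and response headers are assumed to be a dict keyed "Retry-After".

```python
import time
import uuid
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_DELAY = 60.0  # assumed cap so an oversized Retry-After cannot stall the worker


def parse_retry_after(value, now=None):
    """Seconds to wait from a Retry-After value (delta-seconds or HTTP date), else None."""
    if not value:
        return None
    value = value.strip()
    if value.isdigit():
        return float(value)
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None                            # unparseable hint: fall back to backoff
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return max(0.0, (when - now).total_seconds())


def retry_delay(status, headers, attempt, now=None):
    """Seconds to wait after failed attempt `attempt` (0-based), or None to stop."""
    if status == 429 or status >= 500:
        hinted = parse_retry_after(headers.get("Retry-After"), now)
        backoff = float(2 ** attempt)          # 1s, 2s, 4s, ...
        return min(MAX_DELAY, hinted if hinted is not None else backoff)
    return None                                # success, or a 4xx that needs a fixed request


def post_with_retries(send, max_attempts=4, sleep=time.sleep):
    """send(idempotency_key) -> (status, headers). Returns (final status, waits used)."""
    key = str(uuid.uuid4())                    # one key for every attempt of this operation
    waits = []
    for attempt in range(max_attempts):
        status, headers = send(key)
        delay = retry_delay(status, headers, attempt)
        if delay is None or attempt == max_attempts - 1:
            break
        waits.append(delay)
        sleep(delay)
    return status, waits
```

The send callable is expected to put the key it receives into the Idempotency-Key header of the POST it issues.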

Frequently Asked Questions

What is the difference between 301 and 302 redirects?

A 301 redirect is permanent — search engines transfer the original page's ranking signals to the new URL over time. A 302 redirect is temporary — search engines keep the original URL indexed and do not transfer ranking equity. Use 301 for permanent URL changes and domain migrations. Use 302 for A/B tests, temporary maintenance pages, or seasonal redirects you will remove later.

What causes a 500 Internal Server Error?

A 500 error is a generic server failure — something unexpected went wrong. Common causes: a PHP exception or fatal error, a failed database connection, a missing configuration value, or a crashed process. The specific cause is always in your server error logs (Apache error_log, Nginx error.log, or your application's log file). The response body should never expose internal details to end users.

What is the difference between 401 and 403?

401 Unauthorized means the request requires authentication — the client has not identified themselves (no token, no session, no credentials). 403 Forbidden means the client is authenticated but does not have permission to access this resource. Think of 401 as "who are you?" and 403 as "I know who you are but you're not allowed here."

Which HTTP status codes are important for SEO?

The most SEO-critical codes: 200 (normal indexing), 301 (permanent redirect — transfers ranking signals), 404 (page not found — Google eventually deindexes), 410 (permanently gone — deindexed faster than 404), and 503 (server unavailable — Google pauses crawling and retries). Also important: returning 200 with "not found" content (soft 404) is worse than returning a real 404, because Google may index an error page.

What is a soft 404 and why is it bad for SEO?

A soft 404 is when a page returns HTTP 200 OK but displays content like "page not found" or "no results." Search engines may index this content as a real page (a blank or error page). Google Search Console flags soft 404s in the Coverage report. Fix them by returning the correct 404 or 410 status code on pages with no real content.

Why does 429 have a Retry-After header?

429 Too Many Requests is a rate limiting response. The Retry-After header tells the client exactly how long to wait before retrying — either as a number of seconds or an HTTP date. Without it, clients may retry immediately and make the rate limiting problem worse. Always include Retry-After in 429 responses when building APIs, and always respect it when consuming them.

Should I return 404 or 410 for deleted content?

Use 410 Gone for content you have deliberately removed and do not want Google to recheck. 410 signals permanent deletion, and Google removes these URLs from its index faster than 404s. Use 404 when you're unsure if the content might return, or when handling URLs that never existed. For SEO purposes, 410 is better for intentionally deleted pages.
