HTTP Status Codes: The Complete Guide

How HTTP Status Codes Are Organised

HTTP status codes are grouped into five classes based on their first digit:

• 1xx — Informational: The server has received the request and is continuing the process.
• 2xx — Success: The request was successfully received, understood, and accepted.
• 3xx — Redirection: Further action is required to complete the request.
• 4xx — Client Error: The request contains an error and cannot be fulfilled.
• 5xx — Server Error: The server failed to fulfil a valid request.

You can look up any code quickly using our HTTP Status Codes reference tool, which lists every code with a plain-English explanation.

The Most Important 2xx Success Codes

200 OK — The standard success response. The request was successful and the response body contains the requested resource. This is what every page visit and successful API call should return.

201 Created — Used by REST APIs when a new resource has been created (typically in response to a POST request). Should include a Location header pointing to the new resource.

204 No Content — The request was successful but there is no response body. Common for DELETE requests and PUT requests that do not return updated data.

206 Partial Content — Used for range requests — for example, when a video player requests only a portion of a video file for streaming.

3xx Redirect Codes and SEO

301 Moved Permanently — The resource has permanently moved to a new URL. Search engines transfer the original URL's ranking signals (link equity) to the new URL over time. Use this for permanent URL changes, domain migrations, and consolidating duplicate content.

302 Found (Temporary Redirect) — The resource is temporarily at a different URL. Search engines keep the original URL indexed. Use this for A/B tests, temporary maintenance pages, or seasonal redirects that will be removed later.

304 Not Modified — The resource has not changed since the last request. The browser should use its cached version. This is used with caching headers (ETag, Last-Modified) to avoid re-downloading unchanged resources.

307 Temporary Redirect — Like 302, but explicitly preserves the HTTP method. If the original request was a POST, the redirected request must also be a POST. Use 307 instead of 302 in API contexts where the method matters.

308 Permanent Redirect — Like 301, but method-preserving. The permanent equivalent of 307.

4xx Client Error Codes

400 Bad Request — The server cannot process the request because it is malformed. Common in APIs when required parameters are missing, the JSON is invalid, or validation fails. Return this with a descriptive error message body.

401 Unauthorized — The request requires authentication. The user must log in or provide a valid API token. Despite its name, 401 specifically means "unauthenticated" — the user has not identified themselves.

403 Forbidden — The server understands the request but refuses it. The user is authenticated but does not have permission to access the resource. Different from 401 — use 403 when a logged-in user tries to access something they are not allowed to see.

404 Not Found — The requested resource could not be found. The most common error code on the web. Use 404 for pages that have never existed or pages that have been removed without a permanent replacement.

410 Gone — Like 404, but signals that the resource is permanently gone and will not return. Google deindexes 410 pages faster than 404 pages, making 410 preferable for intentionally deleted content you want removed from search results quickly.

422 Unprocessable Entity — The request is well-formed but contains semantic errors — validation failures, for example. Common in REST APIs when data is structurally valid JSON but fails business logic validation.

429 Too Many Requests — The client has sent too many requests in a given time period (rate limiting). The response should include a Retry-After header indicating when the client can try again.

5xx Server Error Codes

500 Internal Server Error — A generic server error. Something unexpected went wrong. Check your server logs for the specific exception or error message. This is the most common server error and can indicate a PHP error, database failure, or application crash.

502 Bad Gateway — The server acting as a gateway received an invalid response from an upstream server. Common when a reverse proxy (like Nginx) cannot reach your application server (like Node.js or PHP-FPM) because it crashed or is overloaded.

503 Service Unavailable — The server is temporarily unable to handle the request — usually due to maintenance or overload. Include a Retry-After header. Search engines pause crawling when they encounter 503s and resume later.

504 Gateway Timeout — The gateway server did not receive a timely response from the upstream server. Often caused by a slow database query, a slow third-party API call, or a server under heavy load.

HTTP Status Codes in REST API Design

Choosing the right status codes in your API makes it predictable and easy to use. A common pattern for REST resources:

• GET /users/123 → 200 OK (found) or 404 Not Found
• POST /users → 201 Created with a Location header
• PUT /users/123 → 200 OK or 204 No Content
• DELETE /users/123 → 204 No Content or 404 Not Found
• Validation failure → 422 Unprocessable Entity with error details
• Auth required → 401 Unauthorized
• Insufficient permissions → 403 Forbidden

Use our HTTP Status Codes tool as a quick reference next time you're deciding which code to return in your API or need to look up what an unfamiliar code means.

Frequently Asked Questions

What is the difference between 301 and 302 redirects?

A 301 redirect is permanent — search engines transfer the original page's ranking signals to the new URL. A 302 redirect is temporary — search engines keep the original URL indexed. Use 301 for permanent URL changes and 302 for temporary moves.

What causes a 500 Internal Server Error?

A 500 error means something went wrong on the server — a PHP error, a failed database query, a configuration mistake, or a crashed application. The server logs will contain the specific error. It is the server equivalent of an unknown error.

What is the difference between 401 and 403?

401 Unauthorized means the request requires authentication — the user needs to log in. 403 Forbidden means the server understands the request but refuses it — the user is authenticated but doesn't have permission.

Which HTTP status codes are important for SEO?

200 (OK), 301 (Permanent Redirect), 404 (Not Found), and 410 (Gone) are the most SEO-relevant. 301 passes link equity to new URLs. 404 tells Google the page is gone but may come back. 410 signals permanent removal, which can speed up deindexing.