HTTP Status Codes Every Developer Should Know
June 19, 2026 · DevTools
Every HTTP response carries a three-digit status code. They look arbitrary, but they follow one simple rule: the first digit is the class, the rest narrow it down. Learn the classes and most codes explain themselves.
For a specific code's full meaning, open it on the HTTP Status Codes reference.
The five classes
| Class | Means | Mnemonic |
|---|---|---|
| 1xx | Informational | "hold on" |
| 2xx | Success | "here you go" |
| 3xx | Redirection | "go over there" |
| 4xx | Client error | "you messed up" |
| 5xx | Server error | "I messed up" |
The ones you meet daily
200 OK — the request succeeded. For a GET, the body is your data.
201 Created — a POST that made a new resource. The response usually includes the new item (and ideally a Location header).
204 No Content — success, but nothing to return. Common for DELETE or a PUT that needs no body.
301 Moved Permanently — the URL changed for good. Browsers and search engines cache this and update their links.
302 Found — a temporary redirect. Use sparingly for permanent moves; it confuses SEO.
304 Not Modified — your cached copy is still good, no need to re-download. Driven by ETag/If-None-Match headers.
400 Bad Request — malformed input (broken JSON, missing required field). The client sent something the server cannot parse.
401 Unauthorized — really "unauthenticated." You are not logged in, or your token is missing/invalid. (See our JWT guide for how tokens carry auth.)
403 Forbidden — you are authenticated, but not allowed. Your identity is known; the permission is denied.
404 Not Found — the resource does not exist (or the server will not tell you it does). Returning 404 instead of 401 for a private resource avoids leaking its existence.
409 Conflict — the request clashes with current state (duplicate email, stale version).
429 Too Many Requests — you are being rate-limited. Slow down; honor Retry-After.
500 Internal Server Error — the server threw up. Something broke server-side; check logs.
502 Bad Gateway / 503 Service Unavailable / 504 Gateway Timeout — infrastructure problems: an upstream failed, the service is down or overloaded, or a proxy timed out waiting for it.
Mistakes people make
- Treating 401 and 403 as synonyms. 401 = "who are you?", 403 = "I know who you are, and no."
- Returning 200 with an error in the body. A failed request should be a 4xx/5xx; HTTP status is the contract, not a payload field.
- Using 302 for permanent moves. That breaks link-credit flow to search engines; use 301.
- Blaming the server for a 4xx. If it starts with 4, the request was the problem — fix the client.
- Confusing 404 with 410. 410 Gone means "existed once, intentionally removed"; 404 just means "not here."
CORS is not a status code, but it acts like one
A failed CORS check shows up in the browser as a red error, often with an opaque response that looks like a network failure. The status from the server may be fine — the browser just refused to hand the response to your JavaScript. The CORS Validator tells you which headers are missing, and you can craft the exact request with the HTTP Request Builder.
For any code not covered here, the HTTP Status Codes reference has the full list, one page per code.