HTTP Status Code Reference
Network
All 60+ standardized HTTP response codes from 100 Continue to 511 Network Authentication Required, with a one-line summary, RFC reference, recommended usage, and a 'pitfall' note for codes that are commonly misused (401 vs 403, 301 caching forever, 400 vs 422, etc). Filter by class (1xx informational, 2xx success, 3xx redirect, 4xx client, 5xx server) or full-text search across code, name, summary, and notes.
Matches: 61
100ContinueServer received headers; client should send the body.
RFC: RFC 9110 §15.2.1
101Switching ProtocolsServer agrees to switch protocols (e.g., HTTP/2, WebSocket).
When: WebSocket upgrade handshakes.
RFC: RFC 9110 §15.2.2
102ProcessingWebDAV: request received but no response yet.
RFC: RFC 2518
103Early HintsPreload hints sent before the final response.
When: Send Link: rel=preload for critical assets before the slow backend reply lands.
RFC: RFC 8297
200OKStandard success response with a body.
RFC: RFC 9110 §15.3.1
201CreatedResource was created; include Location header pointing to it.
When: POST that creates a new resource. Body is optional.
RFC: RFC 9110 §15.3.2
202AcceptedRequest accepted for async processing; no result yet.
When: Long-running jobs — return a status URL for the client to poll.
RFC: RFC 9110 §15.3.3
203Non-Authoritative InformationResponse was transformed by a proxy.
RFC: RFC 9110 §15.3.4
204No ContentSuccess but no body to send.
When: DELETE success, PUT with no useful body, preflight OK.
Pitfall: MUST NOT include a message body. Some libraries error if you do.
RFC: RFC 9110 §15.3.5
205Reset ContentSuccess; client should reset the document view (clear form).
RFC: RFC 9110 §15.3.6
206Partial ContentRange request was honored; partial body follows.
When: Resumable downloads, video seek.
RFC: RFC 9110 §15.3.7
207Multi-StatusWebDAV multi-resource batched results.
RFC: RFC 4918
208Already ReportedWebDAV: bindings already enumerated earlier in the response.
RFC: RFC 5842
226IM UsedDelta encoding response.
RFC: RFC 3229
300Multiple ChoicesMultiple resources match; client should pick one.
RFC: RFC 9110 §15.4.1
301Moved PermanentlyResource has a new permanent URL. Caches forever.
When: Domain migration, URL restructure.
Pitfall: Browsers cache 301 aggressively — fixing a wrong one is painful. Test with 302 first.
RFC: RFC 9110 §15.4.2
302FoundTemporary redirect (legacy semantics, method may change).
Pitfall: Historically rewrote POST→GET. Use 303 or 307 for explicit method-preservation semantics.
RFC: RFC 9110 §15.4.3
303See OtherRedirect that always becomes a GET.
When: POST/Redirect/GET pattern after form submit.
RFC: RFC 9110 §15.4.4
304Not ModifiedConditional request: cached copy is still fresh.
When: Response to If-None-Match / If-Modified-Since.
Pitfall: MUST NOT include a body.
RFC: RFC 9110 §15.4.5
307Temporary RedirectTemporary; method and body must be preserved.
RFC: RFC 9110 §15.4.8
308Permanent RedirectPermanent; method and body must be preserved.
When: POSTs that must survive a permanent move. Prefer over 301 for API endpoints.
RFC: RFC 9110 §15.4.9
400Bad RequestGeneric malformed request the server cannot parse.
Pitfall: Don't use 400 for valid syntax with bad semantics — use 422 instead.
RFC: RFC 9110 §15.5.1
401UnauthorizedAuthentication required or failed. Must include WWW-Authenticate.
Pitfall: Misnamed historically — means "unauthenticated". Use 403 for "authenticated but not allowed".
RFC: RFC 9110 §15.5.2
402Payment RequiredReserved for future use; some APIs use for billing failures.
RFC: RFC 9110 §15.5.3
403ForbiddenAuthenticated but the action is not allowed for this principal.
When: Authorization failure, geo-block, or "you cannot do this regardless of auth".
RFC: RFC 9110 §15.5.4
404Not FoundResource does not exist (or you are hiding it).
When: Often returned instead of 403 to avoid disclosing existence.
RFC: RFC 9110 §15.5.5
405Method Not AllowedResource exists but does not support this verb. MUST include Allow header.
RFC: RFC 9110 §15.5.6
406Not AcceptableNo representation matches the Accept headers.
RFC: RFC 9110 §15.5.7
407Proxy Authentication RequiredLike 401 but for proxies. Must include Proxy-Authenticate.
RFC: RFC 9110 §15.5.8
408Request TimeoutServer gave up waiting for the request to finish.
RFC: RFC 9110 §15.5.9
409ConflictRequest collides with current state (e.g., edit conflict, duplicate).
When: Unique-key violations on creation, version mismatch on update.
RFC: RFC 9110 §15.5.10
410GoneResource permanently removed with no forwarding address.
When: Use over 404 when you want crawlers/clients to drop the URL permanently.
RFC: RFC 9110 §15.5.11
411Length RequiredServer requires Content-Length and the request omitted it.
RFC: RFC 9110 §15.5.12
412Precondition FailedIf-Match / If-Unmodified-Since check failed.
When: Optimistic concurrency control on updates.
RFC: RFC 9110 §15.5.13
413Content Too LargeBody exceeds the server limit. Formerly "Payload Too Large".
RFC: RFC 9110 §15.5.14
414URI Too LongURL exceeds server limit (commonly ~8KB).
RFC: RFC 9110 §15.5.15
415Unsupported Media TypeContent-Type is not supported by this endpoint.
RFC: RFC 9110 §15.5.16
416Range Not SatisfiableRange header asks for bytes outside the resource.
RFC: RFC 9110 §15.5.17
417Expectation FailedServer cannot meet the Expect: header requirements.
RFC: RFC 9110 §15.5.18
418I'm a teapotApril-fools status (RFC 2324). Returned by some debugging or honeypot endpoints.
RFC: RFC 2324
421Misdirected RequestRequest was routed to a server that cannot produce a response (e.g., wrong SNI).
RFC: RFC 9110 §15.5.20
422Unprocessable ContentSyntactically valid but semantically incorrect (e.g., validation failure).
When: Form-level validation errors on a JSON API.
RFC: RFC 9110 §15.5.21
423LockedWebDAV: resource is locked.
RFC: RFC 4918
424Failed DependencyWebDAV: a previous request in the chain failed.
RFC: RFC 4918
425Too EarlyServer refuses replay-vulnerable early data (TLS 1.3 0-RTT).
RFC: RFC 8470
426Upgrade RequiredClient must upgrade to a different protocol. Include Upgrade header.
RFC: RFC 9110 §15.5.22
428Precondition RequiredServer requires the request to be conditional (If-Match etc).
When: APIs that demand optimistic-concurrency tokens to prevent lost updates.
RFC: RFC 6585
429Too Many RequestsRate-limited. Include Retry-After header.
RFC: RFC 6585
431Request Header Fields Too LargeSum of headers exceeds the server limit.
RFC: RFC 6585
451Unavailable For Legal ReasonsBlocked due to legal demand (Fahrenheit 451 reference).
RFC: RFC 7725
500Internal Server ErrorUnhandled exception or generic server crash.
Pitfall: Never expose stack traces — log them server-side only.
RFC: RFC 9110 §15.6.1
501Not ImplementedServer does not support the requested method at all.
RFC: RFC 9110 §15.6.2
502Bad GatewayUpstream returned an invalid response to the gateway.
When: Load balancer cannot reach origin; origin returned junk.
RFC: RFC 9110 §15.6.3
503Service UnavailableServer temporarily down or overloaded. Should include Retry-After.
RFC: RFC 9110 §15.6.4
504Gateway TimeoutGateway gave up waiting for upstream.
RFC: RFC 9110 §15.6.5
505HTTP Version Not SupportedServer does not support the HTTP version in the request.
RFC: RFC 9110 §15.6.6
506Variant Also NegotiatesTransparent content negotiation is misconfigured.
RFC: RFC 2295
507Insufficient StorageWebDAV: server cannot store the representation.
RFC: RFC 4918
508Loop DetectedWebDAV: infinite loop while processing.
RFC: RFC 5842
510Not ExtendedFurther extensions required to fulfill the request.
RFC: RFC 2774
511Network Authentication RequiredCaptive portal: log in to the network first.
When: Public Wi-Fi splash pages.
RFC: RFC 6585
How to use
- Type a code, name, or any word in the search bar (e.g. "redirect", "rate limit", "422").
- Optionally filter by class with the colored chips.
- Read summary, when-to-use, common pitfalls, and the RFC reference for each match.
Frequently asked questions
- Why call out a 'pitfall' for some codes?
- A handful of status codes are routinely misapplied. 401 means 'unauthenticated' but reads like 'unauthorized'; 301 caches in browsers effectively forever; 400 vs 422 is constantly fought over. These notes flag the specific traps that bite teams in code review or post-incident.
- Are WebDAV codes included?
- Yes — 102, 207, 208, 423, 424, 507, 508 are listed with their RFC. Even if you don't use WebDAV, libraries and proxies sometimes surface them, so it's worth knowing what they mean.
- What about non-standard codes (like Cloudflare's 520-527)?
- Vendor-specific codes (Cloudflare 520-527, AWS' 460/463, IIS' 440) are excluded — they're not in any RFC and meanings differ by vendor. Look those up in the specific vendor's docs.
- Why is the 'when to use' field empty for some codes?
- If the code is trivially named (200 OK, 500 Internal Server Error) or only ever appears in special contexts, the summary alone is enough. The when/pitfall fields only show when there's a real call-it-out story.
Related tools
URL Query Builder
Build URLs by combining a base address with editable key-value query parameters — each pair toggleable, properly percent-encoded.
IP Address Inspector
Type an IPv4 or IPv6 address and see its class, scope (private / public / loopback / link-local), decimal value, binary, reverse-DNS notation, and /32 CIDR.
Port Number Reference
Searchable cheat sheet for ~60 standard TCP / UDP port numbers — from 22 (SSH) and 80 (HTTP) to 6379 (Redis) and 27017 (MongoDB).
DNS Record Reference
Searchable cheat sheet for DNS record types — A, AAAA, CNAME, MX, TXT, NS, SOA, PTR, SRV, CAA, DNSSEC, SVCB / HTTPS — with examples.
Subnet Calculator (IPv4 / CIDR)
Parse an IPv4 CIDR into network address, broadcast, netmask, wildcard, host range, and class. Shows binary breakdown and private/public status.
User Agent Parser
Parse a User-Agent string into browser, engine, OS, device, and CPU. Detects 20+ bots including GPTBot, ClaudeBot, PerplexityBot.