HTTP Status Code Reference

API DEVELOPER HTTP REFERENCE

About this tool

Look up every HTTP status code instantly — with plain-English descriptions, use cases and fix tips.

Look up every HTTP status code instantly — with plain-English descriptions, common causes and fix tips. Covers all 1xx, 2xx, 3xx, 4xx and 5xx codes. Free, no signup.

RT-DEV-015 · Developer Tools

Click any card to expand

How to Use the HTTP Status Code Reference

Search by code or keyword

Type a status code number or keyword to instantly filter the list. Try "404", "redirect", "forbidden", or "timeout" — results update as you type.

Filter by category

Click any category pill to show only 2xx success, 4xx client errors, etc. Active pill is highlighted in orange. Click "All" to reset.

Expand for full details

Click any card to expand the full description, common causes and fix guidance. Click again to collapse. Only one card expands at a time.

Copy any code instantly

Copy any code with one click to use in your code or documentation. The Copy Code button appears when you expand a card — click it and the code is on your clipboard.

HTTP Status Codes — The Language Between Browsers, Servers and APIs

HTTP Status Codes Explained: What Your Browser Is Actually Telling You

When Tim Berners-Lee invented the HyperText Transfer Protocol (HTTP) in 1991, the very first version — HTTP/0.9 — had just a single implicit success state: if you got a response, it worked. There was no structured way to communicate failure. That changed rapidly. By 1996, HTTP/1.0 formalised the three-digit status code system, and RFC 7231 — the modern standard that governs HTTP/1.1 — defines the complete registry of status codes still in use today across HTTP/2 and HTTP/3.

Every time your browser loads a page, fetches an image, or your mobile app calls an API, the server responds with a three-digit status code. This code tells the client exactly what happened: did the request succeed, was the resource moved, is authentication required, or did something go wrong on the server side? The three digits are not arbitrary — the first digit defines the category (1xx informational, 2xx success, 3xx redirection, 4xx client error, 5xx server error), while the remaining two digits specify the exact condition within that category.

Understanding status codes is not just academic. Every developer building REST APIs, every frontend engineer debugging a failed request in Chrome DevTools, and every DevOps engineer monitoring a production system needs to read status codes fluently. In Chrome, open DevTools, click the Network tab, and reload any page — every single request shows its status code in the Status column. A green 200 means success; amber 3xx codes are redirects; red 4xx and 5xx codes are errors that need investigation.

ASEAN's fastest-growing tech companies — Grab, Shopee, Sea Group, GoTo, and dozens of Singapore-based fintech firms — publish extensive API documentation that relies on HTTP status codes to communicate success and failure to integration partners. Shopee's Open Platform returns 200 for success, 400 for bad parameters, 429 when rate limits are hit, and 500 for server-side issues. Understanding these codes is table stakes for any developer building on ASEAN digital infrastructure.

The Difference Between 401 and 403, 301 and 302 — and Why It Matters

Two of the most commonly confused pairs of status codes are 401 vs 403 and 301 vs 302. Getting them wrong has real consequences — for API security, user experience, and SEO.

401 Unauthorized vs 403 Forbidden: Despite the name "Unauthorized", 401 actually means unauthenticated — the client has not provided credentials, has provided invalid credentials, or the credentials have expired. The server is saying: "I don't know who you are." A 403 Forbidden, by contrast, means the server knows exactly who the client is but refuses to grant access to that specific resource. The client is authenticated but not authorised. In practice: a request with no JWT token should return 401; a request with a valid JWT but insufficient permissions should return 403. Mixing these up causes confusion for API consumers and can expose information about resource existence. Singapore's GovTech API standards, which govern all Singapore government API integrations, explicitly require correct use of 401 and 403 to prevent information leakage.

301 Moved Permanently vs 302 Found: The 301 is the workhorse of web migrations. When you move from HTTP to HTTPS, change domain names, or restructure URLs, a 301 tells every browser and every search engine crawler that the resource has permanently moved. Browsers cache 301 responses — the next visit goes directly to the new URL without even checking the old one. Search engines, including Google, transfer PageRank (link equity) from the old URL to the new one.

"Google's crawlers treat a 301 redirect differently from a 302 — a 301 passes full ranking signals to the new URL, while a 302 tells Google the move might be temporary. Getting this wrong costs SEO equity."

A 302, in contrast, is temporary. Browsers do not cache it; they check the original URL every time. Search engines do not transfer ranking signals for 302 redirects — they keep the original URL in their index. Use 302 for genuine temporary scenarios: A/B testing, maintenance pages, seasonal redirects. Use 301 for permanent URL changes. The wrong choice is one of the most common technical SEO mistakes in website migrations.

Reading API Errors Like a Developer: A Practical Guide for ASEAN Dev Teams

For backend engineers and API consumers, the distinction between similar codes often determines how your code handles errors. Take 400 Bad Request vs 422 Unprocessable Entity: a 400 means the request is structurally broken — malformed JSON, invalid URL encoding, or headers the server cannot parse. A 422 means the request was parsed successfully, but the data inside it failed validation — an email field containing "not an email", a required field that is missing, or a value outside an acceptable range. Good API design returns 422 with a structured list of field-level validation errors, not a generic 400. Laravel's built-in form request validation returns 422 automatically with a JSON error body listing every failed field.

The 429 Too Many Requests has become one of the most commonly encountered status codes for ASEAN developers. Every major API gateway — from AWS API Gateway to Grab's developer platform to Singapore's MyInfo API — implements rate limiting. When you hit a 429, the correct response in your code is exponential backoff: wait before retrying, and double the wait time with each subsequent attempt. Always check the Retry-After response header, which tells you exactly how many seconds to wait. Hard-coding a fixed retry delay is an anti-pattern; it can make rate limiting worse by creating synchronised retry storms.

In load-balanced, microservices-based environments — the architecture used by Shopee, Lazada, and Tokopedia to handle millions of concurrent transactions during 11.11 (Singles' Day) peak traffic — 502 Bad Gateway and 503 Service Unavailable are the most significant operational codes. A 502 means the reverse proxy (nginx, AWS CloudFront, Cloudflare) received an invalid response from the application server behind it — typically because an application instance crashed or returned a non-HTTP response. A 503 means the server is intentionally refusing traffic — it is overloaded or in maintenance mode. Correctly instrumenting your load balancer to return 503 with a Retry-After header during planned maintenance is a mark of production-ready engineering.

For teams building their own APIs, the discipline of returning the correct status code — rather than always returning 200 with an error field in the body — dramatically improves the experience of API consumers. Tools like Postman and Insomnia, used across ASEAN development teams for API testing, display status codes prominently and trigger different test assertions based on them. The curl -I command lets you inspect status codes from any terminal without a GUI tool.

10 Facts About HTTP Status Codes

HTTP (HyperText Transfer Protocol) was invented by Tim Berners-Lee in 1991 — the first version only had a single status code (200 OK).

The 404 Not Found status code is so culturally significant that April 4 (4/04) has been informally observed as "404 Day" by web developers globally.

HTTP 451 "Unavailable For Legal Reasons" was officially added to the HTTP standard in 2015 — named after Ray Bradbury's novel Fahrenheit 451 about censorship.

The 418 "I'm a Teapot" status code is an April Fools' joke from RFC 2324 (1998) — a protocol for brewing coffee. Some servers implement it for fun.

HTTP 429 "Too Many Requests" is one of the most commonly encountered codes by ASEAN developers building against Grab, Shopee, and payment gateway APIs.

Google's Googlebot treats 301 redirects and 308 redirects as permanent — both pass PageRank, but 308 preserves the original HTTP method (POST stays POST).

HTTP 502 "Bad Gateway" typically means a reverse proxy (like nginx or AWS CloudFront) couldn't get a valid response from the upstream server behind it.

The HTTP 2xx family covers 17 defined success codes in RFC 7231 — but only 200, 201, 204, and 206 are commonly used in REST API design.

Singapore's GovTech API design standards mandate that all public government APIs return RFC 7807 problem details alongside HTTP status codes for machine-readable errors.

HTTP/3, built on QUIC (UDP-based), became standardised in 2022 — it uses the same status code numbering as HTTP/1.1 and HTTP/2 for compatibility.

Frequently Asked Questions

A 404 Not Found means the server could not locate the requested resource. The URL may have been typed incorrectly, the page may have been deleted, or it may have been moved without a redirect being set up. For site owners, it is best practice to set up 301 redirects for moved pages and return 410 Gone for content that has been permanently removed.
Despite its name, 401 Unauthorized actually means unauthenticated — the server does not know who you are because no valid credentials were provided or they have expired. A 403 Forbidden means the server knows who you are (you are authenticated) but you do not have permission to access this resource. Re-authenticating will fix a 401 but not a 403.
A 502 Bad Gateway means a reverse proxy or gateway (such as nginx, Cloudflare, or AWS CloudFront) received an invalid or no response from the backend application server it was trying to contact. The proxy itself is working — the problem is with the upstream application server. Common causes include a crashed application server, a deployment in progress, or the backend returning a non-HTTP response.
For permanent URL changes, always use 301 Moved Permanently. Google and other search engines transfer PageRank (ranking signals and link equity) through 301 redirects to the new URL. A 302 Found is for temporary redirects — search engines keep the original URL in their index and do not transfer ranking signals. Using a 302 when you intend a permanent move is one of the most common technical SEO errors in website migrations.
HTTP 429 Too Many Requests means you have exceeded the API rate limit. The server may include a Retry-After header telling you how many seconds to wait. To handle it correctly: implement exponential backoff in your code (wait before retrying, doubling the delay each attempt), cache API responses where possible to reduce call frequency, and consider requesting a higher rate limit tier if your use case requires it.
A 500 Internal Server Error is a catch-all for unhandled server-side exceptions. Common causes include an unhandled exception in application code (PHP, Node.js, Python), a database connection failure, a missing environment variable or configuration, a file permission error, or memory limits being exceeded. Always check your server error logs — never expose stack traces in the 500 response itself in production. Enable detailed error logging to a file, not to the browser output.
A 404 Not Found is ambiguous — the resource might be temporarily unavailable or permanently gone. A 410 Gone explicitly tells clients and search engines that the resource has been intentionally and permanently removed and will not return. Google deindexes 410 pages faster than 404 pages. Use 410 for deliberately deleted content (discontinued products, expired offers, deleted user accounts) to accelerate deindexing and prevent crawl budget waste.
HTTP 422 Unprocessable Entity means the server understood the request and its format was valid (it could parse the JSON, for example), but the content failed semantic validation. This is the correct code for form validation failures — an email field containing an invalid email, a required field that is absent, or a value outside acceptable bounds. The response body should include a structured list of validation errors per field. In Laravel, this is the default response code for failed form request validation.
HTTP 451 Unavailable For Legal Reasons is used when access to content has been blocked due to a legal demand — such as a government order, court injunction, DMCA copyright takedown, or geo-blocking for legal compliance. It was officially added to the HTTP standard in 2015 and is named after Ray Bradbury's novel Fahrenheit 451 about censorship. The response should ideally include a reference to the legal demand in the response body.
There are several ways: (1) Chrome DevTools — open DevTools (F12), go to the Network tab, reload the page, and the Status column shows the code for every request. (2) curl — run curl -I https://example.com in any terminal to see only the response headers including the status code. (3) Postman or Insomnia — send any request and the status code is prominently displayed in the response panel. (4) Online tools — several web-based HTTP header checkers let you check any URL from a browser.

HTTP Status Code Reference