HTTP Status Codes

HTTP Status Code Reference — search every IANA code with retry guidance.

1xx

Informational

4 codes

1001xx

Continue

The initial part of a request has been received and the client should continue sending the rest of the request body, or ignore the response if the request is already complete.

1011xx

Switching Protocols

The server is switching to the protocol requested in the client's `Upgrade` header, most commonly used to upgrade an HTTP connection to a WebSocket.

1021xx

Processing

An interim status telling the client the server has accepted the request and is still processing it. Deprecated in RFC 4918 but some WebDAV servers still emit it.

1031xx

Early Hints

The server is sending link preload hints before the final response so the client can start fetching CSS, fonts, or scripts in parallel.

2xx

Success

10 codes

2002xx

OK

The request succeeded. The meaning of the response body depends on the request method (GET returns the representation, POST returns the action result, etc.).

2012xx

Created

The request succeeded and a new resource was created as a result. The response typically includes a `Location` header pointing to the new resource.

2022xx

Accepted

The request has been accepted for processing, but processing has not completed. Useful for queued or asynchronous jobs where the client should poll a status URL.

2032xx

Non-Authoritative Information

The response is a modified version of the origin's 200 OK, returned by a transforming proxy. The payload is still a valid representation but may differ from the origin.

2042xx

No Content

The server successfully processed the request and is intentionally returning no body. Typical for DELETE and for PUT updates that do not need to echo the resource.

2052xx

Reset Content

Tells the client to reset the document view that caused the request — typically clearing a form so another entry can be made.

2062xx

Partial Content

The server is delivering only part of the resource in response to a `Range` header. Used for resumable downloads, video scrubbing, and parallel fetches.

2072xx

Multi-Status

WebDAV bulk response: the body is an XML document with per-resource status codes because the outer request affected multiple resources that may have failed independently.

2082xx

Already Reported

Inside a DAV Multi-Status (207), signals that members of a binding have already been enumerated in a previous part of the response and will not be repeated.

2262xx

IM Used

The server has fulfilled a GET request and the response is a representation of the result of applying one or more instance-manipulations to the current instance.

3xx

Redirection

9 codes

3003xx

Multiple Choices

The requested resource has more than one representation, each with its own URI. The client (or user) should pick one from the list the server provides.

3013xx

Moved Permanently

The target resource has been permanently relocated to a new URI given in the `Location` header. Clients and search engines should update bookmarks and indexes.

3023xx

Found

The target resource is temporarily at a different URI. The client should follow the `Location` header for this request but keep using the original URI for future requests.

3033xx

See Other

After a POST or PUT, instructs the client to fetch a different resource with GET — the classic Post/Redirect/Get pattern that prevents duplicate form submissions on refresh.

3043xx

Not Modified

The client's cached copy is still fresh — no body is returned. Triggered by conditional requests using `If-None-Match` (ETag) or `If-Modified-Since`.

3053xx

Use Proxy

Historically asked the client to repeat the request through the proxy named in `Location`. Deprecated due to security concerns and never fully supported by browsers.

3063xx

(Unused)

Reserved — originally defined as `Switch Proxy` in a prior HTTP draft and never standardised. Clients should treat it as an unknown 3xx.

3073xx

Temporary Redirect

Identical to 302 Found except the method must not change — a POST stays a POST when the client follows the `Location`. Use instead of 302 when method preservation matters.

3083xx

Permanent Redirect

Like 301 but preserves the request method. Safer than 301 for APIs because the client cannot silently downgrade a POST to a GET.

4xx

Client Error

40 codes

4004xx

Bad Request

The server cannot process the request due to malformed syntax, invalid framing, or deceptive routing. The client must revise the request before retrying.

4014xx

Unauthorized

Authentication is required and has failed or not been provided. Semantically misnamed — it means unauthenticated, not lacking permission. Must include a `WWW-Authenticate` header.

4024xx

Payment Required

Reserved for future use. A handful of APIs (Stripe, GitHub, Shopify) use it to signal that a subscription or quota has lapsed.

4034xx

Forbidden

The server understood the request but refuses to authorize it. Unlike 401, providing credentials will not help — the identity is known but lacks permission.

4044xx

Not Found

The server cannot find the requested resource. Says nothing about whether the resource exists permanently — just that it is not there now.

4054xx

Method Not Allowed

The HTTP method is not supported for the target resource. Response must include an `Allow` header listing the supported methods.

4064xx

Not Acceptable

The server cannot produce a response matching the list of acceptable media types, languages, or encodings the client offered in its `Accept*` headers.

4074xx

Proxy Authentication Required

The client must first authenticate itself with the proxy. Similar to 401 but for proxy credentials, delivered via the `Proxy-Authenticate` header.

4084xx

Request Timeout

The server timed out waiting for the full request. The connection may be closed; the client can retry the same request on a new connection.

4094xx

Conflict

The request conflicts with the current state of the target resource — typical for concurrent edits, unique-constraint violations, or version mismatches.

4104xx

Gone

The resource is intentionally no longer available and will not come back. Stronger than 404 — tells caches and search engines to stop asking.

4114xx

Length Required

The server refuses the request because it lacks a `Content-Length` header. Relevant for HTTP/1.1 write endpoints that don't support chunked encoding.

4124xx

Precondition Failed

One or more conditional headers (`If-Match`, `If-None-Match`, `If-Unmodified-Since`) evaluated to false on the server, so the request is refused.

4134xx

Content Too Large

The request body exceeds the server's accepted limit. Formerly called `Payload Too Large`. The server may include a `Retry-After` if the limit is temporary.

4144xx

URI Too Long

The request target (URI) is longer than the server will process. Typical limits are 2–8 KB on the whole request line.

4154xx

Unsupported Media Type

The server refuses the request because the body's `Content-Type` is not supported by the endpoint.

4164xx

Range Not Satisfiable

The byte range in the client's `Range` header lies outside the resource's current size.

4174xx

Expectation Failed

The server cannot meet the requirements of the client's `Expect` header (typically `Expect: 100-continue`).

4184xx

I'm a Teapot

Defined by the Hyper Text Coffee Pot Control Protocol as the response from a teapot asked to brew coffee. Preserved in real servers as an Easter egg and sometimes used by WAFs to mark bots.

4194xx

Page Expired

Non-standard code used by the Laravel framework when a session or CSRF token has expired and the form must be resubmitted.

4204xx

Enhance Your Calm

Non-standard Twitter-era rate-limit indicator, replaced in modern systems by 429 Too Many Requests.

4214xx

Misdirected Request

The server is not configured to produce responses for the requested scheme + authority combination — common on HTTP/2 when a connection is reused for a different host.

4224xx

Unprocessable Content

The request is syntactically correct but semantically invalid — the server understood the body but cannot act on it.

4234xx

Locked

The target resource is locked by another client and cannot be modified until the lock is released or the correct lock token is supplied.

4244xx

Failed Dependency

The request failed because it depended on another request that also failed (typically inside a multi-operation WebDAV command).

4254xx

Too Early

The server is unwilling to risk processing a request that might be replayed — typically for early-data (0-RTT) requests on TLS 1.3.

4264xx

Upgrade Required

The server refuses the request using the current protocol and names the required version in the `Upgrade` header.

4284xx

Precondition Required

The origin requires the request to be conditional (e.g. carry an `If-Match` header) to prevent the 'lost update' problem.

4294xx

Too Many Requests

The client has sent too many requests in a given amount of time. The response typically includes a `Retry-After` header indicating when it is safe to try again.

4314xx

Request Header Fields Too Large

The server refuses the request because the total size of the headers (or one individual header) is too large.

4404xx

Login Time-out

IIS-specific code indicating the client's session has expired and they must sign in again.

4444xx

No Response

nginx-specific: the server closes the connection without sending any response. Used to silently drop abusive clients.

4494xx

Retry With

Legacy Microsoft code asking the client to repeat the request with additional information supplied alongside the 449 response.

4514xx

Unavailable For Legal Reasons

The resource is unavailable due to a legal demand — a court order, censorship, or takedown notice. The number is a nod to Ray Bradbury's Fahrenheit 451.

4944xx

Request Header Too Large

nginx-specific variant of 431 emitted when an individual header exceeds the `large_client_header_buffers` limit.

4954xx

SSL Certificate Error

nginx-specific: the client presented an untrusted or invalid TLS certificate during mutual TLS authentication.

4964xx

SSL Certificate Required

nginx-specific: the endpoint requires a client certificate but none was provided.

4974xx

HTTP Request Sent to HTTPS Port

nginx-specific: the client spoke plaintext HTTP to a port that is only configured for HTTPS.

4984xx

Invalid Token

Non-standard code used by Esri's ArcGIS platform to indicate an expired or malformed API token.

4994xx

Client Closed Request

nginx-specific: the client closed the connection before the server finished producing the response. Treated as a 4xx because the cause is on the client side.

5xx

Server Error

18 codes

5005xx

Internal Server Error

A generic server-side failure — the origin encountered an unexpected condition that prevented it from completing the request.

5015xx

Not Implemented

The server does not support the functionality required to fulfil the request. Retrying will not help until the server is updated.

5025xx

Bad Gateway

A gateway or proxy received an invalid response from the upstream server. Transient on most platforms — retry with backoff often succeeds.

5035xx

Service Unavailable

The server is temporarily unable to handle the request — overloaded, under maintenance, or shutting down. Usually accompanied by a `Retry-After` header.

5045xx

Gateway Timeout

A gateway or proxy timed out waiting for a response from the upstream server. Transient — retry with backoff.

5055xx

HTTP Version Not Supported

The server refuses to support the major HTTP version the client used in the request.

5065xx

Variant Also Negotiates

Transparent-negotiation misconfiguration: the chosen variant itself engages in content negotiation and cannot be a valid endpoint.

5075xx

Insufficient Storage

The server can't store the representation needed to complete the request — it has run out of disk or quota.

5085xx

Loop Detected

The server terminated an operation because it detected an infinite loop while processing a WebDAV request with Depth: infinity.

5105xx

Not Extended

Further extensions to the request are required for the server to fulfil it — the client must send a revised request.

5115xx

Network Authentication Required

The client must authenticate to gain network access — typical of captive portals on Wi-Fi hotspots that intercept traffic until the user logs in.

5205xx

Web Server Returned an Unknown Error

Cloudflare edge received an empty, unknown, or unexpected response from the origin.

5215xx

Web Server Is Down

Cloudflare cannot reach the origin server — the TCP connection was refused or reset.

5225xx

Connection Timed Out

Cloudflare timed out establishing a TCP connection to the origin.

5235xx

Origin Is Unreachable

Cloudflare cannot contact the origin server at all — DNS failure, routing issue, or IP unreachable.

5245xx

A Timeout Occurred

Cloudflare established a connection but the origin failed to return a complete HTTP response within 100 seconds.

5255xx

SSL Handshake Failed

Cloudflare and the origin could not agree on a TLS cipher suite or certificate during the handshake.

5265xx

Invalid SSL Certificate

Cloudflare cannot validate the origin's TLS certificate — typical when the cert is self-signed or issued by an untrusted CA and Full (strict) mode is on.

Loading tool…

How to use HTTP Status Codes

Type a numeric status code (e.g. 418) or a keyword (teapot, forbidden, rate limit) into the search box.
A single match expands into a detail card showing the RFC reference, common causes, and retry guidance.
Use the category tabs (1xx / 2xx / 3xx / 4xx / 5xx) to filter the grid to a single family.
Click the copy icon on any card to copy the "<code> <name>" string to your clipboard for pasting into a ticket or code comment.
Click Share to get a URL that restores the exact search and filter combination — useful for linking colleagues to a specific code.
Clear the search box to see every code grouped by category with color bands.

HTTP Status Codes — Full Reference

A searchable, color-coded reference for every HTTP status code in the IANA registry — informational, success, redirection, client error, and server error — plus the commonly encountered non-standard codes from nginx, Cloudflare, Laravel, IIS, Twitter, and Esri ArcGIS. Every code ships with its RFC reference, a plain-English description, common real-world causes, and retry guidance so you can decide whether to back off, surface the error to the user, or fix the request.

Why a dedicated HTTP status reference

Most online HTTP status lists are autogenerated tables of "404 Not Found — the resource could not be found". That is not a reference; it is a tautology. When you are on-call debugging a production incident at two in the morning, the questions you actually need answered are different: Is this error retryable? Why did the upstream proxy emit it instead of the origin? Does this code mean my idempotency key is being ignored, or that my credentials are wrong? The IANA registry page itself is a flat table with two columns and zero guidance. The RFCs have the guidance but are 200-page documents you cannot grep quickly.

This tool is the in-between layer. Every code carries a one- or two-sentence description, three to four of the most common real-world causes (based on the actual text of the defining RFC plus the vendor docs for nginx, Cloudflare, and the major cloud load balancers), and an explicit retryable / idempotent-safe flag so you can wire an HTTP client's retry policy straight from the card. The color-band grouping mirrors the mental model most engineers use — green for success, yellow for redirection, red for client error, dark red for server error — and the search box accepts either a numeric code or a keyword so you can jump straight from "rate limit" to 429 without scrolling.

What it does

Inlined IANA registry. All 63+ codes from the IANA HTTP Status Code Registry (RFC 9110, RFC 7540, RFC 6585, RFC 8297, WebDAV) are included, plus the commonly encountered non-standard codes (418, 419, 420, 440, 444, 451, 494–499, 520–526).
Search by code or keyword. Type a number (418), a reason phrase (Not Found), a fragment (teapot, forbidden, rate limit), or a category shortcut (4xx). The search runs against names, descriptions, and common causes.
Detail card for exact matches. Single-match queries expand into a large card that shows the code, name, RFC reference, full description, common-cause bullets, retry guidance, and idempotency flag.
Filterable grid. Category tabs (All / 1xx / 2xx / 3xx / 4xx / 5xx) narrow the grid to a single family. Color bands on every card match the category for at-a-glance scanning.
Per-card copy button. One click copies the "<code> <name>" string so you can paste it into an incident ticket, a PR description, or a log-filter query.
Shareable URLs. The query and category filter round-trip through the URL fragment (#s=…) so you can bookmark a filtered view or send it to a colleague. Nothing is sent to the server — fragments are client-only by design.

Retry semantics — the short version

HTTP codes fall into three retry buckets:

Retry with backoff: 408, 425, 429, 500, 502, 503, 504 — and the Cloudflare 5xx family (520, 521, 522, 523, 524). These signal a transient failure where the next attempt may succeed. Use exponential backoff with full jitter. Honour Retry-After if it is set.
Do not retry, fix the request: 400, 401, 403, 404, 405, 409, 413, 414, 415, 422, 431. The request itself is wrong — retrying the identical bytes will fail the identical way.
Retry only for idempotent methods: 501 Not Implemented and 507 Insufficient Storage. A subsequent request may succeed after the server is updated or quota is freed, but replaying a non-idempotent POST is unsafe.

Each card in the tool flags the retry bucket explicitly, plus a second flag for idempotent-safe retry so you can build a client-side policy that never retries a non-idempotent POST on a 5xx by accident.

What's not supported (yet)

HTTP/2 and HTTP/3 stream errors. Codes like REFUSED_STREAM or ENHANCE_YOUR_CALM are frame-level, not status-level — they deserve a separate tool when HTTP/3 becomes widespread enough to matter in day-to-day debugging.
Vendor-specific extended codes beyond the common set. Apache mod_security returns 406/418 with custom reason phrases; Azure Front Door invents 5xx sub-codes. The tool only ships the codes that appear in real production traffic across multiple vendors.
History / changelog. RFC 9110 deprecated a handful of phrases (413 is now "Content Too Large", not "Payload Too Large"). The tool ships current names only; if you need the historical phrase, check the RFC.

If you want to go deeper on a related area, the URL Encoder / Decoder handles query-string-level debugging, the JWT Decoder handles the Bearer-token side of 401 investigations, and the JSON Formatter handles the error bodies most 4xx responses carry.

Privacy and trust

Everything in this tool is client-side. The status registry is a TypeScript constant compiled into the page bundle; search runs against that constant in memory; no API call fires when you type. The share button encodes state into the URL fragment (#…), which browsers never transmit to servers. The repository is open source, the implementation is a single file of ~700 lines, and the component uses the same shared primitives (CopyButton, ShareButton, Badge) as every other tool on the site — no new third-party packages were added to ship this feature.

Frequently asked questions

What is the difference between HTTP 401 and 403?

401 Unauthorized means the request lacks valid authentication — the server does not yet know who you are, so sending (or refreshing) credentials may fix it. 403 Forbidden means the server has identified the caller but refuses to grant access — the identity is known but the permission is not. A good rule of thumb is "401 = log in, 403 = you are logged in but not allowed". The 401 response must also include a `WWW-Authenticate` header naming the scheme (Bearer, Basic, Digest), while a 403 response does not.

When should I retry a failed HTTP request?

Retry on transient codes — 408 Request Timeout, 425 Too Early, 429 Too Many Requests, 500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable, and 504 Gateway Timeout — using exponential backoff with jitter. Honour the `Retry-After` header if the server sends one. Do not retry on 4xx codes that signal a client mistake (400, 401, 403, 404, 409, 422) because the same request will fail the same way. For non-idempotent methods like POST, retry only if you can guarantee exactly-once semantics (idempotency keys) or if your 5xx retry policy is explicitly scoped to safe methods.

Is HTTP 418 I'm a Teapot a real code?

Yes and no. It was formally defined by RFC 2324 as part of the Hyper Text Coffee Pot Control Protocol (HTCPCP), an April Fools' specification published in 1998. Although the RFC is a joke, the code is preserved in the IANA HTTP Status Code Registry as a reserved "unused" code and has been implemented as an Easter egg in servers like Google's, Node.js, and Spring. Some WAF vendors (notably Cloudflare) repurpose 418 to indicate traffic they have classified as malicious or bot-driven, which is why you may occasionally see a genuine 418 from a hardened edge in front of a production origin.

What is the difference between 301 and 308 (or 302 and 307)?

All four are redirect codes. 301 (Moved Permanently) and 302 (Found, temporary) predate a strict spec on method preservation, so many clients silently turn a POST redirect into a GET. 307 (Temporary Redirect) and 308 (Permanent Redirect) were introduced later to forbid that downgrade — a POST stays a POST when the client follows the `Location` header. For API endpoints you almost always want 307 or 308 because they preserve both the method and the request body. Use 301/308 when the URL has moved for good, 302/307 when the move is temporary (maintenance, A/B routing, regional failover).

How do I implement rate limiting with HTTP 429?

Respond with 429 Too Many Requests once the client exceeds the configured rate, and include a `Retry-After` header telling the client how many seconds (or a future HTTP-date) to wait before trying again. Include explicit rate headers like `X-RateLimit-Limit`, `X-RateLimit-Remaining`, and `X-RateLimit-Reset` so well-behaved clients can pace themselves. On the server, implement a token-bucket or leaky-bucket counter keyed by API key, IP, or user ID; sliding windows are more accurate than fixed windows but cost more memory. Clients should back off exponentially with jitter on 429, never retrying faster than the `Retry-After` value.

Does this tool send my search queries anywhere?

No. The entire HTTP status code reference is inlined in the page bundle as a TypeScript constant, and every search runs against that in-memory dataset. There is no API call when you type, no analytics on your queries, and no outbound request when you click a result. The share button encodes your query and category filter into the URL fragment (#…), which browsers never transmit to servers by design, so even a shared link keeps everything client-side.