HTTP status codes are three-digit numbers that servers return to indicate the result of a client’s request. They are defined in the HTTP specification and grouped into five classes by the first digit, each representing a different type of response.
How HTTP Status Codes Work
When a client sends an HTTP request to a server, the server processes it and returns a response with a status code and an optional message body. The status code tells the client whether the request succeeded, failed, or needs additional action.
Client                           Server
  │                                │
  ├────── HTTP Request ──────────►│
  │                                ├── Process request
  │                                │
  │◄───── HTTP Response ──────────┤
  │       200 OK                   │
  │       404 Not Found            │
  │       500 Internal Error       │
Status Code Classes
| Class | Range | Meaning | Example |
|---|---|---|---|
| 1xx | 100-199 | Informational | 101 Switching Protocols |
| 2xx | 200-299 | Successful | 200 OK |
| 3xx | 300-399 | Redirection | 301 Moved Permanently |
| 4xx | 400-499 | Client Error | 404 Not Found |
| 5xx | 500-599 | Server Error | 500 Internal Server Error |
Best for: understanding response category, quick triage, first-line debugging.
Common Status Codes
| Code | Name | Meaning |
|---|---|---|
| 200 | OK | Request succeeded |
| 201 | Created | Resource created successfully |
| 301 | Moved Permanently | Resource has new permanent URL |
| 400 | Bad Request | Malformed request syntax |
| 401 | Unauthorized | Authentication required |
| 403 | Forbidden | Authenticated but not allowed |
| 404 | Not Found | Resource does not exist |
| 429 | Too Many Requests | Rate limit exceeded |
| 500 | Internal Server Error | Server encountered unexpected condition |
| 502 | Bad Gateway | Upstream server returned invalid response |
| 503 | Service Unavailable | Server temporarily overloaded or down |
| 504 | Gateway Timeout | Upstream server did not respond in time |
When to Use HTTP Status Codes
Use standard HTTP status codes when you need to:
- Indicate request success or failure clearly
- Enable automated handling by clients and proxies
- Follow REST API conventions
- Integrate with monitoring and alerting tools
- Maintain compatibility with HTTP clients and libraries
When Not to Use HTTP Status Codes
Do not rely solely on status codes when you need to:
- Convey detailed error context (use response body instead)
- Support non-HTTP protocols (gRPC, WebSocket)
- Communicate application-specific error semantics without a body
Signals You Need to Understand HTTP Status Codes
- API integrations return unexpected errors
- Monitoring dashboards show 4xx or 5xx spikes
- Users report broken pages or failed transactions
- Debugging network requests in browser DevTools
- Configuring load balancer health checks
Status Code Reference
1xx Informational:
- 100 Continue: Server received headers, client should send body
- 101 Switching Protocols: Upgrading to WebSocket or other protocol
- 102 Processing: Server is processing but no response yet (WebDAV)
2xx Successful:
- 200 OK: Standard success response
- 201 Created: New resource created (POST)
- 202 Accepted: Request accepted for async processing
- 204 No Content: Success but no response body
- 206 Partial Content: Range request fulfilled partially
3xx Redirection:
- 301 Moved Permanently: Resource moved, update future requests
- 302 Found: Temporary redirect
- 304 Not Modified: Cached version is still valid
- 307 Temporary Redirect: Same method, temporary redirect
- 308 Permanent Redirect: Same method, permanent redirect
4xx Client Error:
- 400 Bad Request: Invalid syntax or parameters
- 401 Unauthorized: Missing or invalid credentials
- 403 Forbidden: Valid credentials but insufficient permissions
- 404 Not Found: Resource does not exist at this URL
- 405 Method Not Allowed: Wrong HTTP method for this endpoint
- 408 Request Timeout: Client did not produce request in time
- 409 Conflict: Request conflicts with current state
- 410 Gone: Resource permanently deleted
- 422 Unprocessable Entity: Semantic validation failed
- 429 Too Many Requests: Rate limit exceeded
5xx Server Error:
- 500 Internal Server Error: Generic server failure
- 501 Not Implemented: Server does not support requested functionality
- 502 Bad Gateway: Upstream server returned invalid response
- 503 Service Unavailable: Server temporarily cannot handle request
- 504 Gateway Timeout: Upstream did not respond in time
Metrics and Measurement
- 4xx rate: Percentage of requests with client errors (target: <5% of total)
- 5xx rate: Percentage of requests with server errors (target: <0.1% of total)
- Time to first status: Time until a status code is returned (target: <200ms p95)
Industry benchmarks:
- Average 4xx rate on the web: 3-7% of all requests (HTTP Archive, 2025)
- Average 5xx rate on the web: 0.5-2% of all requests (HTTP Archive, 2025)
- 404 is the most common 4xx code, accounting for 80%+ of client errors (HTTP Archive, 2025)
Common Mistakes and Fixes
Mistake: Returning 500 for client input validation errors
Fix: Use 400 Bad Request or 422 Unprocessable Entity for invalid client input

Mistake: Using 200 OK for errors and relying on response body alone
Fix: Always use the correct status code class. Status codes are machine-readable; bodies are not.

Mistake: Exposing stack traces in 500 error responses
Fix: Return a generic error message in production and log the details server-side

Mistake: Not distinguishing between 401 and 403
Fix: 401 means “not authenticated.” 403 means “authenticated but not authorized.”
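The four fixes above in one request handler, as an added example (not code from Azion or from this page's sources). The token table, the `backend_delete` stand-in and the `incident` field are hypothetical names chosen for illustration.

```python
import json
import logging
import uuid

log = logging.getLogger("api")
TOKENS = {"tok-alice": "admin", "tok-bob": "viewer"}  # constructed sample credentials

class ApiError(Exception):
    """An error the client is allowed to see, with its status code."""
    def __init__(self, status, message, headers=None):
        super().__init__(message)
        self.status, self.message, self.headers = status, message, headers or {}

def backend_delete(item_id):
    # Hypothetical stand-in for a database call; id 99 simulates an internal failure.
    if item_id == 99:
        raise RuntimeError("db connect failed: user=svc host=db.internal.example")
    return {"deleted": item_id}

def delete_item(token, raw_body):
    role = TOKENS.get(token)
    if role is None:  # missing or invalid credentials -> 401 plus a challenge
        raise ApiError(401, "authentication required", {"WWW-Authenticate": "Bearer"})
    if role != "admin":  # valid credentials, insufficient permissions -> 403
        raise ApiError(403, "not allowed")
    try:
        data = json.loads(raw_body)
    except json.JSONDecodeError:
        raise ApiError(400, "malformed JSON") from None
    if not isinstance(data, dict) or "id" not in data:
        raise ApiError(400, "missing required field: id")
    if not isinstance(data["id"], int) or data["id"] <= 0:
        raise ApiError(422, "id must be a positive integer")  # valid syntax, bad content
    return backend_delete(data["id"])

def respond(token, raw_body):
    """Return (status, headers, body) for one request."""
    try:
        return 200, {}, json.dumps(delete_item(token, raw_body))
    except ApiError as err:
        return err.status, err.headers, json.dumps({"error": err.message})
    except Exception:
        incident = uuid.uuid4().hex  # lets support match the response to the log entry
        log.exception("unhandled error incident=%s", incident)  # details stay server-side
        return 500, {}, json.dumps({"error": "internal error", "incident": incident})
```

The 500 branch is the only place that sees the exception text, and it writes it to the log rather than the response body.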
HTTP Status Codes Use Cases
Web Applications
Browsers interpret status codes to render error pages, follow redirects, and cache resources. A 301 triggers automatic URL updates. A 404 shows a user-friendly error page.
REST APIs
APIs use status codes to communicate success (200, 201), client mistakes (400, 404), and server problems (500, 503). Clients use the status code to determine how to handle the response.
CDN and Reverse Proxies
CDNs interpret 3xx codes to follow redirects, cache 200/301 responses, and bypass cache for 4xx/5xx. They generate 502/504 when the origin is unreachable.
Load Balancers
Health checks expect 200 OK to mark a server healthy. Any 4xx or 5xx response causes the server to be removed from rotation.
Frequently Asked Questions
What is the difference between 401 and 403?
401 Unauthorized means the client has not provided valid credentials. 403 Forbidden means the client is authenticated but lacks permission for the resource.

When should I use 400 vs 422?
Use 400 for malformed syntax (invalid JSON, missing required fields). Use 422 when the syntax is valid but the content violates business rules.

How does a browser handle a 301 redirect?
The browser automatically follows the new URL provided in the Location header and updates bookmarks and cached links to the new address.

Is 429 always about rate limiting?
429 Too Many Requests is specifically for rate limiting. The response should include a Retry-After header indicating when the client can retry.

What happens if I get a 502 error?
The server acting as a gateway or proxy received an invalid response from an upstream server. This typically indicates the upstream server is down or misconfigured.

Can a status code be non-standard?
Yes. Custom status codes can be used, but they must be in the 1xx-5xx range. Clients may not handle them correctly unless documented.

What is the difference between 302 and 307?
302 allows the browser to change the request method (e.g., POST to GET). 307 preserves the original method and body. Both are temporary redirects.

Why do I see status code 0 in browser DevTools?
Status code 0 means the browser never received a response. This typically indicates a network error, CORS failure, or the request was cancelled.

How do I debug a 500 error?
Check server logs for stack traces, verify recent deployments, examine request payload for edge cases, and test the endpoint in isolation.

What is a 304 Not Modified response?
The server tells the client that the cached version of the resource is still valid. The client uses its local cache instead of downloading again.
How This Applies in Practice
HTTP status codes are the universal language of web communication. Every request your browser, mobile app, or API client makes receives one. Understanding them means you can diagnose problems without opening a single log file — the status code alone often tells you whether the issue is on your side (4xx) or the server’s (5xx).
Teams configure monitoring alerts around status codes: a spike in 5xx errors triggers an immediate response, while elevated 4xx rates may indicate a client-side bug or a misconfigured integration.
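One way to turn the 4xx and 5xx rate targets from the metrics section into the kind of alert described above, as an added example (not part of the original page or of any Azion product). The log lines are constructed samples in Common Log Format, and the `min_requests` floor is an assumption added to keep tiny windows from alerting.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Common Log Format (not real traffic).
SAMPLE = """\
203.0.113.7 - - [12/Mar/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2025:10:00:09 +0000] "GET /missing HTTP/1.1" 404 153
198.51.100.2 - - [12/Mar/2025:10:00:30 +0000] "POST /api/orders HTTP/1.1" 201 88
198.51.100.2 - - [12/Mar/2025:10:00:41 +0000] "GET /api/orders/1 HTTP/1.1" 200 240
203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "GET /api/orders HTTP/1.1" 502 0
198.51.100.2 - - [12/Mar/2025:10:01:05 +0000] "GET /api/orders HTTP/1.1" 504 0
198.51.100.2 - - [12/Mar/2025:10:01:20 +0000] "GET / HTTP/1.1" 200 512
this line is truncated and must not crash the parser
"""

# Captures the timestamp down to the minute and the three-digit status code.
LINE = re.compile(
    r'\[(?P<minute>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}):\d{2} [^\]]+\] '
    r'"[^"]*" (?P<status>[1-5]\d{2})\b'
)

def rates_by_minute(text):
    """Return {minute: (total, pct_4xx, pct_5xx)}; unparseable lines are skipped."""
    buckets = defaultdict(Counter)
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            buckets[m["minute"]][m["status"][0] + "xx"] += 1
    out = {}
    for minute, counts in buckets.items():
        total = sum(counts.values())
        out[minute] = (total, 100 * counts["4xx"] / total, 100 * counts["5xx"] / total)
    return out

def alerts(text, max_4xx=5.0, max_5xx=0.1, min_requests=3):
    """List (minute, class, percent) for windows above the targets."""
    hits = []
    # String sort is enough here because all sample lines share one date.
    for minute, (total, p4, p5) in sorted(rates_by_minute(text).items()):
        if total < min_requests:
            continue
        if p5 > max_5xx:
            hits.append((minute, "5xx", round(p5, 1)))
        if p4 > max_4xx:
            hits.append((minute, "4xx", round(p4, 1)))
    return hits
```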
How to Implement on Azion
Azion enables you to monitor, log, and respond to HTTP status codes at the edge:
- Monitor Status Codes: Use Azion Metrics to track 2xx, 4xx, and 5xx rates for all applications
- Set Alerts: Configure alerts for 5xx rate thresholds to detect origin problems early
- Custom Error Pages: Use Azion’s error response configuration to return custom content for 4xx and 5xx responses
- Log Analysis: Export request logs with status codes to your analytics platform via Azion Data Streaming
Learn more in the Azion Documentation.
Sources:
- IETF. “HTTP Semantics.” RFC 9110. 2022.
- IETF. “HTTP Caching.” RFC 9111. 2022.
- IETF. “HTTP Status Codes.” RFC 9110, Section 15. 2022.
- HTTP Archive. “Web Almanac: HTTP.” 2025.
- MDN Web Docs. “HTTP response status codes.” 2026.