HTTP Status Codes Cheat Sheet

Q: What are the 5 types of HTTP status codes?

The five types of HTTP status codes are: 1xx (Informational) - the request was received and processing continues; 2xx (Success) - the request was successfully received, understood, and accepted; 3xx (Redirection) - further action is needed to complete the request; 4xx (Client Error) - the request contains bad syntax or cannot be fulfilled; 5xx (Server Error) - the server failed to fulfill a valid request. Each category serves a distinct purpose in the HTTP request-response cycle.

Q: What is the most common HTTP status code?

The most common HTTP status code is 200 OK, which indicates that the request has succeeded. For error codes, 404 Not Found is the most commonly encountered, occurring when a requested page or resource does not exist on the server. Other frequently seen codes include 301 Moved Permanently (for redirects), 500 Internal Server Error (for server-side failures), and 304 Not Modified (for cached resources).

Q: How many HTTP status codes are there?

There are approximately 63 officially defined HTTP status codes registered with IANA (Internet Assigned Numbers Authority), spanning the five categories from 1xx to 5xx. However, the HTTP specification reserves the entire range from 100-599, meaning servers can use unregistered codes. The most commonly used subset is around 20-30 codes that cover the vast majority of web interactions, including 200, 201, 204, 301, 302, 304, 400, 401, 403, 404, 500, 502, and 503.

Q: What is the difference between 401 and 403?

401 Unauthorized means the client has not provided valid authentication credentials - the user needs to log in or provide a valid API key. The server does not know who the client is. 403 Forbidden means the server knows who the client is (they may be authenticated) but they do not have permission to access the requested resource. In short: 401 = 'Who are you? Please authenticate.' 403 = 'I know who you are, but you are not allowed to access this.'

Q: What does HTTP status code 0 mean?

HTTP status code 0 is not an official HTTP status code defined in any RFC. It typically appears in client-side code (like JavaScript fetch or XMLHttpRequest) when the request never reached the server at all. Common causes include: CORS (Cross-Origin Resource Sharing) errors blocking the request, network connectivity issues, DNS resolution failures, the request being cancelled by the browser, or ad blockers/browser extensions intercepting the request. To debug a status 0 error, check the browser's developer console for CORS or network errors.

Q: What is the http-status-codes npm package?

The http-status-codes npm package is a popular Node.js library that provides constants and utility functions for HTTP status codes. Instead of using magic numbers like res.status(404), you can write res.status(StatusCodes.NOT_FOUND), making your code more readable and less error-prone. It includes enums for all standard status codes, reason phrases, and helper methods. Install it with 'npm install http-status-codes' and import like: import { StatusCodes, ReasonPhrases } from 'http-status-codes'.

📚 Complete HTTP Status Codes List

All standard HTTP response status codes organized by category. Codes with detailed guides link directly to their full reference page.

Code	Name	Description	Details
1xx — Informational
100	Continue	The server has received the request headers and the client should proceed to send the request body.
101	Switching Protocols	The server is switching protocols as requested by the client (e.g., upgrading to WebSocket).	Full guide →
102	Processing	The server has received the request and is still processing it (WebDAV). Prevents client timeout.
103	Early Hints	Used to preload resources with Link headers while the server prepares the final response.	Full guide →
2xx — Success
200	OK	The request succeeded. The meaning depends on the HTTP method: GET returns the resource, POST returns the result of the action.	Full guide →
201	Created	The request succeeded and a new resource was created. Typically returned after POST or PUT requests.	Full guide →
202	Accepted	The request has been accepted for processing, but processing has not been completed. Used for async operations.	Full guide →
203	Non-Authoritative Information	The response has been modified by a transforming proxy. The original server returned 200 OK.
204	No Content	The server successfully processed the request but returns no body. Common for DELETE operations and form submissions.	Full guide →
205	Reset Content	The server processed the request and the client should reset the document view (e.g., clear form fields).
206	Partial Content	The server is delivering only part of the resource due to a Range header sent by the client. Used for resumable downloads.	Full guide →
3xx — Redirection
300	Multiple Choices	The request has more than one possible response. The user or user agent should choose one of them.
301	Moved Permanently	The URL of the requested resource has been changed permanently. The new URL is given in the response. SEO value transfers.	Full guide →
302	Found	The resource is temporarily at a different URI. The client should continue to use the original URI for future requests.	Full guide →
303	See Other	The server directs the client to get the resource at another URI with a GET request. Often used after POST to prevent resubmission.	Full guide →
304	Not Modified	The resource has not been modified since the last request. The client can use its cached version. No body is sent.	Full guide →
307	Temporary Redirect	The resource is temporarily at a different URI. Unlike 302, the HTTP method must not change (POST stays POST).	Full guide →
308	Permanent Redirect	The resource has permanently moved. Unlike 301, the HTTP method must not change. POST stays POST.	Full guide →
4xx — Client Error
400	Bad Request	The server cannot process the request due to malformed syntax, invalid request framing, or deceptive routing.	Full guide →
401	Unauthorized	Authentication is required and has either failed or not been provided. The client must authenticate itself.	Full guide →
402	Payment Required	Reserved for future use. Some services use it to indicate that the resource requires payment or a subscription.
403	Forbidden	The server understood the request but refuses to authorize it. Unlike 401, re-authenticating will not help.	Full guide →
404	Not Found	The server cannot find the requested resource. This is the most common error on the web. The URL may be wrong or the page deleted.	Full guide →
405	Method Not Allowed	The request method is known by the server but is not supported for the target resource (e.g., DELETE on a read-only resource).	Full guide →
406	Not Acceptable	The server cannot produce a response matching the Accept headers sent by the client (content negotiation failure).
408	Request Timeout	The server timed out waiting for the request. The client took too long to send the complete request.	Full guide →
409	Conflict	The request conflicts with the current state of the server. Common with concurrent updates or duplicate entries.	Full guide →
410	Gone	The resource is permanently gone and will not be available again. Stronger signal than 404 for search engines to deindex.	Full guide →
411	Length Required	The server refuses the request because the Content-Length header is not defined and the server requires it.
413	Payload Too Large	The request body is larger than the server is willing or able to process. Adjust upload limits or compress the payload.	Full guide →
414	URI Too Long	The URI requested by the client is longer than the server is willing to interpret. Use POST with a body instead.
415	Unsupported Media Type	The server refuses the request because the payload format is not supported. Check the Content-Type header.	Full guide →
418	I'm a Teapot	An April Fools' joke from RFC 2324. The server refuses to brew coffee because it is a teapot. Sometimes used as an Easter egg.	Full guide →
422	Unprocessable Entity	The server understands the content type and syntax but cannot process the contained instructions (e.g., validation errors).	Full guide →
429	Too Many Requests	The user has sent too many requests in a given amount of time (rate limiting). Check the Retry-After header.	Full guide →
451	Unavailable For Legal Reasons	The resource is unavailable due to legal demands (e.g., government censorship, DMCA takedown, GDPR).	Full guide →
5xx — Server Error
500	Internal Server Error	The server encountered an unexpected condition that prevented it from fulfilling the request. Check server logs.	Full guide →
501	Not Implemented	The server does not support the functionality required to fulfill the request (e.g., unrecognized HTTP method).	Full guide →
502	Bad Gateway	The server acting as a gateway received an invalid response from an upstream server. Common with reverse proxies and load balancers.	Full guide →
503	Service Unavailable	The server is not ready to handle the request. Common during maintenance, overload, or deployment. Check Retry-After header.	Full guide →
504	Gateway Timeout	The gateway server did not receive a timely response from the upstream server. The upstream is too slow or unreachable.	Full guide →
511	Network Authentication Required	The client needs to authenticate to gain network access (e.g., captive portal at a hotel or airport Wi-Fi).	Full guide →

🌳 When to Use Which Status Code

Not sure which HTTP status code to return from your API? Use this decision tree to pick the right one.

Did the request succeed?

Yes, and returning data → 200 OK
Yes, and a new resource was created → 201 Created (include Location header)
Yes, but processing will happen later → 202 Accepted
Yes, but there is no body to return → 204 No Content

Does the resource exist elsewhere?

Moved permanently (update your bookmark) → 301 Moved Permanently
Temporarily at another URL → 302 Found or 307 Temporary Redirect
After POST, redirect to the result via GET → 303 See Other
Resource has not changed (caching) → 304 Not Modified

Is the problem with the client's request?

Malformed syntax or invalid parameters → 400 Bad Request
No valid credentials provided → 401 Unauthorized
Authenticated but lacks permission → 403 Forbidden
Resource does not exist → 404 Not Found
Wrong HTTP method for this endpoint → 405 Method Not Allowed
Duplicate entry or version conflict → 409 Conflict
Resource permanently deleted → 410 Gone
Valid syntax but fails validation (e.g., missing required field) → 422 Unprocessable Entity
Rate limit exceeded → 429 Too Many Requests

Is it a server-side problem?

Unexpected crash or unhandled exception → 500 Internal Server Error
Upstream server returned an invalid response → 502 Bad Gateway
Server is down for maintenance or overloaded → 503 Service Unavailable
Upstream server took too long to respond → 504 Gateway Timeout

🚀 Common REST API Response Patterns

Standard HTTP status codes to return for each REST API method. Following these conventions makes your API predictable and easier to consume.

GET

Retrieve a resource

200 Resource found and returned
304 Not modified (cached)
404 Resource not found
401 Not authenticated
403 Not authorized

POST

Create a new resource

201 Resource created
202 Accepted (async)
400 Invalid request body
409 Duplicate / conflict
422 Validation failed

PUT / PATCH

Update a resource

200 Updated, returning body
204 Updated, no body
400 Invalid request
404 Resource not found
409 Version conflict
422 Validation failed

DELETE

Remove a resource

204 Deleted successfully
200 Deleted, returning body
404 Resource not found
401 Not authenticated
403 Not authorized

Frequently Asked Questions

Common questions about HTTP status codes, answered for developers and non-developers alike.

What are the 5 types of HTTP status codes? +

The five categories of HTTP status codes are:

1xx Informational — The request was received and the server is continuing to process it. Examples: 101 Switching Protocols, 103 Early Hints.
2xx Success — The request was successfully received, understood, and accepted. Examples: 200 OK, 201 Created, 204 No Content.
3xx Redirection — Further action is needed to complete the request. Examples: 301 Moved Permanently, 302 Found, 304 Not Modified.
4xx Client Error — The request contains bad syntax or cannot be fulfilled. Examples: 400 Bad Request, 401 Unauthorized, 404 Not Found.
5xx Server Error — The server failed to fulfill a valid request. Examples: 500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable.

What is the most common HTTP status code? +

The most common HTTP status code is 200 OK, which is returned for every successful page load, API response, and resource fetch. It makes up the vast majority of HTTP responses on the internet.

For error responses, 404 Not Found is the most commonly encountered, appearing when a page has been deleted, moved without a redirect, or a URL was mistyped. Other frequently seen codes include 301 Moved Permanently (redirects), 304 Not Modified (caching), and 500 Internal Server Error (server failures).

How many HTTP status codes are there? +

There are approximately 63 officially registered HTTP status codes maintained by IANA (the Internet Assigned Numbers Authority), spanning five categories from 1xx to 5xx. However, the HTTP specification reserves the entire range from 100 to 599, which means servers can technically use any number in that range.

In practice, most web applications use only 20–30 of these codes. The most critical ones to know are: 200, 201, 204, 301, 302, 304, 400, 401, 403, 404, 422, 429, 500, 502, and 503.

What is the difference between 401 and 403? +

401 Unauthorized means the client has not provided valid authentication credentials. The server does not know who the client is. The response includes a WWW-Authenticate header telling the client how to authenticate. Think of it as: "Who are you? Please log in."

403 Forbidden means the server knows who the client is (they may already be authenticated) but they do not have permission to access the requested resource. Re-authenticating will not help. Think of it as: "I know who you are, but you are not allowed here."

Quick rule: Use 401 when there are no credentials or they are invalid. Use 403 when the user is authenticated but lacks authorization for the specific resource.

What does HTTP status code 0 mean? +

HTTP status code 0 is not an official HTTP status code defined in any RFC. It appears in client-side code (JavaScript fetch, XMLHttpRequest, or tools like cURL) when the request never reached the server at all.

Common causes include:
• CORS errors — The browser blocked the cross-origin request
• Network failure — No internet connection or DNS resolution failed
• Request aborted — The request was cancelled by the user or code
• Ad blockers / extensions — Browser extensions intercepted the request
• Mixed content — HTTPS page trying to load HTTP resource

To debug, open the browser developer console (F12) and check the Network tab and Console tab for CORS or network error messages.

What is the http-status-codes npm package? +

The http-status-codes npm package is a popular Node.js library that provides named constants for all HTTP status codes, replacing magic numbers in your code. Instead of writing res.status(404), you write res.status(StatusCodes.NOT_FOUND), making code more readable and less error-prone.

Install it with: npm install http-status-codes

Usage example:
import { StatusCodes, ReasonPhrases } from 'http-status-codes';
res.status(StatusCodes.NOT_FOUND).json({ error: ReasonPhrases.NOT_FOUND });

The package includes enums for all standard status codes, human-readable reason phrases, and helper methods like getReasonPhrase(404) which returns "Not Found". It has zero dependencies and is widely used in Express.js and NestJS projects.