HTTP status code reference — meanings, causes, and fixes for APIs, SEO, and ops

The server received the request headers and is ready for the client to send the request body.

Typical causes

Expect: 100-continue handshakes on large uploads; some proxies or APIs require an initial header round-trip.

What to do next

If you did not intend chunked or expect-continue behavior, remove Expect headers or align with your API contract. Most browser page loads never surface 100 in DevTools as a final status.

The server agrees to change protocols—most often HTTP to WebSocket after a valid upgrade request.

Typical causes

WebSocket upgrade, HTTP/2 upgrade negotiation, or custom protocol switches on the same connection.

What to do next

Verify Sec-WebSocket-* headers and TLS termination. If upgrades fail intermittently, inspect reverse proxies and load balancers for idle timeouts or missing upgrade passthrough.

A provisional response meaning the server is still working on a long-running request (WebDAV-related usage; rare in general APIs).

Typical causes

Legacy WebDAV or custom servers that stream interim progress before a final 2xx/4xx/5xx.

What to do next

Wait for the final response. If your client hangs, confirm server-side job completion paths and proxy read timeouts.

The server may send resource hints (for example Link preload/prefetch) before the full response is ready.

Typical causes

Optimizing critical path loading with HTTP/2 or HTTP/3 early hints from CDNs and modern frameworks.

What to do next

Validate that hinted URLs are correct and cacheable. Combine with strong cache headers on static assets.

The request succeeded. For GET, the representation is returned; for HEAD, headers only—this is the baseline success code for most pages and APIs.

Typical causes

Healthy origin, correct route, authorized access, and matching HTTP method—normal production behavior.

What to do next

Pair 200 with correct caching (Cache-Control), canonical tags for HTML, and consistent Content-Type for APIs. Use our HTTP header checker when headers matter as much as the body.

A new resource was created as a result of the request—common for POST that inserts rows or objects.

Typical causes

REST POST to /users, /orders, or similar collection endpoints that persist data and return a Location.

What to do next

Return a Location header or stable id in the body; ensure idempotency keys for safe retries on flaky networks.

The request was accepted for processing but processing is not finished—typical for async jobs and queues.

Typical causes

Background workers, batch imports, or webhook receivers that enqueue work instead of completing inline.

What to do next

Expose job ids and polling or callback URLs; document SLA and failure modes so clients do not treat 202 as guaranteed completion.

Success with no response body—often used for DELETE or PUT where the client already knows the outcome.

Typical causes

Idempotent deletes, toggle endpoints, or cache invalidations that do not need a payload back.

What to do next

Confirm clients handle empty bodies. Avoid returning 204 where clients expect JSON error details on failure.

Success response assembled from a secondary source—often seen with transforming proxies or cached third-party content.

Typical causes

Intermediaries returning a copy while noting it may not be the authoritative origin response.

What to do next

Treat payload as potentially stale; bypass or disable transformation when strict consistency matters.

Tells the client to reset the document view—rare on the modern web; more common in legacy form UIs.

Typical causes

Custom servers clearing client-side form state after successful submission.

What to do next

If you see 205 unexpectedly, verify framework middleware and proxy rules are not mislabeling responses.

The server fulfilled a range request—used for video/audio streaming and resumable downloads.

Typical causes

Range: bytes=... on large files; CDN edge slicing; download managers requesting chunks.

What to do next

Ensure Accept-Ranges and correct Content-Range. Misconfigured ranges cause players to stutter or corrupt data.

WebDAV-style mixed outcome: sub-requests succeeded or failed independently inside one response body.

Typical causes

Batch PROPFIND or COPY operations reporting per-resource status in XML/JSON payloads.

What to do next

Parse the multistatus body; do not assume overall success from the top-level 207 alone.

More than one representation exists—client should choose (for example language or format variants).

Typical causes

Content negotiation endpoints, duplicate filenames, or legacy mirrors exposing multiple URLs.

What to do next

Prefer canonical URLs and explicit redirects (301/308) for SEO; avoid ambiguous 300 chains.

The resource has a new permanent URI; future requests should use the target in the Location header.

Typical causes

Domain migrations, slug changes, HTTP→HTTPS at the edge, or consolidating duplicate URLs for SEO.

What to do next

Update internal links and sitemaps to the final URL; monitor Search Console and redirect chains. Compare with our redirect checker and response code checker for live URLs.

Temporary redirect—HTTP/1.0 semantics historically blurred with 303/307; many stacks treat it as temporary.

Typical causes

Legacy apps, framework defaults, or short campaigns where the original URL may return later.

What to do next

Prefer 307/308 when you need method-preserving or permanent semantics explicitly. Fix long 302 chains that slow crawlers.

Redirect the client to a different URI with GET—common after POST to avoid duplicate form submissions.

Typical causes

Post/Redirect/Get pattern for web forms and checkout flows.

What to do next

Ensure the follow-up GET URL is cache-safe and does not re-trigger destructive actions.

Conditional GET: the cached copy is still valid; no body is sent when If-None-Match/If-Modified-Since match.

Typical causes

ETag validators, last-modified checks, and CDN revalidation saving bandwidth.

What to do next

Verify ETag generation changes when content changes; broken validators cause stale or excessive 200s.

Deprecated in HTTP/1.1—historically meant “repeat via the proxy named in Location.” Modern stacks should not emit it.

Typical causes

Legacy corporate proxies or ancient middleware still in rare environments.

What to do next

Migrate clients to explicit HTTPS CONNECT or transparent proxies; treat unexpected 305 as a configuration smell.

Temporary redirect that preserves the original HTTP method and body—clearer than historic 302 behavior.

Typical causes

Maintenance pages, canary routing, or short-lived alternate hosts.

What to do next

Confirm clients resend POST bodies as required. Move to 301/308 when the move is permanent.

Permanent redirect with method and body preserved—strong signal for SEO and API clients alike.

Typical causes

HTTPS everywhere, canonical host enforcement, and API base URL migrations.

What to do next

Update bookmarks, SDKs, and SDK default base URLs; audit for redirect loops at the load balancer.

The server cannot process the request due to malformed syntax, invalid JSON, or inconsistent parameters.

Typical causes

Broken JSON bodies, wrong query encoding, invalid UTF-8, or missing required fields in APIs.

What to do next

Validate payloads with our JSON formatter; log request ids. Return structured errors so clients can fix input.

Authentication is required or failed—often paired with WWW-Authenticate for bearer or basic flows.

Typical causes

Missing Authorization header, expired JWT, wrong API key, or clock skew on token validation.

What to do next

Refresh tokens, sync system time, and confirm audience/issuer claims. Distinguish from 403 after auth succeeds.

Reserved for future digital payment schemes; not standardized for general billing flows today.

Typical causes

Rare experimental APIs; some platforms repurpose it informally for paid tiers—non-interoperable.

What to do next

Prefer 402 only if your contract documents it; otherwise use 403 and explicit subscription errors in the body.

The server understood the request but refuses it—authorization or policy blocks even if credentials were supplied.

Typical causes

RBAC denials, IP allowlists, WAF rules, missing scopes, or directory listing blocked.

What to do next

Check IAM, CDN firewall events, and application logs. Align automated probes with what legitimate users experience.

No resource matches the URI—classic broken link, typo, or removed content.

Typical causes

Stale bookmarks, bad deploys, renamed routes, or CMS slug changes without redirects.

What to do next

Restore content, add 301/308 to the successor page, or return 410 when intentionally retired. Fix inbound links and sitemap entries.

The resource exists but does not support the HTTP verb used—Allow header lists valid methods.

Typical causes

DELETE on a read-only route, POST to a static file path, or misconfigured API gateway verbs.

What to do next

Correct the client method or expand route handlers. Document allowed verbs in OpenAPI specs.

The server cannot produce a representation matching the Accept headers (language, encoding, or format).

Typical causes

Accept: application/xml only while the API returns JSON, or overly strict content negotiation.

What to do next

Widen Accept headers on the client or implement proper content-type negotiation on the server.

The client must authenticate with a proxy before the request can reach the origin.

Typical causes

Corporate HTTP proxies, captive portals, or misconfigured forward proxies in CI.

What to do next

Supply proxy credentials or route traffic through an approved network path; never embed secrets in logs.

The server gave up waiting for the full request—often idle connections or slow uploads.

Typical causes

Huge payloads without chunked transfer, client stalls, or aggressive server idle timeouts.

What to do next

Retry with backoff, tune keep-alive, or increase upload limits/timeouts at reverse proxies.

The request conflicts with the current state—version collisions, duplicate unique keys, or optimistic locking failures.

Typical causes

Concurrent edits, duplicate email signups, or workflow states that reject the transition.

What to do next

Return details on the conflict; consider ETags or sequence numbers for concurrency control.

The resource existed but was permanently removed and will not return—stronger than 404 for intentional retirement.

Typical causes

Delisted products, deprecated API versions, or legal takedowns with no replacement.

What to do next

Remove links from navigation and sitemaps; communicate migrations to users and search engines clearly.

A precondition header (such as If-Match) evaluated to false—common in versioning and WebDAV.

Typical causes

Stale ETag on PATCH, or conditional writes when state changed underneath the client.

What to do next

Refetch the latest representation, merge changes, and retry with updated validators.

The request body exceeds limits configured on the server, gateway, or WAF.

Typical causes

Oversized uploads, uncompressed images, or default nginx/client_max_body_size ceilings.

What to do next

Chunk uploads, raise limits deliberately, or use direct-to-object-storage signed URLs.

The request-target exceeds server or proxy limits—often from huge query strings or misplaced POST data.

Typical causes

GET with thousands of filter params, or accidental serialization of blobs into the URL.

What to do next

Move data to POST bodies, shorten keys, or use server-side session storage for complex filters.

The Content-Type or encoding is not supported for this endpoint.

Typical causes

Sending text/plain where application/json is required, or missing charset boundaries.

What to do next

Set Content-Type explicitly; verify multipart boundaries for file uploads.

The requested byte range is invalid or outside the file size—often after file length changes.

Typical causes

Outdated range metadata in download managers or streaming clients after content updates.

What to do next

Issue a new range request after HEAD or 200 to learn current Content-Length.

The Expect header could not be satisfied by the server—often with Expect: 100-continue edge cases.

Typical causes

Proxies stripping or mishandling Expect, or servers rejecting large body preconditions.

What to do next

Remove Expect when possible or align proxy buffering with upload requirements.

Easter egg from RFC 2324 (Hyper Text Coffee Pot Control Protocol); sometimes used humorously in tests.

Typical causes

Framework demos, integration tests, or misconfigured routes returning jokes.

What to do next

Do not rely on 418 in production APIs; use meaningful 4xx codes for real errors.

The request was directed at a server that cannot produce a response for this scheme and authority.

Typical causes

HTTP/2 connection reuse across hosts with TLS SNI mismatches or misrouted multiplexed streams.

What to do next

Fix connection coalescing settings and ensure clients connect to the correct host for each authority.

The resource is locked—WebDAV semantics preventing concurrent edits until unlocked.

Typical causes

Checked-out documents, admin locks, or migration holds on resources.

What to do next

Use UNLOCK where appropriate or surface lock ownership to users.

A WebDAV method failed because a prior dependent action failed.

Typical causes

Chained operations such as MOVE depending on COPY success.

What to do next

Inspect earlier error bodies in the multistatus response to fix root causes.

The server refuses the request until the client upgrades to a different protocol—often TLS or WebSocket.

Typical causes

HSTS-like upgrades, mandatory HTTP/2, or insecure plain HTTP blocked on sensitive routes.

What to do next

Switch client libraries to HTTPS or HTTP/2 as required; update Upgrade headers.

The origin requires conditional requests to prevent lost updates—often paired with replay protection.

Typical causes

High-contention resources where If-Match headers are mandatory for write safety.

What to do next

Send validators from GET responses before mutating writes.

Headers exceed server limits—often cookie bloat or oversized bearer tokens.

Typical causes

Thousands of cookies, duplicated headers, or debug headers accidentally shipped to prod.

What to do next

Trim cookies, split state server-side, and raise limits only after profiling abuse risk.

Well-formed JSON/XML but semantically invalid—validation errors on business rules or schema.

Typical causes

Schema passes syntax but fails rules: out-of-range numbers, unknown enums, or cross-field constraints.

What to do next

Return field-level errors; pair with OpenAPI examples so clients correct payloads quickly.

Rate limiting—protecting APIs from abuse or fairness across tenants.

Typical causes

Bursty retries without backoff, scraping, or shared egress IPs hitting shared quotas.

What to do next

Honor Retry-After, exponential backoff, and jitter. Request higher quotas with justified traffic patterns.

Access is denied because of a legal demand—often geographic blocking or court-ordered removal.

Typical causes

GDPR-related blocking, copyright takedowns, or government censorship lists enforced at CDN edge.

What to do next

Consult legal and compliance teams; do not bypass geo rules without counsel. Document alternate lawful access paths.

An unexpected error occurred on the server—generic catch-all for uncaught exceptions.

Typical causes

Null pointers, misconfigured env vars, deadlocks, or dependency outages surfaced as 500.

What to do next

Check application and infrastructure logs, error tracking (Sentry, etc.), and recent deploys. Add health checks upstream.

The server does not support the functionality required to fulfill the request.

Typical causes

Exotic HTTP methods, unimplemented protocol features, or placeholder handlers.

What to do next

Implement the feature or block the method at the gateway with a clear 405/404 instead.

A proxy or gateway received an invalid response from an upstream server.

Typical causes

Origin crash, TLS handshake failure to upstream, or DNS flapping behind the load balancer.

What to do next

Trace upstream health, connection pools, and keep-alive settings between gateway and app servers.

The server is temporarily unable to handle traffic—maintenance, overload, or dependency outage.

Typical causes

Deploy freezes, database failover, or intentional circuit breaking during incidents.

What to do next

Return Retry-After when possible; scale capacity; use graceful degradation pages for humans.

A proxy did not receive a timely response from the upstream—distinct from slow client uploads (408).

Typical causes

Long database queries, cold starts, or upstream saturation hitting proxy read timeouts.

What to do next

Optimize hot paths, add caching, increase timeouts only where safe, and parallelize independent calls.

The server does not support—or refuses to support—the major HTTP version used in the request.

Typical causes

HTTP/3-only edges rejecting HTTP/1.1, or legacy stacks that cannot parse newer framing.

What to do next

Align client and server on supported protocol versions; update libraries and TLS stacks.

WebDAV: the method could not complete because the server is out of storage for the representation.

Typical causes

Disk full on NAS, quota exceeded on object storage, or database tablespace limits.

What to do next

Expand capacity, purge old data, and alert before exhaustion triggers user-facing failures.

The client must authenticate to gain network access—common with captive portals and hotspot logins.

Typical causes

Wi‑Fi splash pages intercepting HTTP before Internet access is granted.

What to do next

Complete portal authentication or use VPN; automated clients should detect captive portals explicitly.