Searchable reference. No ads, no login.

HTTP Status Code Reference

Every HTTP status code working developers and IT pros actually encounter — with the meaning, the common cause, and the quick action you should take. Covers 1xx through 5xx plus Cloudflare-specific 5xx codes. Built by Datastrive, a Chicago managed IT and cybersecurity provider.

Code Name Frequency & Notes

The mental model behind HTTP status codes

Beyond memorizing what each code means, a few patterns matter every time you debug a failing API call or read a server log. Internalize these and you’ll resolve most issues from the status code alone.

  1. The first digit tells you who’s at fault 1xx = informational (handshakes, no action needed). 2xx = success. 3xx = redirect (the resource moved). 4xx = your client sent something the server can’t process. 5xx = the server itself failed. This taxonomy is the most useful piece of the spec — when triaging, the first digit immediately narrows where to look.
  2. 401 means unauthenticated; 403 means forbidden The most-confused pair in HTTP. 401 Unauthorized means credentials are missing or invalid — you haven’t proven who you are. 403 Forbidden means you’ve authenticated successfully but you don’t have permission for this specific resource. Returning 401 when you should return 403 leaks information about authentication state; returning 403 when 401 is correct prevents clients from triggering re-auth.
  3. 301 vs 302 vs 307 vs 308 are not interchangeable 301 is permanent (cached, search engines transfer ranking). 302 is “found” but with messy POST-to-GET conversion behavior in browsers. 303 explicitly converts to GET. 307 and 308 are the modern method-preserving variants of 302 and 301. For API endpoints especially, use 307/308 — they preserve method and have unambiguous semantics.
  4. 4xx and 5xx mean different things to your monitoring A spike in 4xx means clients are sending bad requests — could be a broken integration, a deprecated endpoint, or a malicious scan. A spike in 5xx means your server is failing — alert immediately. The two should have separate dashboards and alerting thresholds. 4xx ratio above ~5% suggests a bug in a deployed client; 5xx ratio above ~1% suggests an active incident.
  5. 502, 503, and 504 each tell you something different 502 Bad Gateway: upstream server returned garbage or the connection died abruptly. 503 Service Unavailable: the proxy itself is up but no healthy upstream is available (maintenance, all backends failed health checks). 504 Gateway Timeout: upstream took too long to respond. Distinguishing these speeds up incident triage — 502 points at the application, 503 points at the load balancer or backend pool, 504 points at slow upstream operations.
  6. 429 should always include a Retry-After header Rate limit responses without a Retry-After header force clients into exponential backoff guesswork. Including Retry-After (seconds, or HTTP date) makes well-written clients respect your limits gracefully. The header is good API hygiene — and reduces the load amplification that retries cause when limits hit.
  7. 422 vs 400 is a useful distinction for validation errors 400 Bad Request is the catch-all for “request is malformed” — invalid JSON, missing required headers. 422 Unprocessable Content is more specific: “request was syntactically valid but the data doesn’t pass business validation.” Many modern REST APIs use 422 specifically for validation failures (missing required fields, invalid email format, business rule violations). Either is correct; the distinction is genuinely useful.
  8. Cloudflare 5xx codes point at origin issues, not Cloudflare 520-526 from Cloudflare almost always mean your origin server has a problem. 521 means the origin refused the connection (firewall blocking Cloudflare). 522 means TCP timeout. 524 means HTTP timeout (origin took longer than 100s to respond). 525/526 mean SSL handshake or cert issues. Whitelisting Cloudflare’s IPs and tuning your origin timeouts resolves the majority of these. Use our DNS Lookup tool to verify your origin DNS is correct.

Frequently asked questions

What’s the difference between 401 and 403?

401 Unauthorized means “you haven’t authenticated” — credentials missing, invalid, or expired. The response should include a WWW-Authenticate header indicating how to authenticate. Despite the name, 401 is really about authentication state.

403 Forbidden means “you’re authenticated, but you don’t have permission” — the server knows who you are but won’t let you do this. Returning 401 when 403 is correct gives clients false hope of triggering re-auth; returning 403 when 401 is correct prevents legitimate clients from logging in. Get the distinction right.

When should I use 301 vs 302 vs 307 vs 308?

301 Moved Permanently — permanent redirect, browser caches it, search engines transfer ranking. Use for permanent URL structure changes, HTTPS upgrades, domain migrations.

302 Found — ambiguous semantics (HTTP/1.0 implementations converted POST to GET, modern spec preserves method but most browsers don’t). Avoid in new code; pick 303, 307, or 308 instead.

303 See Other — explicitly converts to GET. The standard pattern after a successful POST form submission (Post/Redirect/Get).

307 Temporary Redirect and 308 Permanent Redirect — method-preserving versions of 302 and 301. POST stays POST. The right choice for API redirects where the method matters.

What’s the difference between 502, 503, and 504?

502 Bad Gateway — reverse proxy got an invalid response from the upstream. Origin app crashed mid-request, returned malformed headers, or closed the connection abruptly.

503 Service Unavailable — the proxy is up, but no healthy upstream is available. All backends failed health checks, or the service is in maintenance. Should include Retry-After.

504 Gateway Timeout — the upstream took longer than the proxy timeout to respond. Slow database query, slow external API call, deadlocked thread. Different from 408 (which is the client taking too long to send).

Distinguishing these speeds up triage. 502 points at the application code; 503 points at the load balancer or backend pool; 504 points at slow upstream operations.

Why do I see 200 from cURL but 502 in the browser?

Almost always: a reverse proxy or CDN sits between the browser and the origin, and it’s the one returning 502. Direct cURL hits the origin without going through the proxy. Most common causes: Cloudflare returning 502/520 because of origin connectivity issues, or an nginx/HAProxy proxy returning 502 because the application server isn’t responding.

Quick diagnostic: curl -v https://yoursite.com/path and check the Server response header. If it says cloudflare, the response is from CDN edge. If it says nginx, an nginx proxy is in the path.

Is 418 I’m a teapot real?

Sort of. RFC 2324 was a 1998 April Fools’ joke (“Hyper Text Coffee Pot Control Protocol”) that defined 418. The IETF later tried to retire it, but enough developers fought to keep it as an Easter egg that it survived. It’s not part of the core HTTP spec, but it’s widely-recognized.

Some real systems return 418 deliberately to obscure their actual rejection logic — particularly WAFs that don’t want to confirm a request was filtered.

What does Cloudflare error 521 actually mean?

Cloudflare can resolve your origin’s DNS but the origin server is actively refusing the TCP connection (or no process is listening on the port). Most common causes:

1. Origin firewall blocking Cloudflare IPs. Whitelist https://www.cloudflare.com/ips/ on your origin. This fixes about 70% of 521s.

2. Wrong origin IP configured in Cloudflare DNS. The IP no longer hosts your service.

3. Origin web server crashed or stopped. Apache, nginx, or your application process is down. Restart the service.

What status code should my API return for a validation error?

Either 400 Bad Request or 422 Unprocessable Content. Both are correct; modern API conventions slightly favor 422 for “request was syntactically valid but the data is wrong” and reserve 400 for “the request is malformed at the HTTP level.”

Examples: invalid JSON syntax → 400. Valid JSON but missing a required field → 422. Valid JSON, all fields present, but the email field is “not-an-email” → 422. Either way, include a response body that explains which field is wrong and why.

Are there any non-standard codes I should know about?

The Cloudflare 520-530 codes are the most common non-IETF codes you’ll encounter. Beyond those:

nginx 444 — “No Response.” nginx-specific, used to silently drop a connection without sending any response. Common for blocking malicious requests without giving the client feedback.

nginx 494 — “Request Header Too Large.” nginx-specific variant of 431.

Microsoft IIS 440 — “Login Time-out.” IIS-specific session expiration.

If your status codes are telling you something’s broken —

The reference table above tells you what each code means. Figuring out why your application is returning them, then fixing the underlying issue, is what Datastrive does for businesses across the Chicago area — managed IT, cybersecurity, and structured cabling.

Talk to Datastrive →