HTTP Status Codes & Response Headers: Complete Reference
Understanding HTTP status codes and headers is fundamental for web developers, SEO specialists, and system administrators. This reference guide covers the most important status codes and headers used in modern web communication.
1. HTTP Status Codes Quick Reference
Status codes are grouped into five classes based on the first digit.
1xx: Informational
- 101 Switching Protocols: The server agrees to switch protocols (e.g., upgrading to WebSockets).
2xx: Success
- 200 OK: The request succeeded.
- 201 Created: The request succeeded and a new resource was created.
- 204 No Content: The request succeeded, but there is no content to send back.
3xx: Redirection
- 301 Moved Permanently: The resource has been moved to a new URL permanently.
- 302 Found: The resource is temporarily at a different URL.
- 304 Not Modified: Used for caching; indicates the resource hasn't changed.
4xx: Client Error
- 400 Bad Request: The server cannot process the request due to client error (e.g., malformed syntax).
- 401 Unauthorized: Authentication is required.
- 403 Forbidden: The server understands the request but refuses to authorize it.
- 404 Not Found: The requested resource could not be found.
- 429 Too Many Requests: The user has sent too many requests in a given amount of time (Rate limiting).
5xx: Server Error
- 500 Internal Server Error: A generic error message when the server encounters an unexpected condition.
- 502 Bad Gateway: The server, acting as a gateway, received an invalid response from the upstream server.
- 503 Service Unavailable: The server is currently unable to handle the request (e.g., maintenance).
- 504 Gateway Timeout: The server did not receive a timely response from the upstream server.
2. Essential HTTP Response Headers
Headers provide metadata about the response or the server.
Caching: Cache-Control
Controls how the browser and intermediate caches (like CDNs) store the resource.
public, max-age=31536000, immutable: Ideal for versioned static assets (JS, CSS).no-store: Do not cache anything (useful for sensitive data).no-cache: Must revalidate with the server before using the cached version.
Security: Strict-Transport-Security (HSTS)
Tells the browser to only access the site via HTTPS.
- Example:
max-age=63072000; includeSubDomains; preload
Session Management: Set-Cookie
Sends a cookie from the server to the user agent.
- Example:
id=abc; Max-Age=3600; Secure; HttpOnly; SameSite=Lax- HttpOnly: Prevents JavaScript from accessing the cookie (mitigates XSS).
- Secure: Only sends the cookie over HTTPS.
- SameSite: Controls cross-site cookie behavior (Lax, Strict, or None).
Content Negotiation: Content-Type & Accept-Encoding
- Content-Type: Indicates the media type of the resource (e.g.,
text/html,application/json). - Accept-Encoding: Communicated by the client to indicate supported compression (e.g.,
gzip,br).
3. Comparison Table: 301 vs. 302 Redirection
| Feature | 301 Moved Permanently | 302 Found (Temporary) |
|---|---|---|
| SEO Impact | Passes Link Equity (PageRank) | Does not pass Link Equity |
| Browser Caching | Cached by default | Not cached by default |
| Use Case | Site migration, URL change | Maintenance, temporary promotions |
FAQ: Common HTTP Issues
Q: Why am I getting a 403 Forbidden error even when I'm logged in?
A: This often happens if the user lacks the specific permissions/roles for that resource, or if there's a CSRF token mismatch.
Q: What is the difference between 401 and 403?
A: 401 Unauthorized means "I don't know who you are" (please log in). 403 Forbidden means "I know who you are, but you're not allowed here."
Q: How do I fix a 502 Bad Gateway?
A: This is usually a server-side issue. Check if the backend application (e.g., Node.js, Python) is running or if the reverse proxy (Nginx/Apache) is correctly configured to point to it.
Related Tools
- HTTP Header Parser: Inspect and analyze headers from any URL.
- Cache-Control Builder: Generate optimized cache policies.
- Status Code Checker: Verify the response code for your API or website.