HTTP status codes cheat sheet: A quick reference

When you’re working with web applications, whether as a website administrator or a penetration tester, chances are you’ve had to do a web search on a three-digit code like “how to fix 404 error” and wade through the same volume of search results repeatedly. You’ve seen the three-digit code before, but it always slips your mind.

These three-digit codes are called HTTP status codes. They’re crucial to understanding server behavior, conducting appropriate security tests, or refraining from overdoing them. Servers flooded with requests usually return 4XX or 5XX errors, which you will find below, and having too many redirects can also point to serious cybersecurity problems.

From now on, you don’t have to do those searches anymore because we have prepared this HTTP status codes cheat sheet for you.

When you’re ready, let’s dive in.

What Is an HTTP Status Code?

HTTP is short for “Hypertext Transfer Protocol”. An HTTP status code consists of three digits. It tells you the result of a client request to a server and the semantics of the server response, including whether the request was successful and its contents if such a payload exists. All valid status codes are between 100 and 599 inclusive.

HTTP status codes come in five classes, each of which has the same theme. In the graphic below, “you” refers to the client, and “I” to the server:

[Figure: Human-friendly guide to HTTP Status Codes]

The Top 5 Most Commonly Used Status Codes

The RFC 9110 specification consists of 63 standard status codes, beyond which are custom HTTP status codes defined by server administrators. Here are the top five status codes you need to know:

  1. 200 OK: Ideally, you want this because it means you’ve found your desired website or the data on a submitted web form has reached its destination intact.
  2. 301 Moved Permanently / 308 Permanent Redirect: Websites often shorten their addresses for easy visitor access, such as omitting “www.” A shortened link redirects users to a web resource at its original, longer Uniform Resource Identifier (URI).
  3. 404 Not Found: The server is up, but the resource is missing, thanks to deletion or a modified URI, as is often the case for website updates.
  4. 403 Forbidden: The server denies the client access to a resource. We have a penchant for challenging this status code: opening the frame source of some embedded videos in a new tab gives us this error, as the videos have a strict same-origin policy. Yet sometimes, we could download those videos from alternate source URLs found through the browser’s Inspector.
  5. 500 Internal Server Error / 503 Service Unavailable: The server is not functioning and can’t respond to any requests you make to it. Visitors of the website are at the mercy of administrators.

Informational Requests: 1XX

When a server returns a 1XX code, it means the server has received and understood your request, and your browser only needs to wait for the server to finish processing your data.

| Code | Meaning | Description |
|---|---|---|
| 100 | Continue | The server has received the request headers, and the client should proceed to send the request body. |
| 101 | Switching Protocols | The requester has asked the server to change protocols using a protocol upgrade mechanism, and the server has agreed. |
| 102 | Processing | The server has accepted the entire request but is still processing it. |
| 103 | Early Hints | Use it with the Link header to preload resources while the server prepares a response. |

Success Requests: 2XX

2XX requests mean your transmitted data has reached the server or the resource you want from the server has arrived safely at your machine.

| Code | Meaning | Description |
|---|---|---|
| 200 | OK | The request succeeded. |
| 201 | Created | The server acknowledged a newly created resource. |
| 202 | Accepted | The server has received the client’s request but is still processing it. |
| 203 | Non-Authoritative Information | The server’s response to the client differs from the initial response that the server sent. |
| 204 | No Content | The server has processed the request but isn’t returning any content. |
| 205 | Reset Content | The client should refresh the document sample. |
| 206 | Partial Content | The server is sending only part of the resource. |
| 207 | Multi-Status | The server response may contain multiple response codes. |
| 208 | Already Reported | The server response highlights duplicate internal contents with this status code. |
| 226 | IM Used | IM stands for “instance manipulation” in HTTP Delta Coding. The server has fulfilled a GET request, and the server response involves IMs. |

Redirection Requests: 3XX

When you encounter a 3XX status code, the server will redirect you to a web location different from your initial URI.

| Code | Meaning | Description |
|---|---|---|
| 300 | Multiple Choices | The client must choose among several possible responses for the server request. |
| 301 | Moved Permanently | The server tells the client the requested resource is now at another URI permanently. |
| 302 | Found | The server tells the client that the requested resource is temporarily at another URI. |
| 303 | See Other | The server doesn’t redirect the client to the requested resource but to another page. |
| 304 | Not Modified | The server response is the same as in the past, so the client can continue to use the client’s cached version of the server response. |
| 305 | Use Proxy (deprecated) | The client could only access the requested resource through a proxy given in the response. Deprecation was because in-band configuration of a proxy is insecure. |
| 306 | (unused/reserved) | A previous version of the HTTP/1.1 specification used this response code. |
| 307 | Temporary Redirect | The server tells the client that the resource they are looking for is temporarily at another URI. Unlike 302, the client must access the new URI using the same HTTP method as the original URI. |
| 308 | Permanent Redirect | The server tells the client that the resource they are looking for is now at another URI permanently. Unlike 301, the client must access the new URI using the same HTTP method as the original URI. |

Client Errors: 4XX

These are client errors, such as a missing page, incorrect data format, unauthorized access, or a mistake in the request.

| Code | Meaning | Description |
|---|---|---|
| 400 | Bad Request | The client has sent a request with incomplete, ill-constructed, or invalid data. |
| 401 | Unauthorized | The client lacks the authorization needed to access the requested resource. |
| 402 | Payment Required | A rare status code reserved for digital payment systems. |
| 403 | Forbidden | The server prohibits the client from accessing the resource. |
| 404 | Not Found | This code denotes a nonexistent resource on a working server. |
| 405 | Method Not Allowed | The server has received and recognized the request but has rejected the specific request method. |
| 406 | Not Acceptable | The website or web application doesn’t support the client’s request with a particular protocol. |
| 407 | Proxy Authentication Required | Similar to 401 Unauthorized, but the server requires authorization via a proxy. |
| 408 | Request Timeout | The request the client sent to the server has expired. |
| 409 | Conflict | The request transmitted conflicts with the server’s internal operations. |
| 410 | Gone | The resource sought by the client is permanently unavailable. |
| 411 | Length Required | The server requires the Content-Length header field, but it was missing in the request, so the server rejected it. |
| 412 | Precondition Failed | The server does not meet the conditions indicated by the client. |
| 413 | Payload Too Large | Request entity exceeds server limits. |
| 414 | URI Too Long | The URI requested by the client is longer than the server is willing to interpret. |
| 415 | Unsupported Media Type | The server doesn’t support the media format of the requested data and thus rejects the request. |
| 416 | Requested Range Not Satisfiable | The server response cannot fulfill the range specified by the Range header field in the request. |
| 417 | Expectation Failed | The server cannot meet the expectation indicated by the Expect request header field. |
| 418 | I’m a teapot | The server sends this response to undesirable requests, such as automated queries. |
| 421 | Misdirected Request | The request went to a server unable to produce a response. |
| 422 | Unprocessable Entity | Semantic errors in the request prevented the server from sending the expected response. |
| 423 | Locked | The requested resource is locked. |
| 424 | Failed Dependency | The failure of a previous request doomed this request to failure. |
| 425 | Too Early | The server aborted a request that might be part of an (intentional or unintentional) replay attack. |
| 426 | Upgrade Required | The server would only perform the request after the client upgrades to one or more different protocols specified in its Upgrade header in a 426 response. |
| 428 | Precondition Required | The origin server requires the request to satisfy certain conditions. |
| 429 | Too Many Requests | The client has sent too many requests in a given amount of time. |
| 431 | Request Header Fields Too Large | The server is unwilling to process the request because of oversized header fields. |
| 451 | Unavailable for Legal Reasons | The server cannot legally provide the requested resource, such as a government-censored page. |

Server Errors: 5XX

These are server errors. The client has made a valid request, but the server cannot provide the requested resource.

| Code | Meaning | Description |
|---|---|---|
| 500 | Internal Server Error | The server has run into problems while processing the client’s request. |
| 501 | Not Implemented | The server can’t resolve the client’s HTTP request method. |
| 502 | Bad Gateway | The server, acting as a gateway or proxy, received an invalid message from an inbound server. |
| 503 | Service Unavailable | The server appears non-functional and can’t process the client’s request. |
| 504 | Gateway Timeout | The server, acting as a gateway, fails to produce a response in time. |
| 505 | HTTP Version Not Supported | The server doesn’t support the HTTP version used in the request. |
| 506 | Variant Also Negotiates | The server has an internal configuration error that leads to content conflicts. |
| 507 | Insufficient Storage | The server doesn’t have enough storage to perform the HTTP method of the request. |
| 508 | Loop Detected | The server detected an infinite loop while processing the request. |
| 510 | Not Extended | The server requires further extensions to the request before fulfilling it. |
| 511 | Network Authentication Required | The client needs to get authenticated on the network to access the resource. |

Codes for Web Application Security Testing

Here are the most relevant HTTP status codes for security testing of web apps:

| Code | Meaning |
|---|---|
| 200 | OK |
| 301 | Moved Permanently |
| 302 | Found |
| 400 | Bad Request |
| 401 | Unauthorized |
| 403 | Forbidden |
| 404 | Not Found |
| 405 | Method Not Allowed |
| 500 | Internal Server Error |
| 502 | Bad Gateway |
| 503 | Service Unavailable |
| 504 | Gateway Timeout |
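
One way a defender can put the codes listed above to work, as an added example that is not part of the original cheat sheet: the Python below parses Common Log Format lines, counts responses per status class, and tags clients whose traffic is dominated by 404 or 401/403 responses or includes 405 or 5XX. The log lines, the thresholds (`min_requests`, `ratio`) and the tag names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Common Log Format; IPs are documentation-range addresses.
_ROWS = (
    [("198.51.100.7", "GET", p, c) for p, c in [("/", 200), ("/old", 301), ("/new", 200)]]
    + [("203.0.113.9", "GET", f"/missing-{i}", 404) for i in range(5)]
    + [("203.0.113.9", "GET", "/", 200)]
    + [("192.0.2.44", "POST", "/login", 401)] * 4
    + [("192.0.2.44", "PUT", "/login", 405), ("192.0.2.44", "POST", "/search", 500)])
SAMPLE_LOG = "\n".join(
    f'{ip} - - [10/Oct/2024:13:55:00 +0000] "{m} {p} HTTP/1.1" {code} 512'
    for ip, m, p, code in _ROWS)
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')

def parse(log_text):
    """Yield (client_ip, status) for well-formed lines with a code in 100-599."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and 100 <= int(m.group(2)) <= 599:
            yield m.group(1), int(m.group(2))

def class_counts(log_text):
    """Count responses per status class, e.g. {'4XX': 10}."""
    return Counter(f"{code // 100}XX" for _, code in parse(log_text))

def triage(log_text, min_requests=5, ratio=0.6):
    """Map client IP -> list of tags describing notable status patterns."""
    per_client = defaultdict(Counter)
    for ip, code in parse(log_text):
        per_client[ip][code] += 1
    findings = {}
    for ip, codes in per_client.items():
        total, tags = sum(codes.values()), []
        busy = total >= min_requests          # ignore clients with too few requests
        if busy and codes[404] / total >= ratio:
            tags.append("404-heavy")          # mostly missing resources requested
        if busy and (codes[401] + codes[403]) / total >= ratio:
            tags.append("denied-heavy")       # mostly 401/403 responses
        if codes[405]:
            tags.append("405-seen")           # a request method was rejected
        if any(c >= 500 for c in codes):
            tags.append("5xx-seen")           # server-side failure worth reviewing
        if tags:
            findings[ip] = tags
    return findings

if __name__ == "__main__":
    print(dict(class_counts(SAMPLE_LOG)), triage(SAMPLE_LOG))
```

Tune `min_requests` and `ratio` against a baseline of normal traffic before alerting on the tags.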

Conclusion

This HTTP status codes cheat sheet covers all HTTP codes. We hope this HTTP error codes cheat sheet helps you troubleshoot web applications and improve their security. Once familiar with these HTTP status codes, explore the Web Hacking courses included in our VIP Membership to consolidate your learning. Have fun.
