1.3. HTTP Server Response Codes

We have discussed the types of requests that can be made to a server. Now let's see how the server can respond to them.

All responses are divided into corresponding categories:

  • 200 - 299: Success – Response to a successful action, meaning the server has found the requested resource or successfully completed the operation.
  • 300 - 399: Redirection – The server indicates to the client that the requested resource has been temporarily or permanently moved to a different address and recommends the client to navigate to that new address.
  • 400 - 499: Client Error – Error on the client side. This could mean that the client is requesting a non-existent resource or doesn't have permission to access the resource.
  • 500 - 599: Server Error – Error on the server side. This could mean that the server is overloaded and unable to handle the request, or the client's request to the server has caused a malfunction.


Frequently encountered server responses

200 OK – When a resource is found, the server will provide the requested information to the client.

301 Moved Permanently – When a client requests certain data using a specific address, it is possible that these data are now available at a different address on the server. In this case, the server informs the client and provides the correct address. The client then navigates to the specified address and receives a 200 OK response. This is how the redirection mechanism works. The new address is indicated in the Location header:

HTTP redirection flow with code 302

HTTP redirection flow with code 302

302 Found – This response is similar to the 301 response, but if in the first case the resource was permanently moved to a different address, in the case of 302, the resource is only temporarily moved to a new address. The redirection mechanisms 301 and 302 are used in the following cases:

  • When a resource does not exist on the server, some developers simply redirect the user to the main and specially prepared page.
  • If the requested resource on the website is only available to authorized users, the server redirects users to the authorization page.
  • If there are duplicate pages on the website, developers usually instruct the server on which pages to perform redirection from.

400 Bad Request – This occurs when the server cannot understand the client's request, for example, when an incorrect parameter is specified, or the syntax of the request does not match the HTTP specification.

401 – Unauthorized – If user authentication is present on the website and a user tries to access a protected resource, the server uses this type of response. The entire authentication process is outlined below in the diagram:

HTTP 401 - Authentication flow

403 – Forbidden – It happens that there are resources on the server that are only available to a narrow group of users, such as administrators. In such cases, the server sends a 403 code. The difference between 401 and 403 is that in the first case, access is granted to anyone who passes authentication. In the second case, it immediately denies access even to authorized users (but not all).

The question arises: how does the server determine whom to grant access and whom to deny?

The decision is based on certain headers, such as Cookies, and sender's IP address, SSL certificate, and so on.

404 Not Found – This one is straightforward. If the requested page is not on the server, it responds with a 404 code by default. However, some developers use 301/302 codes instead.

500 Internal Server Error – Internal server error. The reasons can vary; for example, the server might be overloaded, the client's request could be malicious and cause a server malfunction, and many other possibilities.