By Rahul — Google Frontend Engineer
Status Code Categories
- 1xx: Informational — request received, processing
- 2xx: Success — request received, understood, accepted
- 3xx: Redirection — further action needed
- 4xx: Client Error — bad request from the client
- 5xx: Server Error — server failed to fulfill a valid request
Must-Know Status Codes
200 OK
The request succeeded. Response body contains the result. The most common code.
201 Created
A new resource was created. Used after successful POST requests. Response should include the Location header pointing to the new resource.
204 No Content
Success, but no response body. Used for DELETE operations or updates that do not need to return data.
301 Moved Permanently
Resource has permanently moved. Browsers cache this redirect. Search engines transfer SEO value. Be careful: once a browser caches a 301, it is very hard to undo.
302 Found (Temporary Redirect)
The resource is temporarily at a different URL. Not cached by default. Use for maintenance pages or A/B testing.
304 Not Modified
Used with conditional requests (If-None-Match, If-Modified-Since). The resource has not changed. Has no response body — the browser uses its cached copy.
400 Bad Request
Server cannot process the request due to client error (malformed syntax, invalid parameters). Always include a clear error message in the response body.
401 Unauthorized
Authentication required. The client is not authenticated. Should include a WWW-Authenticate header. The name is misleading — it means "unauthenticated", not "unauthorized".
403 Forbidden
Client is authenticated but does not have permission. Unlike 401, re-authenticating will not help. This is the actual "unauthorized" status.
404 Not Found
Resource does not exist. Can also be used to hide the existence of a resource from unauthorized users (instead of 403).
429 Too Many Requests
The client has sent too many requests in a given time (rate limiting). Include a Retry-After header telling the client when to try again.
500 Internal Server Error
Generic server error. Never expose stack traces or internal details in production — log them server-side.
502 Bad Gateway
The server acting as a gateway received an invalid response from the upstream server. Common when your application server crashes but the load balancer is still running.
503 Service Unavailable
Server is temporarily unable to handle requests (overloaded or under maintenance). Include Retry-After header.
Production Tips
- Use 201 for POST creation, not 200
- Use 204 for successful DELETE, not 200 with empty body
- Return proper error bodies with 4xx codes — do not just return the status
- Log 5xx errors with full context (request ID, user ID, stack trace)
- Set up alerts for spikes in 5xx errors
- Use 429 with rate limiting to protect your API
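The 401/403/404, 429 and 500 guidance above, combined in one request handler. This is an added example, not code from the original article; the handler, the token and document values, and the limit of 3 requests per 60 seconds are all constructed for illustration.

```python
import json, logging, math, time, uuid

log = logging.getLogger("api")

# Constructed sample data: bearer token -> user, and a tiny document store.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
DOCS = {"1": {"owner": "alice", "private": True, "body": "q3 plan"},
        "2": {"owner": "alice", "private": False, "body": "handbook"}}
LIMIT, WINDOW = 3, 60   # assumed policy: 3 requests per 60 s per client
HITS = {}               # client id -> timestamps of requests in the window


def error(status, message, headers=None, request_id=None):
    """4xx/5xx responses always carry a JSON body explaining the failure."""
    body = {"error": message}
    if request_id:
        body["request_id"] = request_id
    return status, headers or {}, json.dumps(body)


def handle(method, doc_id, token=None, client="anon", now=None, store=DOCS):
    """Return (status, headers, body) for GET or DELETE on one document."""
    now = time.time() if now is None else now
    request_id = str(uuid.uuid4())
    try:
        recent = [t for t in HITS.get(client, []) if now - t < WINDOW]
        if len(recent) >= LIMIT:
            wait = math.ceil(recent[0] + WINDOW - now)
            return error(429, "rate limit exceeded", {"Retry-After": str(wait)})
        HITS[client] = recent + [now]
        user = TOKENS.get(token)
        if user is None:  # not authenticated: 401 plus a challenge
            return error(401, "authentication required",
                         {"WWW-Authenticate": 'Bearer realm="api"'})
        doc = store.get(doc_id)
        if doc is None or (doc["private"] and doc["owner"] != user):
            return error(404, "document not found")  # hides private documents
        if method == "DELETE":
            if doc["owner"] != user:  # authenticated but not permitted
                return error(403, "only the owner may delete this document")
            del store[doc_id]
            return 204, {}, ""
        return 200, {}, json.dumps({"id": doc_id, "body": doc["body"]})
    except Exception:
        # Stack trace and context stay in the server log; the client gets
        # a generic message and an ID that support can match to the log.
        log.exception("unhandled error request_id=%s client=%s", request_id, client)
        return error(500, "internal server error", request_id=request_id)
```

A private document returns the same 404 body as a missing one, so the response does not reveal which case applied.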
Summary
Status codes communicate the result of a request. Use the right code — 201 for creation, 204 for no content, 401 for unauthenticated, 403 for unauthorized, 429 for rate limiting. Proper status codes make APIs predictable and debuggable.