KomuraSoft LLC
Chapter 3

HTTP status codes — Reading the result in three digits

Classify status codes into five classes by the hundreds digit before reading the last two digits. Distinguish success 200/201/204, redirects 301/302/308, client-side 401/403/404, and server-side 500/502/503.

Never freeze again at "what's the difference between 404 and 403?"

A screenshot of an error page arrives with "can you fix this?". Whether it is 404 or 403 or 503 completely changes the cause and the fix, yet by facial expression alone the numbers all look the same — status codes are a field where trying to memorize dozens of them ends in defeat.

No memorization is needed. The right way to live with status codes is to classify by the hundreds digit into five classes, then read only the few last-two-digit codes you actually meet. For the second item of the three-part set, "how did it go", the hundreds digit answers first.

1xx — Still processing
Interim progress notes. Rarely seen in day-to-day development
2xx — Succeeded
The favor was accepted and processed
3xx — Please go elsewhere
The answer lives at another URL. The destination is written in the Location header
4xx — There is a problem with how you asked
A client-side problem. Nonexistent path, missing authentication, insufficient permission, and so on
5xx — We fumbled the processing
A server-side failure. It happens even when the request is correct

Your first investigative move is decided by this classification. On 4xx, first suspect the request side (URL, authentication, what you sent); on 5xx, suspect the server side (application logs, downstream services). Just not getting this direction backwards finishes half of any root-cause investigation.

Chart classifying HTTP status codes by the hundreds digit into the five classes 1xx through 5xx, with the meaning and representative codes of each

Classify into five by the hundreds digit, then within each class read apart only 'the few you often meet' — this is the map of status codes. The representative codes at the arrow tips are everything this chapter covers.

2xx — even success has distinctions

Success is not just 200. Here are the three you meet often.

200 OK
The general-purpose form of success. Returns the requested thing (HTML, JSON, and so on) in the body
201 Created
Succeeded, and a new resource was created. The staple for successful creation via POST, often attaching the created thing's URL in a Location header
204 No Content
Succeeded, but there is no body to return. A perfect fit for reporting successful deletions and updates

When you become the one building an API, whether you can use these three properly changes how readable your replies are. Conveying not just "it succeeded" but "it succeeded, and here is what happened" in three digits — that is mastery of 2xx.

Practice 3-1 — Classify by the hundreds digit

First classify by the hundreds digit, then read apart the last two digits within the success class.

Q1. Which is the correct reading of the hundreds digit of a status code?

Q2. When POST /orders succeeds in creating a new order, which status code conveys the meaning most precisely?

Q3. DELETE /orders/7 succeeded, and the server has no particular body to return. Which status code is natural here?

3xx — the flavors of "please go elsewhere"

A 3xx response is a notice saying "the answer is not here — please go to the URL written in the Location header". On receiving it, the browser automatically re-requests the destination. The three you meet often differ along two axes.

301 Moved Permanently — permanent
"It is over there from now on." Browsers may cache the redirect, and search engines re-register the new URL as canonical (SEO evaluation carries over). For moves such as http to https
302 Found — temporary
"It is over there just for now." Neither cached nor re-registered. For temporary detours such as during maintenance
308 Permanent Redirect — permanent + method-preserving
Permanent like 301, but guarantees a POST is forwarded as a POST. (Temporary + method-preserving is 307)

The second axis, "method preservation", is a product of history. For compatibility with old implementations, 301/302 tolerate a POST being rewritten into a GET when redirecting. For a moved HTML page there is little real harm, but if an API's POST turns into a GET, the favor itself changes. Hence 307/308, which state explicitly that they 'do not change the method', were added later. Permanent or temporary × method-preserving or not — those two axes organize all four codes.

4xx and 5xx — naming whose problem it is

Within 4xx, telling apart three lookalike siblings matters most.

401 Unauthorized
"Not yet authenticated. Please identify yourself." Despite its name it means unauthenticated. Logging in or attaching credentials may get you through
403 Forbidden
"I know who you are, but you lack permission." Even correctly logged in, that operation is not allowed
404 Not Found
"No resource found at that path." A mistyped URL, already deleted, not yet published, and so on

Within 5xx, telling these three apart changes your first move in incident response.

500 Internal Server Error
An unexpected error inside the application. The first place to look is the application logs
502 Bad Gateway
The relay in front (a reverse proxy, for example) could not get a healthy response from the server behind it. Suspect what sits behind the relay
503 Service Unavailable
Temporarily unable to respond due to overload or maintenance. A statement of "not right now", not "broken"

Reading 502 well is powerful because most modern web servers are a two-stage setup: "relay (nginx and the like) + application behind it". A 502 even tells you that the relay is alive and the thing behind it is down. One number narrows the place to investigate by a whole stage.

Practice 3-2 — Telling apart redirects and errors

The distinctions within 3xx, and within 4xx and 5xx. Your first investigative move in practice changes.

Q4. You permanently moved a site from http://example.com to https://example.com. Which is the correct reason to choose 301?

Q5. Which is the correct reason 308 Permanent Redirect exists separately from 301?

Q6. A logged-in regular user accessed the admin panel https://example.com/admin and was denied. Which code most precisely expresses 'the page is not missing; authentication succeeded but permissions are insufficient'?

What to take from this chapter

  • Status codes come in five classes by the hundreds digit — interim / success / redirect / client-side problem / server-side failure. Your first investigative move is decided here
  • The success distinctions: 200 general purpose / 201 created / 204 succeeded with no body
  • Redirects run on two axes: permanent or temporary × method-preserving or not — 301, 302, 308 (and 307). Permanent ones get cached and carry SEO evaluation over
  • Tell apart 401 unauthenticated / 403 insufficient permission / 404 nonexistent, and 500 inside the app / 502 the thing behind is down / 503 temporarily unable

Now that you can read the results, the next chapter takes on the third item of the three-part set — the "conditions and notes" attached to the correspondence: headers.