What is the difference between 401 and 403?

401 means unauthenticated — the user needs to log in. 403 means authenticated but not authorized — the server knows who they are but the answer is still no. They are not interchangeable.

When should I return 404 instead of 403?

When you want to hide the existence of a resource. Returning 403 reveals the resource exists. Returning 404 prevents enumeration of private resources.

What is the difference between 301 and 308?

301 Moved Permanently allows browsers to change POST to GET on redirect. 308 Permanent Redirect preserves the HTTP method. Use 308 for API redirects where method must be preserved.

HTTP Status Codes Cheatsheet 2026

Updated April 2026

Quick Answer HTTP status codes are 3-digit numbers in the response that indicate the result. 2xx = success (200 OK, 201 Created, 204 No Content). 3xx = redirect (301 permanent, 302 temporary, 304 not modified). 4xx = client error (400 bad request, 401 unauthorized, 403 forbidden, 404 not found, 429 rate limited). 5xx = server error (500, 502, 503, 504).

Every HTTP status code in one place — what it means, when to return it, and what headers go with it.

1xx — Informational

Code	Name	When to use
100	Continue	Server accepts request, client should continue sending body
101	Switching Protocols	Upgrading to WebSocket — send Upgrade header

2xx — Success

Code	Name	When to use
200	OK	Standard success. GET, POST responses with body
201	Created	Resource created (POST). Include Location header pointing to new resource
204	No Content	Success with no body — DELETE, PUT with no response, CORS preflight
206	Partial Content	Range request fulfilled — video streaming, resumable downloads

3xx — Redirection

Code	Name	When to use
301	Moved Permanently	Permanent redirect — HTTP to HTTPS, domain changes. Browsers and search engines update cached URL
302	Found	Temporary redirect — keep original URL. Browsers don't cache
303	See Other	Redirect after POST to prevent double-submit (POST/Redirect/GET pattern)
304	Not Modified	Cache validation — content unchanged, browser uses cached version. Sent in response to If-None-Match or If-Modified-Since
307	Temporary Redirect	Temporary redirect preserving HTTP method (POST stays POST)
308	Permanent Redirect	Like 301 but preserves HTTP method

4xx — Client Errors

Code	Name	When to use
400	Bad Request	Malformed request, invalid parameters, validation failure
401	Unauthorized	Authentication required. Send WWW-Authenticate header. Different from 403 — user is not logged in
403	Forbidden	Authenticated but not authorized. User is logged in but lacks permission
404	Not Found	Resource does not exist. Also used to hide existence of private resources
405	Method Not Allowed	HTTP method not supported for this endpoint. Send Allow header listing valid methods
409	Conflict	State conflict — duplicate resource, optimistic lock failure
410	Gone	Resource permanently deleted. Unlike 404, signals it existed before
422	Unprocessable Entity	Validation error — request well-formed but semantically invalid. Common in REST APIs
429	Too Many Requests	Rate limit exceeded. Send Retry-After and X-RateLimit-* headers

5xx — Server Errors

Code	Name	When to use
500	Internal Server Error	Unexpected server error. Log the error, return generic message to client
501	Not Implemented	HTTP method not supported by server at all
502	Bad Gateway	Upstream server returned invalid response — reverse proxy / CDN issue
503	Service Unavailable	Server temporarily unavailable — maintenance, overload. Send Retry-After
504	Gateway Timeout	Upstream server timed out — reverse proxy / CDN issue

Headers that go with specific codes

Status	Required/common headers
201 Created	Location: /api/resources/123
301/302/307/308	Location: https://new-url.com
304 Not Modified	ETag, Cache-Control, Expires
401 Unauthorized	WWW-Authenticate: Bearer realm="api"
405 Method Not Allowed	Allow: GET, POST, OPTIONS
429 Too Many Requests	Retry-After: 60, X-RateLimit-Limit: 100
503 Service Unavailable	Retry-After: 120

Common confusions

401 vs 403 — 401 means "who are you?" (not authenticated). 403 means "I know who you are, but no" (not authorized).
302 vs 307 — 302 browsers change POST to GET on redirect. 307 preserves the method. Use 307 for API redirects.
404 vs 410 — 404 is "not found". 410 is "existed, now gone permanently". Search engines stop trying 410 URLs faster.
500 vs 503 — 500 is a bug. 503 is intentional downtime. Use 503 for maintenance windows so load balancers handle it correctly.

Scan your security headers → HeadersFixer