Quiz Entry - updated: 2026.07.14
What do the most common HTTP response codes mean?
The first digit groups them: 2xx success, 3xx redirect, 4xx client error, 5xx server error.
| Code | Meaning | When you see it |
|---|---|---|
| 200 OK | Success with body | Normal page load |
| 204 No Content | Success, no body | API DELETE; "saved" with nothing to show |
| 301 Moved Permanently | Permanent redirect | HTTP→HTTPS upgrade, old URL forwarding |
| 302 Found | Temporary redirect | Login redirect, A/B test |
| 304 Not Modified | Use cached copy | Conditional If-Modified-Since |
| 400 Bad Request | Malformed request | Bad JSON, missing required parameter |
| 403 Forbidden | Authenticated but not authorized | Wrong user role |
| 404 Not Found | Resource doesn't exist | Typo'd URL, deleted page |
| 500 Internal Server Error | Server bug | Unhandled exception |
Security notes:
- 401 vs 403: 401 means "you haven't authenticated"; 403 means "you authenticated but you're not allowed." Mixing them up leaks information.
- 404 vs 403: returning 404 for "exists but forbidden" hides the existence of resources — useful for things like private GitHub repos.
- 500 should not leak stack traces to the user; they belong in logs only.
Tip: 4xx = your fault, 5xx = my fault. It's the quickest way to remember the boundary.