A glance at HTTP codes and methods

More and more lately I have to speak in HTTP status codes and I'm not fluent. So I thought a round-up of the more common codes would be good.

Firstly you need to know that each code is three digits and the first digit means something.

  • 1xx – Reserved for informational responses only
  • 2xx – A success!
  • 3xx – Redirection, the client needs to take action to complete the request based on this code
  • 4xx – A client error. May or may not be temporary depending on the reason.
  • 5xx – A server error. The request was valid but the server failed to respond correctly

The most common codes for me have been:

  • 200 – OK, the request was a success
  • 201 – Created, a success and a new resource was created
  • 204 – Success, but no content returned
  • 400 – Some part of the client request is deemed to be “bad” by the server
  • 401 – Unauthorized – the client needs to log in
  • 403 – Forbidden – the client is logged in but still isn't allowed to access the requested resource
  • 404 – Resource not found – it might be there in the future though
  • 409 – Conflict. An example would be where the client tries to edit a resource that has already been edited by another client.
  • 418 is a useful one to know – if you’re a teapot! “Any attempt to brew coffee with a teapot should result in the error code "418 I'm a teapot". The resulting entity body MAY be short and stout.” (An April fool’s joke)
  • 429 – Too many requests. Used a lot when a site applies throttling to the number of requests that are allowed in a given time period.
  • 500 – Internal server error – Something went wrong; the error message may give more detail.
  • 503 – Service unavailable. Usually temporary, for example if a service was getting unusually high load

In general if a request is successful then the response is likely to be 200 if it has content, 204 if it has none and 201 if you’re creating a resource.

To a degree responses can be open to interpretation as there isn't going to be a code for every eventuality, so you may end up using a code that sounds vaguely like what you want.

Most common HTTP Methods:

  • GET - gets a resource to be returned in the response body (200). Should never update or create anything
  • HEAD – as GET, but expects only meta-information in the response header, with no body (204).
  • POST – a create request that should create data based on information in the request. You would typically get a copy of the newly created object in the response (200)
  • PUT – an update to a resource based on the request. Can create the resource if the data doesn't already exist. You would typically get a copy of the newly updated object in the response, with a 200.
  • DELETE – deletes a resource. Can return an empty response (204)
  • PATCH – applies a partial update to a resource. This is different to a PUT because here you don’t need to supply the full resource, you can supply one or many fields of the resource to be updated.

GET, HEAD, PUT and DELETE should be idempotent (sorry, I've always wanted to use that word in context!).
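
As an added example (not code from the original post), here is a small in-memory handler that shows the order in which the codes above are usually decided: throttling, then login, then the resource checks, then the per-method success code. The `NotesApi` class, its users, fields and rate limit are all constructed for illustration.

```python
import time

class NotesApi:
    """Constructed in-memory API; users, limits and fields are illustrative."""

    def __init__(self, limit=5, window=60.0):
        self.users = {"alice", "bob"}     # callers treated as logged in
        self.notes, self.next_id = {}, 1  # id -> {"text", "owner", "version"}
        self.hits = {}                    # caller -> timestamps of recent requests
        self.limit, self.window = limit, window

    def handle(self, method, note_id=None, user=None, body=None, now=None):
        now = time.monotonic() if now is None else now
        caller = user or "anonymous"
        recent = [t for t in self.hits.get(caller, []) if now - t < self.window]
        self.hits[caller] = recent
        if len(recent) >= self.limit:
            return 429, None              # throttled before any other work is done
        recent.append(now)
        if user not in self.users:
            return 401, None              # not logged in
        body = body or {}
        if method == "POST":
            if not isinstance(body.get("text"), str):
                return 400, None          # request is "bad": no usable text field
            note_id, self.next_id = self.next_id, self.next_id + 1
            self.notes[note_id] = {"text": body["text"], "owner": user, "version": 1}
            return 201, {"id": note_id, **self.notes[note_id]}
        note = self.notes.get(note_id)
        if note is None:
            return 404, None
        if note["owner"] != user:
            return 403, None              # logged in, but not allowed this resource
        if method == "GET":
            return 200, dict(note)        # read only: never updates or creates
        if method == "DELETE":
            del self.notes[note_id]
            return 204, None              # success, nothing to return
        if method == "PUT":
            if not isinstance(body.get("text"), str):
                return 400, None
            if body.get("version", note["version"]) != note["version"]:
                return 409, None          # someone else edited it first
            if body["text"] != note["text"]:
                note["text"], note["version"] = body["text"], note["version"] + 1
            return 200, dict(note)
        return 405, None                  # method not allowed (not in the list above)
```

Repeating the same PUT or DELETE leaves the stored data unchanged even when the second response code differs (409 or 404), which is what idempotent means here. Some APIs answer 404 instead of 403 so that a caller without access cannot confirm the resource exists.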

There are more HTTP methods and more HTTP status codes. For the full list you can take a look at Wikipedia, although you may find the full list a bit too much to take in at once!

Got a comment or correction (I’m not perfect) for this post? Please leave a comment below.
