{"id":7287,"date":"2026-05-30T13:30:40","date_gmt":"2026-05-30T13:30:40","guid":{"rendered":"https:\/\/dcmblogmulti.wpengine.com\/?p=7287"},"modified":"2026-05-31T20:27:25","modified_gmt":"2026-05-31T20:27:25","slug":"the-10-most-common-http-status-codes","status":"publish","type":"post","link":"https:\/\/www.dotcom-monitor.com\/blog\/the-10-most-common-http-status-codes\/","title":{"rendered":"The Most Common HTTP Status Codes (And What to Do About Each)"},"content":{"rendered":"<figure id=\"attachment_33970\" aria-describedby=\"caption-attachment-33970\" style=\"width: 1536px\" class=\"wp-caption alignnone\"><img fetchpriority=\"high\" decoding=\"async\" class=\"size-full wp-image-33970\" src=\"https:\/\/www.dotcom-monitor.com\/blog\/wp-content\/uploads\/sites\/3\/2024\/12\/hero-http-status-codes.webp\" alt=\"Visual reference of the most common HTTP status codes grouped by category\u20142xx success, 3xx redirection, 4xx client error, 5xx server error\" width=\"1536\" height=\"1024\" srcset=\"https:\/\/www.dotcom-monitor.com\/blog\/wp-content\/uploads\/sites\/3\/2024\/12\/hero-http-status-codes.webp 1536w, https:\/\/www.dotcom-monitor.com\/blog\/wp-content\/uploads\/sites\/3\/2024\/12\/hero-http-status-codes-300x200.webp 300w, https:\/\/www.dotcom-monitor.com\/blog\/wp-content\/uploads\/sites\/3\/2024\/12\/hero-http-status-codes-1024x683.webp 1024w, https:\/\/www.dotcom-monitor.com\/blog\/wp-content\/uploads\/sites\/3\/2024\/12\/hero-http-status-codes-768x512.webp 768w\" sizes=\"(max-width: 1536px) 100vw, 1536px\" \/><figcaption id=\"caption-attachment-33970\" class=\"wp-caption-text\">The five HTTP status code categories and the codes you&#8217;ll actually see in production.<\/figcaption><\/figure>\n<p>Your pager fires at 2 a.m. The alert payload has a status code in it. What you do next depends almost entirely on which code you see.<\/p>\n<p>That&#8217;s the part most HTTP status code guides skip. They list definitions, sort the codes into five buckets, and stop. Useful as a glossary, less useful when a real endpoint is throwing 502s and an exec is asking why checkout is broken.<\/p>\n<p>This guide covers the same ten codes you&#8217;ll see most often, plus a few honorable mentions. For each one: what it means, what usually triggers it in production, and what to check first. The goal is to shorten the time between &#8220;I see the code&#8221; and &#8220;I know what to fix.&#8221;<\/p>\n<h2 id='what-is-an-http-status-code'  id=\"boomdevs_1\">What Is an HTTP Status Code?<\/h2>\n<p>An HTTP status code is a three-digit number the server sends back with every response. It tells the client whether the request succeeded, failed, or needs to be redirected. You see them everywhere: in your browser&#8217;s DevTools Network tab, in load balancer logs, in monitoring alerts, in CDN dashboards. This guide focuses on the ones that actually wake people up.<\/p>\n<h2 id='the-five-categories-of-http-status-codes'  id=\"boomdevs_2\">The Five Categories of HTTP Status Codes<\/h2>\n<p>The first digit of the code tells you the response class:<\/p>\n<ul>\n<li><strong>1xx Informational.<\/strong> Rare in day-to-day work. Mostly used for protocol negotiation (100 Continue, 101 Switching Protocols for WebSocket upgrades).<\/li>\n<li><strong>2xx Success.<\/strong> The request worked. 200 is the default; 201 means a resource was created; 204 means success with no body.<\/li>\n<li><strong>3xx Redirection.<\/strong> The resource lives somewhere else. Browsers and crawlers follow these automatically up to a limit.<\/li>\n<li><strong>4xx Client Error.<\/strong> The request was wrong. Bad URL, missing auth, blocked permissions, malformed payload.<\/li>\n<li><strong>5xx Server Error.<\/strong> The request was fine. The server failed to fulfill it.<\/li>\n<\/ul>\n<p>The split between 4xx and 5xx is the part that matters most for triage. A 4xx says &#8220;the caller did something wrong.&#8221; A 5xx says &#8220;we did something wrong.&#8221; The first goes to whoever called the endpoint. The second goes to you.<\/p>\n<p>For a full enumeration, the <a href=\"https:\/\/www.dotcom-monitor.com\/wiki\/knowledge-base\/http-status-codes-list\/\">complete HTTP status code reference<\/a> in the Dotcom-Monitor wiki lists every code defined in the spec. The rest of this guide focuses on the ones that actually show up in alerts.<\/p>\n<h2 id='the-ten-most-common-http-status-codes'  id=\"boomdevs_3\">The Ten Most Common HTTP Status Codes<\/h2>\n<h3 id='200-ok'  id=\"boomdevs_4\">200 OK<\/h3>\n<p>The server processed the request and returned the expected response. This is the code you want to see on the vast majority of requests to a healthy production site.<\/p>\n<p><strong>Watch out for:<\/strong> a 200 OK is not proof that the page is correct. JavaScript can fail silently and render a blank page. An API can return 200 with an error body. A login form can show &#8220;invalid credentials&#8221; inside a 200 response. Status-code-only checks miss these. Pair them with real-browser checks (more on this below).<\/p>\n<h3 id='301-moved-permanently'  id=\"boomdevs_5\">301 Moved Permanently<\/h3>\n<p>The resource has a new permanent URL. Browsers cache the redirect aggressively. Search engines transfer most link equity to the target.<\/p>\n<p><strong>Use it for:<\/strong> URL changes after a site migration, swapping HTTP to HTTPS, consolidating duplicate paths, retiring old slugs. Once a 301 is live and cached, rolling it back is painful\u2014browsers and crawlers will keep going to the new location for weeks.<\/p>\n<h3 id='302-found-temporary-redirect'  id=\"boomdevs_6\">302 Found (Temporary Redirect)<\/h3>\n<p>The resource is temporarily somewhere else. Browsers do not cache the redirect, and search engines do not pass full link equity.<\/p>\n<p><strong>Watch out for:<\/strong> 302 is overused. Teams reach for it because the framework default redirect helper returns 302. If the move is permanent, use 301. If you need to preserve the HTTP method (POST stays POST), use 307 or 308 instead. Google will eventually treat persistent 302s as 301s, but &#8220;eventually&#8221; isn&#8217;t a strategy.<\/p>\n<h3 id='400-bad-request'  id=\"boomdevs_7\">400 Bad Request<\/h3>\n<p>The server can&#8217;t parse the request. Malformed JSON, invalid headers, oversized payloads, schema violations.<\/p>\n<p><strong>Check first:<\/strong> the request body. A spike in 400s on an API endpoint usually means a client started sending the wrong shape\u2014a deploy on the consumer side, a schema change on yours, or a third-party integration that updated their format. Diff the request payload against your last known good version.<\/p>\n<h3 id='401-unauthorized'  id=\"boomdevs_8\">401 Unauthorized<\/h3>\n<p>The request has no credentials, or credentials that were rejected. The name is misleading\u2014the issue is authentication, not authorization.<\/p>\n<p><strong>Check first:<\/strong> tokens. A sudden 401 spike on previously working endpoints often means a token expired, a signing key rotated, an OIDC provider had an outage, or someone changed the audience claim. If your <a href=\"https:\/\/www.dotcom-monitor.com\/blog\/api-availability-monitoring\/\">API availability monitoring<\/a> shows 401s where 200s used to live, the auth layer is usually the culprit.<\/p>\n<h3 id='403-forbidden'  id=\"boomdevs_9\">403 Forbidden<\/h3>\n<p>The credentials are valid, but the caller is not allowed to access this resource. The issue is authorization, not authentication.<\/p>\n<p><strong>Check first:<\/strong> permissions and infrastructure rules. 403s show up when an IAM policy changes, a WAF rule starts blocking legitimate traffic, a CDN access policy gets too aggressive, or a feature flag flips for the wrong user segment. If 403s started right after a deploy, look at policy and config diffs before app code.<\/p>\n<h3 id='404-not-found'  id=\"boomdevs_10\">404 Not Found<\/h3>\n<p>The server understood the request but has no resource at that URL. The most famous status code in existence.<\/p>\n<p><strong>Two scenarios to separate:<\/strong><\/p>\n<ul>\n<li><strong>One-off 404s<\/strong> from typos, old bookmarks, or crawlers probing for vulnerabilities. These are background noise.<\/li>\n<li><strong>A burst of 404s on canonical URLs<\/strong> right after a deploy. That&#8217;s a broken release\u2014routes got dropped, a build artifact is missing, or someone shipped a slug change without redirects. Roll back or push a hotfix.<\/li>\n<\/ul>\n<p>Persistent 404s on indexed pages will eventually get de-indexed by Google, so canonical pages throwing 404 also have an SEO cost.<\/p>\n<h4 id='fixing-it'  id=\"boomdevs_11\">Fixing It<\/h4>\n<p><strong>Quick path:<\/strong> if the page moved, add a 301 redirect from the old URL to the new one so users and crawlers land in the right place. If the page is truly gone, return a real 404 or 410 rather than a vague homepage redirect.<\/p>\n<p><strong>Real fix:<\/strong> audit the source of the 404s. Broken internal links get fixed at the source; missing routes after a deploy get a hotfix; a bad migration that dropped slugs needs a redirect map. Crawl your own site periodically so you find dead links before Google does.<\/p>\n<h3 id='500-internal-server-error'  id=\"boomdevs_12\">500 Internal Server Error<\/h3>\n<p>The server hit an unhandled exception. The catch-all 5xx. It tells you something broke but not what.<\/p>\n<p><strong>Check first:<\/strong> application logs. Every 500 has a stack trace somewhere\u2014if it doesn&#8217;t, your logging needs work before your code does. Common triggers: an uncaught exception in a recently deployed code path, a downstream dependency returning an unexpected shape, a database connection pool exhausted, an out-of-memory restart loop. A sustained 500 spike on a production endpoint should page on-call.<\/p>\n<h4 id='fixing-it-1'  id=\"boomdevs_13\">Fixing It<\/h4>\n<p><strong>Quick path:<\/strong> if the spike started right after a release, roll back. A 500 that appears within minutes of a deploy is the deploy until proven otherwise.<\/p>\n<p><strong>Real fix:<\/strong> read the stack trace and patch the failing code path, then add a regression test so it doesn&#8217;t come back. If the trigger was a resource ceiling\u2014connection pool, memory, file handles\u2014raise the limit and add an alert before you hit it next time.<\/p>\n<h3 id='502-bad-gateway'  id=\"boomdevs_14\">502 Bad Gateway<\/h3>\n<p>A proxy, load balancer, or CDN got an invalid response from the upstream server. The proxy itself is healthy. The thing behind it is not.<\/p>\n<p><strong>Check first:<\/strong> upstream health. Common triggers: an app container crashed and the load balancer is still routing to it, the upstream is timing out before responding, a Kubernetes pod is in CrashLoopBackOff, an Nginx worker is misconfigured, or the connection between proxy and upstream got reset. 502 is one of the highest-signal codes for layered architectures\u2014it tells you the edge is fine and the problem is one hop in.<\/p>\n<h4 id='fixing-it-2'  id=\"boomdevs_15\">Fixing It<\/h4>\n<p><strong>Quick path:<\/strong> restart or replace the unhealthy upstream instance and confirm the load balancer&#8217;s health checks are actually removing dead nodes from rotation.<\/p>\n<p><strong>Real fix:<\/strong> find why the upstream returned garbage. Check whether the proxy&#8217;s timeout is shorter than the upstream&#8217;s real response time, whether the pod is crash-looping on startup, and whether keep-alive settings match on both sides of the connection.<\/p>\n<h3 id='503-service-unavailable'  id=\"boomdevs_16\">503 Service Unavailable<\/h3>\n<p>The server is temporarily unable to handle the request. Capacity exhausted, maintenance mode, autoscaler still spinning up.<\/p>\n<p><strong>Check first:<\/strong> resource saturation and rate limits. 503s during a traffic spike usually mean the autoscaler can&#8217;t keep up or you&#8217;ve hit a connection limit. 503s in a steady state usually mean a process is in maintenance mode or a queue is backed up. Some platforms also return 503 when an upstream WAF or anti-bot system rate-limits a caller\u2014worth checking before assuming the app is the problem.<\/p>\n<h4 id='fixing-it-3'  id=\"boomdevs_17\">Fixing It<\/h4>\n<p><strong>Quick path:<\/strong> return the 503 with a <code>Retry-After<\/code> header so well-behaved clients and crawlers back off instead of hammering a struggling server. In PHP:<\/p>\n<pre><code>http_response_code(503);\r\nheader('Retry-After: 60');<\/code><\/pre>\n<p><strong>Real fix:<\/strong> find the saturated resource\u2014database connections, worker pool, autoscaler ceiling\u2014and remove the bottleneck. If the 503 came from a CDN or WAF rate limit, raise the limit or allowlist the legitimate caller.<\/p>\n<h2 id='other-codes-worth-knowing'  id=\"boomdevs_18\">Other Codes Worth Knowing<\/h2>\n<p>The ten above cover most production traffic. But a handful of others show up often enough in real incidents that on-call engineers should know them on sight.<\/p>\n<ul>\n<li><strong>304 Not Modified.<\/strong> Sent when a cached resource is still fresh. Common in CDN-fronted traffic. A drop in 304s can mean your cache-control headers changed and you&#8217;re paying for origin bandwidth you used to save.<\/li>\n<li><strong>307 Temporary Redirect.<\/strong> Like 302, but preserves the HTTP method. A POST stays a POST. Use 307 instead of 302 when redirecting form submissions or non-idempotent API calls.<\/li>\n<li><strong>308 Permanent Redirect.<\/strong> Like 301, but preserves the HTTP method. The modern choice when permanently redirecting API endpoints that handle POST, PUT, PATCH, or DELETE.<\/li>\n<li><strong>429 Too Many Requests.<\/strong> Rate limit hit. You&#8217;re either being throttled by an upstream API or you&#8217;re throttling someone yourself. Check <code>Retry-After<\/code> headers; respect them.<\/li>\n<li><strong>504 Gateway Timeout.<\/strong> A proxy gave up waiting for the upstream. Different from 502 in that the upstream didn&#8217;t return a bad response\u2014it returned no response in time. Usually a long-running query, a frozen worker, or a downstream API that&#8217;s slow.<\/li>\n<\/ul>\n<h3 id='301-vs-302-vs-307-vs-308'  id=\"boomdevs_19\">301 vs 302 vs 307 vs 308<\/h3>\n<p>The four redirect codes get mixed up constantly. The difference comes down to two things: whether the move is permanent, and whether the HTTP method survives the redirect.<\/p>\n<div class=\"table-wrap\">\n<table class=\"compare\">\n<thead>\n<tr>\n<th>Behavior<\/th>\n<th>301<\/th>\n<th>302<\/th>\n<th>307<\/th>\n<th>308<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Permanence<\/td>\n<td>Permanent<\/td>\n<td>Temporary<\/td>\n<td>Temporary<\/td>\n<td>Permanent<\/td>\n<\/tr>\n<tr>\n<td>Method preserved<\/td>\n<td>Not guaranteed<\/td>\n<td>Not guaranteed<\/td>\n<td>Yes<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>Cached by browsers<\/td>\n<td>Aggressively<\/td>\n<td>No<\/td>\n<td>No<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>Link equity passed<\/td>\n<td>Most<\/td>\n<td>Limited<\/td>\n<td>Limited<\/td>\n<td>Most<\/td>\n<\/tr>\n<tr>\n<td>Use when<\/td>\n<td>Permanent URL move<\/td>\n<td>Short-lived change<\/td>\n<td>Form or POST redirect<\/td>\n<td>API endpoint moved for good<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>For a plain page that moved for good, use 301. When the redirect has to keep a POST as a POST\u2014a form submission or a non-idempotent API call\u2014reach for 307 if the move is temporary or 308 if it&#8217;s permanent.<\/p>\n<h2 id='the-complete-http-status-code-reference'  id=\"boomdevs_20\">The Complete HTTP Status Code Reference<\/h2>\n<p>The codes above cover almost everything that fires a real alert. For the unusual ones\u2014the codes that show up once a quarter and make you stop and look something up\u2014here is the full standard list, plus the non-standard codes you&#8217;ll see from common infrastructure vendors.<\/p>\n<h3 id='1xx-informational'  id=\"boomdevs_21\">1xx Informational<\/h3>\n<p>The server has received the request and is continuing to process it. You&#8217;ll rarely see these in application logs because most clients and proxies handle them transparently.<\/p>\n<div class=\"table-wrap\">\n<table>\n<thead>\n<tr>\n<th>Code<\/th>\n<th>Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>100<\/td>\n<td>Continue<\/td>\n<\/tr>\n<tr>\n<td>101<\/td>\n<td>Switching Protocols<\/td>\n<\/tr>\n<tr>\n<td>102<\/td>\n<td>Processing<\/td>\n<\/tr>\n<tr>\n<td>103<\/td>\n<td>Early Hints<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<h3 id='2xx-success'  id=\"boomdevs_22\">2xx Success<\/h3>\n<p>The request was received, understood, and accepted. 200 is the workhorse; the rest matter when you&#8217;re building APIs or working with partial content, WebDAV, or batch operations.<\/p>\n<div class=\"table-wrap\">\n<table>\n<thead>\n<tr>\n<th>Code<\/th>\n<th>Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>200<\/td>\n<td>OK<\/td>\n<\/tr>\n<tr>\n<td>201<\/td>\n<td>Created<\/td>\n<\/tr>\n<tr>\n<td>202<\/td>\n<td>Accepted<\/td>\n<\/tr>\n<tr>\n<td>203<\/td>\n<td>Non-Authoritative Information<\/td>\n<\/tr>\n<tr>\n<td>204<\/td>\n<td>No Content<\/td>\n<\/tr>\n<tr>\n<td>205<\/td>\n<td>Reset Content<\/td>\n<\/tr>\n<tr>\n<td>206<\/td>\n<td>Partial Content<\/td>\n<\/tr>\n<tr>\n<td>207<\/td>\n<td>Multi-Status<\/td>\n<\/tr>\n<tr>\n<td>208<\/td>\n<td>Already Reported<\/td>\n<\/tr>\n<tr>\n<td>226<\/td>\n<td>IM Used<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<h3 id='3xx-redirection'  id=\"boomdevs_23\">3xx Redirection<\/h3>\n<p>The resource lives somewhere else, or the cached copy is still good. 301 and 302 dominate; the rest matter for APIs (307\/308 preserve the HTTP method) and caching pipelines (304 saves origin bandwidth).<\/p>\n<div class=\"table-wrap\">\n<table>\n<thead>\n<tr>\n<th>Code<\/th>\n<th>Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>300<\/td>\n<td>Multiple Choices<\/td>\n<\/tr>\n<tr>\n<td>301<\/td>\n<td>Moved Permanently<\/td>\n<\/tr>\n<tr>\n<td>302<\/td>\n<td>Found<\/td>\n<\/tr>\n<tr>\n<td>303<\/td>\n<td>See Other<\/td>\n<\/tr>\n<tr>\n<td>304<\/td>\n<td>Not Modified<\/td>\n<\/tr>\n<tr>\n<td>305<\/td>\n<td>Use Proxy (deprecated)<\/td>\n<\/tr>\n<tr>\n<td>306<\/td>\n<td>Switch Proxy (unused)<\/td>\n<\/tr>\n<tr>\n<td>307<\/td>\n<td>Temporary Redirect<\/td>\n<\/tr>\n<tr>\n<td>308<\/td>\n<td>Permanent Redirect<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<h3 id='4xx-client-errors'  id=\"boomdevs_24\">4xx Client Errors<\/h3>\n<p>The request was wrong. Most of these you&#8217;ll never see; the half-dozen common ones show up daily. Worth knowing the rare ones exist so you don&#8217;t waste time guessing when a 418 or 451 lands in a log.<\/p>\n<div class=\"table-wrap\">\n<table>\n<thead>\n<tr>\n<th>Code<\/th>\n<th>Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>400<\/td>\n<td>Bad Request<\/td>\n<\/tr>\n<tr>\n<td>401<\/td>\n<td>Unauthorized<\/td>\n<\/tr>\n<tr>\n<td>402<\/td>\n<td>Payment Required<\/td>\n<\/tr>\n<tr>\n<td>403<\/td>\n<td>Forbidden<\/td>\n<\/tr>\n<tr>\n<td>404<\/td>\n<td>Not Found<\/td>\n<\/tr>\n<tr>\n<td>405<\/td>\n<td>Method Not Allowed<\/td>\n<\/tr>\n<tr>\n<td>406<\/td>\n<td>Not Acceptable<\/td>\n<\/tr>\n<tr>\n<td>407<\/td>\n<td>Proxy Authentication Required<\/td>\n<\/tr>\n<tr>\n<td>408<\/td>\n<td>Request Timeout<\/td>\n<\/tr>\n<tr>\n<td>409<\/td>\n<td>Conflict<\/td>\n<\/tr>\n<tr>\n<td>410<\/td>\n<td>Gone<\/td>\n<\/tr>\n<tr>\n<td>411<\/td>\n<td>Length Required<\/td>\n<\/tr>\n<tr>\n<td>412<\/td>\n<td>Precondition Failed<\/td>\n<\/tr>\n<tr>\n<td>413<\/td>\n<td>Payload Too Large<\/td>\n<\/tr>\n<tr>\n<td>414<\/td>\n<td>URI Too Long<\/td>\n<\/tr>\n<tr>\n<td>415<\/td>\n<td>Unsupported Media Type<\/td>\n<\/tr>\n<tr>\n<td>416<\/td>\n<td>Range Not Satisfiable<\/td>\n<\/tr>\n<tr>\n<td>417<\/td>\n<td>Expectation Failed<\/td>\n<\/tr>\n<tr>\n<td>418<\/td>\n<td>I&#8217;m a teapot<\/td>\n<\/tr>\n<tr>\n<td>421<\/td>\n<td>Misdirected Request<\/td>\n<\/tr>\n<tr>\n<td>422<\/td>\n<td>Unprocessable Content<\/td>\n<\/tr>\n<tr>\n<td>423<\/td>\n<td>Locked<\/td>\n<\/tr>\n<tr>\n<td>424<\/td>\n<td>Failed Dependency<\/td>\n<\/tr>\n<tr>\n<td>425<\/td>\n<td>Too Early<\/td>\n<\/tr>\n<tr>\n<td>426<\/td>\n<td>Upgrade Required<\/td>\n<\/tr>\n<tr>\n<td>428<\/td>\n<td>Precondition Required<\/td>\n<\/tr>\n<tr>\n<td>429<\/td>\n<td>Too Many Requests<\/td>\n<\/tr>\n<tr>\n<td>431<\/td>\n<td>Request Header Fields Too Large<\/td>\n<\/tr>\n<tr>\n<td>451<\/td>\n<td>Unavailable For Legal Reasons<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<h3 id='5xx-server-errors'  id=\"boomdevs_25\">5xx Server Errors<\/h3>\n<p>The request was fine. Something on the server side failed. These are the codes most likely to wake somebody up.<\/p>\n<div class=\"table-wrap\">\n<table>\n<thead>\n<tr>\n<th>Code<\/th>\n<th>Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>500<\/td>\n<td>Internal Server Error<\/td>\n<\/tr>\n<tr>\n<td>501<\/td>\n<td>Not Implemented<\/td>\n<\/tr>\n<tr>\n<td>502<\/td>\n<td>Bad Gateway<\/td>\n<\/tr>\n<tr>\n<td>503<\/td>\n<td>Service Unavailable<\/td>\n<\/tr>\n<tr>\n<td>504<\/td>\n<td>Gateway Timeout<\/td>\n<\/tr>\n<tr>\n<td>505<\/td>\n<td>HTTP Version Not Supported<\/td>\n<\/tr>\n<tr>\n<td>506<\/td>\n<td>Variant Also Negotiates<\/td>\n<\/tr>\n<tr>\n<td>507<\/td>\n<td>Insufficient Storage<\/td>\n<\/tr>\n<tr>\n<td>508<\/td>\n<td>Loop Detected<\/td>\n<\/tr>\n<tr>\n<td>510<\/td>\n<td>Not Extended<\/td>\n<\/tr>\n<tr>\n<td>511<\/td>\n<td>Network Authentication Required<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<h3 id='non-standard-and-vendor-codes'  id=\"boomdevs_26\">Non-Standard and Vendor Codes<\/h3>\n<p>Cloudflare, Nginx, Microsoft, and Akamai all return codes outside the official spec when their infrastructure layer fails. These are the ones to recognize on sight because they tell you the failure is in the edge, not your origin.<\/p>\n<div class=\"table-wrap\">\n<table>\n<thead>\n<tr>\n<th>Code<\/th>\n<th>Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>419<\/td>\n<td>Authentication Timeout<\/td>\n<\/tr>\n<tr>\n<td>420<\/td>\n<td>Enhance Your Calm \/ Method Failure<\/td>\n<\/tr>\n<tr>\n<td>440<\/td>\n<td>Login Timeout (Microsoft)<\/td>\n<\/tr>\n<tr>\n<td>444<\/td>\n<td>No Response (Nginx)<\/td>\n<\/tr>\n<tr>\n<td>449<\/td>\n<td>Retry With (Microsoft)<\/td>\n<\/tr>\n<tr>\n<td>450<\/td>\n<td>Blocked by Windows Parental Controls<\/td>\n<\/tr>\n<tr>\n<td>460<\/td>\n<td>Client Closed Connection<\/td>\n<\/tr>\n<tr>\n<td>494<\/td>\n<td>Request Header Too Large (Nginx)<\/td>\n<\/tr>\n<tr>\n<td>495<\/td>\n<td>SSL Certificate Error (Nginx)<\/td>\n<\/tr>\n<tr>\n<td>496<\/td>\n<td>SSL Certificate Required (Nginx)<\/td>\n<\/tr>\n<tr>\n<td>497<\/td>\n<td>HTTP Request Sent to HTTPS Port<\/td>\n<\/tr>\n<tr>\n<td>498<\/td>\n<td>Invalid Token<\/td>\n<\/tr>\n<tr>\n<td>499<\/td>\n<td>Client Closed Request (Nginx)<\/td>\n<\/tr>\n<tr>\n<td>509<\/td>\n<td>Bandwidth Limit Exceeded<\/td>\n<\/tr>\n<tr>\n<td>520<\/td>\n<td>Unknown Error (Cloudflare)<\/td>\n<\/tr>\n<tr>\n<td>521<\/td>\n<td>Web Server Is Down (Cloudflare)<\/td>\n<\/tr>\n<tr>\n<td>522<\/td>\n<td>Connection Timed Out (Cloudflare)<\/td>\n<\/tr>\n<tr>\n<td>523<\/td>\n<td>Origin Is Unreachable (Cloudflare)<\/td>\n<\/tr>\n<tr>\n<td>524<\/td>\n<td>A Timeout Occurred (Cloudflare)<\/td>\n<\/tr>\n<tr>\n<td>525<\/td>\n<td>SSL Handshake Failed (Cloudflare)<\/td>\n<\/tr>\n<tr>\n<td>526<\/td>\n<td>Invalid SSL Certificate (Cloudflare)<\/td>\n<\/tr>\n<tr>\n<td>527<\/td>\n<td>Railgun Error (Cloudflare)<\/td>\n<\/tr>\n<tr>\n<td>529<\/td>\n<td>Site Overloaded<\/td>\n<\/tr>\n<tr>\n<td>530<\/td>\n<td>Site Frozen \/ Origin DNS Error<\/td>\n<\/tr>\n<tr>\n<td>561<\/td>\n<td>Unauthorized (Akamai)<\/td>\n<\/tr>\n<tr>\n<td>598<\/td>\n<td>Network Read Timeout<\/td>\n<\/tr>\n<tr>\n<td>599<\/td>\n<td>Network Connect Timeout<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>Code ranges not listed above (104-199, 209-225, 227-299, 309-399, 432-450, 452-499, 512-599) are either unassigned, deprecated, or reserved for vendor use. Treat any code in those ranges as vendor-specific and check your infrastructure&#8217;s documentation.<\/p>\n<h3 id='the-codes-your-monitoring-should-actually-alert-on'  id=\"boomdevs_27\">The Codes Your Monitoring Should Actually Alert On<\/h3>\n<p>Out of the 60+ codes above, the ones that earn alert thresholds in most production setups are a much shorter list:<\/p>\n<ul>\n<li><strong>200<\/strong>\u2014as a baseline ratio. A sudden drop means something else is going wrong.<\/li>\n<li><strong>301, 302, 307, 308<\/strong>\u2014redirect counts. Spikes can mean misconfigured routing or a deploy that broke canonical URLs.<\/li>\n<li><strong>400<\/strong>\u2014malformed requests. Usually a consumer-side change.<\/li>\n<li><strong>401, 403<\/strong>\u2014auth and permission failures. Often a token, IAM, or WAF change.<\/li>\n<li><strong>404<\/strong>\u2014missing resources. Background noise as one-offs; a release problem in bursts.<\/li>\n<li><strong>408<\/strong>\u2014client timeouts. Worth alerting at sustained rates; signals slow downstream calls.<\/li>\n<li><strong>429<\/strong>\u2014rate limiting. Either you&#8217;re being throttled or your throttle is too aggressive.<\/li>\n<li><strong>500, 502, 503, 504<\/strong>\u2014application, upstream, capacity, and gateway timeout failures. These page on-call.<\/li>\n<li><strong>520-526<\/strong>\u2014Cloudflare edge failures. If you&#8217;re behind Cloudflare, these are critical signals because they isolate the failure to the edge-to-origin path.<\/li>\n<\/ul>\n<p>Everything else is worth logging but rarely worth waking somebody up over.<\/p>\n<h2 id='how-to-check-the-http-status-code-of-a-page'  id=\"boomdevs_28\">How to Check the HTTP Status Code of a Page<\/h2>\n<p>Before you can act on a code, you have to see it. Three ways, from quickest to most thorough.<\/p>\n<h3 id='in-chrome-devtools'  id=\"boomdevs_29\">In Chrome DevTools<\/h3>\n<ol>\n<li>Open the page.<\/li>\n<li>Right-click anywhere and choose Inspect, then open the Network tab.<\/li>\n<li>Reload. The first document request shows the code in the Status column.<\/li>\n<\/ol>\n<h3 id='from-the-command-line'  id=\"boomdevs_30\">From the Command Line<\/h3>\n<p>A header-only request returns the status line without downloading the body:<\/p>\n<pre><code>c url -I https:\/\/example.com<\/code><\/pre>\n<p>The first line of the response is the status code\u2014for example, <code>HTTP\/2 200<\/code>.<\/p>\n<h3 id='at-scale'  id=\"boomdevs_31\">At Scale<\/h3>\n<p>Single-shot checks tell you the current state. They won&#8217;t catch the failure that happens at 3 a.m. and clears before you wake up. To catch intermittent failures, you need scheduled checks from multiple regions\u2014which is what <a href=\"https:\/\/www.dotcom-monitor.com\/solutions\/synthetic-monitoring\/\">synthetic monitoring<\/a> does.<\/p>\n<h2 id='when-a-200-ok-lies'  id=\"boomdevs_32\">When a 200 OK Lies<\/h2>\n<p>An e-commerce team gets paged at 11 a.m. on a Tuesday. Conversion is down 80 percent. They check their uptime dashboard. Every endpoint is green. Every status code is 200. Every region reports the site is up.<\/p>\n<p>The site is not up. A deploy 40 minutes earlier shipped a JavaScript bundle that throws on the checkout page. The HTML renders, the server returns 200, the status-code monitor sees 200, no alert fires. Users see a blank cart and bounce.<\/p>\n<p>This is the failure mode pure status-code monitoring can&#8217;t catch. The fix is layered:<\/p>\n<ul>\n<li><strong>Run real-browser checks<\/strong> on critical user paths\u2014home, search, product, cart, checkout. Real browsers execute the JavaScript and surface client-side errors that a curl-style check misses.<\/li>\n<li><strong>Watch for body-level signals<\/strong>: keyword presence, element visibility, expected response structure. Don&#8217;t trust the status code alone.<\/li>\n<li><strong>Tie deploys to monitoring<\/strong>: any check that goes from green to red within 15 minutes of a release should auto-tag the deploy. Half of post-mortem time is figuring out what changed; the monitoring system already knows.<\/li>\n<\/ul>\n<h3 id='what-is-a-soft-404'  id=\"boomdevs_33\">What Is a Soft 404?<\/h3>\n<p>One version of this problem has a name: the soft 404. A soft 404 is a page that returns 200 OK while telling the user the content doesn&#8217;t exist\u2014a &#8220;page not found&#8221; message served with a success code. Google&#8217;s guidance is to return a real 404 or 410 instead, because soft 404s waste crawl budget and confuse the index about which pages are real.<\/p>\n<p>Pure status-code monitoring won&#8217;t catch a soft 404, for the same reason it misses a broken checkout: the code says 200. Real-browser checks with body assertions\u2014looking for the actual content you expect, or the absence of a &#8220;not found&#8221; string\u2014will.<\/p>\n<h2 id='how-http-status-codes-affect-seo'  id=\"boomdevs_34\">How HTTP Status Codes Affect SEO<\/h2>\n<p>Search engines use status codes to decide what to crawl, what to index, and how often to come back. Three patterns matter:<\/p>\n<ul>\n<li><strong>4xx codes erode the index over time.<\/strong> A page that returns 404 for several crawl attempts gets dropped. If you delete a page, redirect it with 301 instead of letting it 404.<\/li>\n<li><strong>5xx codes slow crawling and damage rankings.<\/strong> Googlebot interprets persistent 5xx as &#8220;this site is unhealthy.&#8221; Crawl rate drops, indexing slows, rankings can fall.<\/li>\n<li><strong>301 vs 302 matters.<\/strong> 301 passes link equity. 302 is treated as temporary and may not. If the move is permanent, choose 301.<\/li>\n<\/ul>\n<p>The practical takeaway: 5xx errors aren&#8217;t just an availability problem. They&#8217;re an SEO problem that compounds the longer they persist. <a href=\"https:\/\/www.dotcom-monitor.com\/blog\/website-monitoring-errors-dns-tcp-tls-http\/\">DNS, TCP, TLS, and HTTP errors<\/a> each have a different SEO cost\u2014knowing which layer is failing helps you triage faster.<\/p>\n<figure id=\"attachment_33963\" aria-describedby=\"caption-attachment-33963\" style=\"width: 1536px\" class=\"wp-caption alignnone\"><img decoding=\"async\" class=\"size-full wp-image-33963\" src=\"https:\/\/www.dotcom-monitor.com\/blog\/wp-content\/uploads\/sites\/3\/2024\/12\/triage-flowchart.webp\" alt=\"Decision flowchart for triaging HTTP status code alerts\u2014which layer to check first, when to page on-call, when to roll back a deploy\" width=\"1536\" height=\"1024\" srcset=\"https:\/\/www.dotcom-monitor.com\/blog\/wp-content\/uploads\/sites\/3\/2024\/12\/triage-flowchart.webp 1536w, https:\/\/www.dotcom-monitor.com\/blog\/wp-content\/uploads\/sites\/3\/2024\/12\/triage-flowchart-300x200.webp 300w, https:\/\/www.dotcom-monitor.com\/blog\/wp-content\/uploads\/sites\/3\/2024\/12\/triage-flowchart-1024x683.webp 1024w, https:\/\/www.dotcom-monitor.com\/blog\/wp-content\/uploads\/sites\/3\/2024\/12\/triage-flowchart-768x512.webp 768w\" sizes=\"(max-width: 1536px) 100vw, 1536px\" \/><figcaption id=\"caption-attachment-33963\" class=\"wp-caption-text\">A simple triage path from status code to first investigation step.<\/figcaption><\/figure>\n<h2 id='monitoring-http-status-codes-without-drowning-in-alerts'  id=\"boomdevs_35\">Monitoring HTTP Status Codes Without Drowning in Alerts<\/h2>\n<p>Every team that monitors HTTP traffic eventually runs into the same problem: too many alerts, not enough signal. A few practices keep status code monitoring useful instead of noisy.<\/p>\n<p><strong>Alert on rates, not single requests.<\/strong> One 500 is noise. Fifty 500s in five minutes is an incident. Configure thresholds against your baseline traffic volume.<\/p>\n<p><strong>Separate user-facing endpoints from internal ones.<\/strong> A 500 on the checkout API should page. A 500 on an admin endpoint nobody&#8217;s hitting can wait until business hours.<\/p>\n<p><strong>Test from where your users are.<\/strong> A check from one data center won&#8217;t catch a regional CDN failure. Use a monitoring network with multiple geographies to spot location-specific issues before customers do.<\/p>\n<p><strong>Combine status checks with content checks.<\/strong> 200 OK is a starting point, not a finish line. Validate that the response contains what it should.<\/p>\n<p>Dotcom-Monitor&#8217;s <a href=\"https:\/\/www.dotcom-monitor.com\/products\/web-application-monitoring\/\">web application monitoring<\/a> handles all four: rate-based alerting, endpoint segmentation, global monitoring locations, and real-browser content checks. For API-heavy stacks, the <a href=\"https:\/\/www.dotcom-monitor.com\/products\/web-api-monitoring\/\">API monitoring<\/a> path adds schema validation and response-time SLOs on top of status code checks. Both feed the same <a href=\"https:\/\/www.dotcom-monitor.com\/features\/alerts\/\">alerting<\/a> pipeline so you&#8217;re not stitching together signals from three vendors.<\/p>\n<h2 id='closing-thoughts'  id=\"boomdevs_36\">Closing Thoughts<\/h2>\n<p>The most common HTTP status codes haven&#8217;t changed in years. 200, 301, 404, 500, 502, 503\u2014you&#8217;ll see all of them this week. What changes is how fast your team gets from &#8220;saw the code&#8221; to &#8220;fixed the cause.&#8221;<\/p>\n<p>That gap is where good monitoring pays off. Status codes alone tell you something happened. Layered checks\u2014status, content, real-browser, multi-region\u2014tell you what, where, and what to do next.<\/p>\n<p>If you want to see what that looks like, <a href=\"https:\/\/www.dotcom-monitor.com\/\">Dotcom-Monitor<\/a> has a free trial. Point it at one of your endpoints and see what it surfaces.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A practical reference for engineers who get paged when these codes show up.<\/p>\n","protected":false},"author":21,"featured_media":33970,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-7287","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-web-performance-tech-tips"],"_links":{"self":[{"href":"https:\/\/www.dotcom-monitor.com\/blog\/wp-json\/wp\/v2\/posts\/7287","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dotcom-monitor.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dotcom-monitor.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dotcom-monitor.com\/blog\/wp-json\/wp\/v2\/users\/21"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dotcom-monitor.com\/blog\/wp-json\/wp\/v2\/comments?post=7287"}],"version-history":[{"count":0,"href":"https:\/\/www.dotcom-monitor.com\/blog\/wp-json\/wp\/v2\/posts\/7287\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dotcom-monitor.com\/blog\/wp-json\/wp\/v2\/media\/33970"}],"wp:attachment":[{"href":"https:\/\/www.dotcom-monitor.com\/blog\/wp-json\/wp\/v2\/media?parent=7287"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dotcom-monitor.com\/blog\/wp-json\/wp\/v2\/categories?post=7287"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dotcom-monitor.com\/blog\/wp-json\/wp\/v2\/tags?post=7287"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}