4xx Client Error HTTP Status Codes
4xx responses indicate that the client’s request contains an error — bad syntax, unauthorized access, or a request for something that does not exist. The problem is in the request, not the server.
Common 4xx Codes
| Code | Name | Summary | Guide |
|---|---|---|---|
| 400 | Bad Request | Malformed request syntax, invalid parameters, or missing required fields. | Guide |
| 401 | Unauthorized | Not authenticated. Provide credentials and retry. | Guide |
| 402 | Payment Required | Reserved. Informally used to indicate subscription or credit requirements. | Guide |
| 403 | Forbidden | Authenticated but not authorized. Credentials are valid but insufficient. | Guide |
| 404 | Not Found | Resource does not exist at this URL. | Guide |
| 405 | Method Not Allowed | HTTP method is not supported on this endpoint. Check the Allow header. | Guide |
| 406 | Not Acceptable | Server cannot produce a response matching the client’s Accept headers. | Guide |
| 408 | Request Timeout | Server timed out waiting for the client to finish sending the request. | Guide |
| 409 | Conflict | Request conflicts with current state of the resource (duplicate, version mismatch). | Guide |
| 410 | Gone | Resource was permanently deleted and will not return. Remove from caches. | Guide |
| 411 | Length Required | Server requires Content-Length header; chunked transfer encoding not accepted. | Guide |
| 412 | Precondition Failed | Conditional request failed; resource changed since last read (ETag mismatch). | Guide |
| 413 | Content Too Large | Request body exceeds the server’s size limit. | Guide |
| 414 | URI Too Long | Request URL exceeds the server’s maximum URL length. | Guide |
| 415 | Unsupported Media Type | Content-Type header is not supported by this endpoint. | Guide |
| 416 | Range Not Satisfiable | Range header specifies bytes outside the file’s bounds. | Guide |
| 417 | Expectation Failed | Server cannot meet the requirements of the Expect header. | Guide |
| 418 | I’m a Teapot | April Fools joke (RFC 2324). Officially registered; never to be used for real errors. | Guide |
| 421 | Misdirected Request | HTTP/2: request sent to a server unable to produce a response for the target URI. | Guide |
| 422 | Unprocessable Content | Request body is syntactically valid but semantically invalid (validation failure). | Guide |
| 425 | Too Early | TLS 1.3: server refuses to process 0-RTT early data due to replay risk. | Guide |
| 428 | Precondition Required | Server requires a conditional request; no If-Match header was sent. | Guide |
| 429 | Too Many Requests | Rate limit exceeded. Retry after the Retry-After period. | Guide |
| 431 | Request Header Fields Too Large | One or more request headers exceed the server’s size limits. | Guide |
| 451 | Unavailable For Legal Reasons | Resource withheld due to legal demands (DMCA, government order). | Guide |
Authentication vs. Authorization: 401 vs. 403
The most common point of confusion in the 4xx range: 401 Unauthorized and 403 Forbidden are frequently mixed up. The distinction is about what the server knows about the client’s identity.
401 Unauthorized means the server does not know who the client is. No credentials were provided, or the provided credentials are invalid (wrong password, expired token). The client can fix this by providing valid credentials. The response must include a WWW-Authenticate header describing the authentication scheme.
403 Forbidden means the server knows who the client is, but that identity is not allowed to perform the requested action. The user is authenticated but not authorized. Providing different credentials might help (if you have an admin account), but the same credentials will always produce 403 for this resource.
The naming is historically confusing: “Unauthorized” really means “Unauthenticated.” This was a mistake in the original HTTP/1.0 spec that has been preserved for backward compatibility.
Validation Errors: 400 vs. 422
400 Bad Request and 422 Unprocessable Content both reject a request body, but for different reasons. 400 is for requests that cannot be parsed or are structurally invalid: malformed JSON, missing required query parameters, invalid URL encoding. 422 is for requests that are syntactically valid but semantically invalid: a well-formed JSON body where a required field has an invalid value, or business logic constraints are violated.
In practice, many APIs return 400 for all validation errors. Using 422 for semantic validation errors is more precise and helps API clients distinguish between “I sent garbage” (400) and “I sent valid JSON but the values were wrong” (422). The Django REST Framework, FastAPI, and Rails use 422 for model validation failures.
404 vs. 410: Temporary vs. Permanent Absence
404 Not Found is the most common 4xx error. It means the resource does not exist at this URL right now — but it might in the future, or it might have existed at some point. Search engines continue indexing the URL as potentially valid.
410 Gone means the resource permanently no longer exists and will never come back. Search engines should de-index the URL faster than they would for a 404. Use 410 when you delete a resource and want search engines to remove it from their index: a deleted blog post, a discontinued product page, a removed user profile.