400 vs 404: Bad Request vs Not Found
400 and 404 can look similar in logs, but they tell clients, crawlers, and API consumers different things.
| Aspect | HTTP 400 โ Bad Request | HTTP 404 โ Not Found |
|---|---|---|
| Definition | The server received a request it cannot parse or understand. This is a client-side error โ the request itself is malformed. | The server found no resource matching the requested URL. It does not indicate whether the resource ever existed or whether it might exist in the future. |
| Plain-language summary | The server cannot parse or process the request because it is malformed. The error is always on the client side โ the request itself is structurally invalid. Common causes include invalid JSON, missing required headers, malformed URL encoding, or a content type mismatch. | The server cannot find any resource at the requested URL. The URL may have never existed, the resource may have been deleted, or the URL may be typed incorrectly. The server makes no guarantee about whether the resource might exist in the future. |
| When to use | Return 400 when the request is syntactically invalid or unparseable. Use 422 when the request is syntactically valid but semantically invalid (valid JSON that violates business rules). Use 401 for missing/invalid authentication, 403 for insufficient permissions, 404 for unknown resources. | Return 404 when no resource exists at the requested URL. Use 410 Gone when the resource existed and has been intentionally, permanently removed (helps crawlers delist faster). Use 403 when the resource exists but access is denied. Avoid soft 404s (returning 200 with "page not found" content) โ search engines treat them as indexed pages. |
| Client behavior | Do not retry automatically โ the same malformed request will receive the same 400. Fix the request format and retry. API clients should surface the error to the developer with the response body details. | No automatic retry. Browser displays the 404 error page. Crawlers record the URL as not found and typically delist it after repeated 404 responses. API clients should surface the error and not retry. |
| Caching behavior | Not cached. Error responses are generally not stored. | May be cached if the server includes a Cache-Control header, but this is rarely appropriate. Most servers do not cache 404s. CDNs may cache 404s if Cache-Control: max-age is present โ be careful with CDN 404 caching for dynamic routes. |
| SEO / crawler impact | Search crawlers interpret 400 (client-errors) for indexation and link equity accordingly. | Search crawlers interpret 404 (client-errors) for indexation and link equity accordingly. |
| API / backend impact | API clients branching on 400 expect Bad Request semantics. | API clients branching on 404 expect Not Found semantics. |
| Safe to retry? | Only after fixing the underlying cause | Only after fixing the underlying cause |
Common real-world scenarios
When you see HTTP 400
In API logs, 400s indicate client-side integration bugs. Sudden spikes in 400s often correlate with: a bad client deployment sending malformed payloads, a frontend change that broke the request format, or an API schema change that old clients have not adopted. Monitor 400 rates per endpoint to detect client bugs early.
When you see HTTP 404
A baseline of 404s is normal (bad links from external sites, typos, old URLs). Alert on: sudden spikes in 404s (deployment broke routes), 404s on URLs that were recently 200 (routing regression), and systematic 404s on specific URL patterns (broken redirect or routing rule).
Decision rule
Use 400 when the response should communicate bad request behavior; use 404 when not found is the accurate protocol signal.
A frequent mistake is swapping 400 and 404 for convenience; that causes client retry bugs, incorrect cache signals, and misleading monitoring data.
Use 400 when the correct protocol signal is Bad Request. Use 404 when the correct signal is Not Found. Returning either code for the wrong reason breaks client expectations, cache behavior, and monitoring accuracy.
FAQ
What is the biggest difference between 400 and 404?
400 communicates Bad Request, while 404 communicates Not Found. Choosing the right one keeps clients and intermediaries predictable.
Do 400 and 404 have SEO or caching impact?
Yes. Search engines and caches interpret status classes differently. Use each code according to its semantics to avoid accidental indexing, stale responses, or crawl inefficiency.
Can APIs safely return 400 instead of 404?
Only when it matches contract semantics. API clients often branch logic by exact code, so swapping them can break retries, auth handling, or user-facing errors.
Full guides
HTTP 400 Bad Request โ full guide ยท HTTP 404 Not Found โ full guide ยท HTTP 404 status reference ยท All comparisons ยท HTTP 400 status reference