400 vs 431: Bad Request vs Request Header Fields Too Large
400 and 431 can look similar in logs, but they tell clients, crawlers, and API consumers different things.
| Aspect | HTTP 400 โ Bad Request | HTTP 431 โ Request Header Fields Too Large |
|---|---|---|
| Definition | The server received a request it cannot parse or understand. This is a client-side error โ the request itself is malformed. | Request Header Fields Too Large describes how the server processed the request and what the client should do next. |
| Plain-language summary | The server cannot parse or process the request because it is malformed. The error is always on the client side โ the request itself is structurally invalid. Common causes include invalid JSON, missing required headers, malformed URL encoding, or a content type mismatch. | The server refuses the request because the request headers (either individually or cumulatively) are too large. Common causes include cookie bloat, very long Authorization tokens, or large custom headers. |
| When to use | Return 400 when the request is syntactically invalid or unparseable. Use 422 when the request is syntactically valid but semantically invalid (valid JSON that violates business rules). Use 401 for missing/invalid authentication, 403 for insufficient permissions, 404 for unknown resources. | Servers return this automatically when headers exceed configured limits. As an API designer, document header size limits. As an application developer, monitor cookie size and Authorization header lengths. |
| Client behavior | Do not retry automatically โ the same malformed request will receive the same 400. Fix the request format and retry. API clients should surface the error to the developer with the response body details. | Reduce header size: clear old cookies, shorten tokens if possible, remove unnecessary custom headers, and retry. |
| Caching behavior | Not cached. Error responses are generally not stored. | Not cached. |
| SEO / crawler impact | Search crawlers interpret 400 (client-errors) for indexation and link equity accordingly. | Search crawlers interpret 431 (client-errors) for indexation and link equity accordingly. |
| API / backend impact | API clients branching on 400 expect Bad Request semantics. | API clients branching on 431 expect Request Header Fields Too Large semantics. |
| Safe to retry? | Only after fixing the underlying cause | Only after fixing the underlying cause |
Common real-world scenarios
When you see HTTP 400
In API logs, 400s indicate client-side integration bugs. Sudden spikes in 400s often correlate with: a bad client deployment sending malformed payloads, a frontend change that broke the request format, or an API schema change that old clients have not adopted. Monitor 400 rates per endpoint to detect client bugs early.
When you see HTTP 431
Most commonly caused by: cookie accumulation over time (many Set-Cookie calls with short expiry creating a large Cookie header), very long JWT tokens containing large payloads, or header injection bugs that append values repeatedly.
Decision rule
Use 400 when the response should communicate bad request behavior; use 431 when request header fields too large is the accurate protocol signal.
A frequent mistake is swapping 400 and 431 for convenience; that causes client retry bugs, incorrect cache signals, and misleading monitoring data.
Use 400 when the correct protocol signal is Bad Request. Use 431 when the correct signal is Request Header Fields Too Large. Returning either code for the wrong reason breaks client expectations, cache behavior, and monitoring accuracy.
FAQ
What is the biggest difference between 400 and 431?
400 communicates Bad Request, while 431 communicates Request Header Fields Too Large. Choosing the right one keeps clients and intermediaries predictable.
Do 400 and 431 have SEO or caching impact?
Yes. Search engines and caches interpret status classes differently. Use each code according to its semantics to avoid accidental indexing, stale responses, or crawl inefficiency.
Can APIs safely return 400 instead of 431?
Only when it matches contract semantics. API clients often branch logic by exact code, so swapping them can break retries, auth handling, or user-facing errors.
Full guides
HTTP 400 Bad Request โ full guide ยท HTTP 431 Request Header Fields Too Large โ full guide ยท HTTP 431 status reference ยท All comparisons ยท HTTP 400 status reference