4xx Status Codes

4xx Client Errors

400 Bad Request

The server cannot process the request due to a client error, such as malformed syntax or invalid framing.

401 Unauthorized

Authentication is required and has failed or has not been provided. The response includes a challenge for authentication.

402 Payment Required

Reserved for future use, originally intended for digital cash schemes. It’s rarely used but may indicate issues like exceeded API limits or insufficient account funds.

403 Forbidden

The server understands the request, but refuses to take action due to lack of permissions or authentication failure.

404 Not Found

The requested resource could not be found, but it may become available in the future.

405 Method Not Allowed

The request method is not supported for the requested resource, such as using GET on a POST-only endpoint.

406 Not Acceptable

The resource can only generate content not acceptable based on the client’s request headers.

407 Proxy Authentication Required

The client must authenticate with the proxy before accessing the resource.

408 Request Timeout

The server timed out waiting for the request. The client may repeat the request later.

409 Conflict

The request could not be processed due to a conflict in the resource’s current state.

410 Gone

The resource is no longer available and will not be available again. The client should not request it in the future.

411 Length Required

The request did not specify the required content length.

412 Precondition Failed

The server does not meet one of the preconditions specified in the request headers.

413 Payload Too Large

The request is larger than the server can process.

414 URI Too Long

The provided URI is too long for the server to process, often due to excessive query parameters.

415 Unsupported Media Type

The request entity has a media type that the server does not support.

416 Range Not Satisfiable

The client requested a portion of the file that cannot be supplied by the server.

417 Expectation Failed

The server cannot meet the requirements of the Expect request-header field.

418 I’m a teapot

Defined as a joke in an April Fools’ RFC, this status code indicates a teapot cannot brew coffee.

421 Misdirected Request

The request was directed at a server that cannot produce a response, often due to connection reuse.

422 Unprocessable Content

The request is well-formed but cannot be processed.

423 Locked (WebDAV)

The resource being accessed is locked and cannot be modified.

424 Failed Dependency (WebDAV)

The request failed because it depended on another request that failed.

425 Too Early

The server is unwilling to process a request that might be replayed.

426 Upgrade Required

The client should switch to a different protocol, as indicated in the Upgrade header.

428 Precondition Required

The server requires the request to be conditional to avoid lost updates.

429 Too Many Requests

The user has sent too many requests in a short period, triggering rate limiting.

431 Request Header Fields Too Large

The server will not process the request due to excessively large header fields.

451 Unavailable For Legal Reasons

Access to the resource is denied due to legal demands against it.

---

Unofficial codes

419 Page Expired (Laravel Framework)

Used by Laravel when a CSRF token is missing or has expired.

420 Method Failure (Spring Framework)

A deprecated response indicating that a method has failed, used by the Spring Framework.

420 Enhance Your Calm (Twitter)

Returned by the original Twitter API when the client is rate limited. Later versions use the 429 status code.

430 Request Header Fields Too Large (Shopify)

A deprecated response used by Shopify to indicate too many URLs requested in a short time.

430 Shopify Security Rejection (Shopify)

Indicates that a request was deemed malicious by Shopify.

450 Blocked by Windows Parental Controls (Microsoft)

Indicates that access to the requested webpage is blocked due to Windows Parental Controls.

498 Invalid Token (Esri)

Returned by ArcGIS for Server to indicate that a token is expired or invalid.

499 Token Required (Esri)

Returned by ArcGIS for Server to indicate that a required token was not submitted.

---

Internet Information Services (IIS)

Microsoft’s IIS web server extends the 4xx error space to handle additional errors related to the client’s request.

440 Login Time-out

The client’s session has expired and requires re-login.

449 Retry With

The request cannot be honored because the required information was not provided by the user.

451 Redirect

Used in Exchange ActiveSync when a more efficient server is available or the current server cannot access the user’s mailbox. The client should re-run the AutoDiscover operation to find a more suitable server.

---

nginx

444 No Response

Instructs the server to return no information and close the connection immediately.

494 Request Header Too Large

The client sent a request or header line that is too large for the server to process.

495 SSL Certificate Error

An extension of the 400 Bad Request response, used when the client provided an invalid SSL certificate.

496 SSL Certificate Required

An extension of the 400 Bad Request response, used when a client certificate is required but not provided.

497 HTTP Request Sent to HTTPS Port

An extension of the 400 Bad Request response, used when an HTTP request is made to a port that expects HTTPS requests.

499 Client Closed Request

Indicates that the client closed the request before the server could respond.

---

AWS Elastic Load Balancing (ELB)

460 Client Closed Request

The client closed the connection with the load balancer before the idle timeout period elapsed, usually because the client timeout is shorter than the Elastic Load Balancer’s timeout.

463 Too Many IP Addresses

The load balancer received an X-Forwarded-For request header containing more than 30 IP addresses.

464 Incompatible Protocol Version

Indicates that there are incompatible protocol versions between the client and the origin server.