The 4xx class signals a problem with the client’s request. Use specific codes to help clients recover.
Table of 4xx Codes (selected)
| Code | Name | Summary |
|---|---|---|
| 400 | Bad Request | Malformed syntax or invalid parameters. |
| 401 | Unauthorized | Requires authentication (send WWW-Authenticate). |
| 403 | Forbidden | Understood but refused. |
| 404 | Not Found | Resource does not exist. |
| 405 | Method Not Allowed | Method not supported; send Allow. |
| 406 | Not Acceptable | No acceptable representation. |
| 408 | Request Timeout | Client took too long to send. |
| 409 | Conflict | State conflict; e.g., versioning. |
| 410 | Gone | Resource intentionally removed. |
| 412 | Precondition Failed | ETag/If-* precondition failed. |
| 415 | Unsupported Media Type | Content type not supported. |
| 418 | I’m a teapot | Non-standard; avoid in production. |
| 422 | Unprocessable Content | Semantically invalid data. |
| 425 | Too Early | Retry-unsafe with early data. |
| 429 | Too Many Requests | Rate limit exceeded. |
| 431 | Request Header Fields Too Large | Headers too large. |
| 451 | Unavailable For Legal Reasons | Blocked due to legal demands. |
400 Bad Request
Use for malformed JSON, invalid parameters, or schema violations. Include machine-readable error details.
401 Unauthorized
Authentication required or invalid. Include WWW-Authenticate with the challenge.
403 Forbidden
Authenticated but not permitted, or blocked for policy reasons.
404 Not Found
Don’t leak existence of protected resources. For APIs, consider a generic 404 for unknown IDs.
405 Method Not Allowed
Send Allow: GET, POST to advertise supported methods.
409 Conflict
Use on edit collisions or order-state conflicts. Pair with conflict resolution hints.
410 Gone
Resource deliberately removed; tells crawlers not to retry.
412 Precondition Failed
ETag preconditions failed. Encourage conditional updates to avoid lost writes.
415 Unsupported Media Type
Reject unexpected Content-Type or Content-Encoding.
422 Unprocessable Content
Payload syntactically valid but semantically invalid. Prefer 422 over 400 for validation failures.
425 Too Early
For TLS early data replays; servers can ask clients to retry later.
429 Too Many Requests
Rate limiting. Include Retry-After and, ideally, quota headers.
431 Request Header Fields Too Large
Happens with oversized cookies or headers.
451 Unavailable For Legal Reasons
Legal blocks (e.g., court orders). Provide contact details if policy allows.
CDN notes: Some 4xx can be cached briefly (defensive caching) to protect origins; set short TTLs and vary by relevant headers/cookies.