Status Codes
Each HTTP response message must contain a status code in its first line, indicating the result of the request. The status codes fall into five groups, according to the code’s first digit:
Code | Description |
---|---|
1xx — (Informational) | The request has been received and the process is continuing. |
2xx — (Success) | The request was successful. |
3xx — (Redirection) | The client is redirected to a different resource. |
4xx — (Client Error) | The request contains incorrect syntax or an error of some kind. |
5xx — (Server Error) | The server encountered an error fulfilling the request. |
There are numerous specific status codes, many of which are used only in specialized circumstances. Here are the status codes you are most likely to encounter when attacking a web application, along with the usual reason phrase associated with them:
This code is sent in some circumstances when a client submits a request containing a body. The response indicates that the request headers were received and that the client should continue sending the body. The server returns a second response when the request has been completed.
This code is sent in response to an Upgrade request header from the client, and indicates the protocol the server is switching to.
This code indicates that the server has received and is processing the request, but no response is available yet.
This status code is primarily intended to be used with the Link header, letting the user agent start preloading resources while the server prepares a response.
This code indicates that the request was successful and that the response body contains the result of the request.
- GET: The resource has been fetched and is transmitted in the message body.
- HEAD: The entity headers are in the message body.
- PUT or POST: The resource describing the result of the action is transmitted in the message body.
- TRACE: The message body contains the request message as received by the server.
The request has succeeded and a new resource has been created as a result. This is typically the response sent after POST requests, or some PUT requests.
The request has been received but not yet acted upon. It is noncommittal, since there is no way in HTTP to later send an asynchronous response indicating the outcome of the request. It is intended for cases where another process or server handles the request, or for batch processing.
This response code means the returned meta-information is not exactly the same as is available from the origin server, but is collected from a local or a third-party copy. This is mostly used for mirrors or backups of another resource. Except for that specific case, the 200 OK response is preferred to this status.
There is no content to send for this request, but the headers may be useful. The user-agent may update its cached headers for this resource with the new ones.
Tells the user-agent to reset the document which sent this request.
This response code is used when the Range header is sent from the client to request only part of a resource.
Conveys information about multiple resources, for situations where multiple status codes might be appropriate.
Used inside a <dav:propstat> response element to avoid repeatedly enumerating the internal members of multiple bindings to the same collection.
The server has fulfilled a GET request for the resource, and the response is a representation of the result of one or more instance-manipulations applied to the current instance.
The request has more than one possible response. The user-agent or user should choose one of them.
Redirects the browser permanently to a different URL, which is specified in the Location header. The client should use the new URL in the future rather than the original.
Redirects the browser temporarily to a different URL, which is specified in the Location header. The client should revert to the original URL in subsequent requests.
The server sent this response to direct the client to get the requested resource at another URI with a GET request.
Instructs the browser to use its cached copy of the requested resource. The server uses the If-Modified-Since and If-None-Match request headers to determine whether the client has the latest version of the resource.
This code indicates that the client submitted an invalid HTTP request. You will probably encounter this when you have modified a request in certain invalid ways, such as by placing a space character into the URL.
This code indicates that the server requires HTTP authentication before the request will be granted. The WWW-Authenticate header contains details on the type(s) of authentication supported.
This code indicates that no one is allowed to access the requested resource, regardless of authentication.
This code indicates that the requested resource does not exist.
This code indicates that the method used in the request is not supported for the specified URL. For example, you may receive this status code if you attempt to use the PUT method where it is not supported.
This response is sent when the web server, after performing server-driven content negotiation, doesn't find any content that conforms to the criteria given by the user agent.
This is similar to 401, but authentication needs to be done by a proxy.
This response is sent on an idle connection by some servers, even without any previous request by the client. It means that the server would like to shut down this unused connection.
This response is sent when a request conflicts with the current state of the server.
This response is sent when the requested content has been permanently deleted from the server, with no forwarding address.
The server rejected the request because the Content-Length header field is not defined and the server requires it.
The client has indicated preconditions in its headers which the server does not meet.
If you are probing for buffer overflow vulnerabilities in native code, and therefore are submitting long strings of data, this indicates that the body of your request is too large for the server to handle.
This is similar to the 413 response. It indicates that the URL used in the request is too large for the server to handle.
The media format of the requested data is not supported by the server, so the server is rejecting the request.
The user has sent too many requests in a given amount of time ("rate limiting").
This code indicates that the server encountered an error fulfilling the request. This normally occurs when you have submitted unexpected input that caused an unhandled error somewhere within the application’s processing. You should closely review the full contents of the server’s response for any details indicating the nature of the error.
The request method is not supported by the server and cannot be handled. The only methods that servers are required to support (and therefore that must not return this code) are GET and HEAD.
This error response means that the server, while working as a gateway to get a response needed to handle the request, got an invalid response.
Normally indicates that, although the web server itself is functioning and can respond to requests, the application accessed via the server is not responding. You should verify whether this is the result of any action you have performed.
This error response is given when the server is acting as a gateway and cannot get a response in time.
The HTTP version used in the request is not supported by the server.
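
Several entries above tie particular codes to modified or oversized requests (400, 405, 413, 414, 500). As an added example (not part of the original page), the Python code below summarizes an access log by the five classes in the table and lists clients that accumulate a mix of those codes. The Common Log Format input, the watch list, the `min_hits` threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# The five classes from the table, keyed by the status code's first digit.
CLASSES = {"1": "informational", "2": "success", "3": "redirection",
           "4": "client_error", "5": "server_error"}

# Assumed watch list: codes the entries above link to modified or oversized requests.
PROBE_CODES = {400, 405, 413, 414, 500}

# Common Log Format (assumed): host ident user [time] "request" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) \S+')

def summarize(lines, min_hits=3):
    """Return (totals per class, {client: Counter of watch-list codes})."""
    totals = Counter()
    per_client = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            totals["unparsed"] += 1      # keep malformed lines visible
            continue
        client, code = m.group(1), int(m.group(2))
        totals[CLASSES.get(str(code)[0], "invalid")] += 1
        if code in PROBE_CODES:
            per_client[client][code] += 1
    # Flag clients with several watch-list hits spread over at least two codes;
    # a single 500 is more likely an ordinary application fault.
    flagged = {c: codes for c, codes in per_client.items()
               if sum(codes.values()) >= min_hits and len(codes) >= 2}
    return totals, flagged

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /old HTTP/1.1" 301 0',
    '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /a b HTTP/1.1" 400 226',
    '198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "PUT /index.html HTTP/1.1" 405 0',
    '198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "POST /search HTTP/1.1" 500 1042',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "POST /upload HTTP/1.1" 413 0',
    '203.0.113.5 - - [01/Jan/2024:10:00:06 +0000] "GET /missing HTTP/1.1" 404 153',
    '203.0.113.5 - - [01/Jan/2024:10:00:07 +0000] "POST /form HTTP/1.1" 500 1042',
    'not an access log line',
]

if __name__ == "__main__":
    totals, flagged = summarize(SAMPLE)
    print(dict(totals))
    for client, codes in flagged.items():
        print(client, dict(codes))
```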