Reading HTTP status codes: a non-developer's guide
The five-class shortcut for HTTP status codes (1xx-5xx), the seven specific codes worth knowing, and how to triage what each one means in practice.
HTTP status codes are tiny three-digit verdicts the server returns about your request. Most of the time you can ignore them. When something is broken, knowing what each digit-class means is the difference between "the site is broken" and "ah, my session expired."
The digit-class shortcut
The first digit tells you everything you need to know to triage. Memorise these five:
- 1xx — Informational. You'll basically never see one. Carry on.
- 2xx — Success. The request worked.
200is the boring happy path. - 3xx — Redirection. The server is sending you somewhere else. Browsers follow these silently.
- 4xx — You did something wrong. Bad URL, missing auth, expired session, asking for something that isn't there.
- 5xx — They did something wrong. The request reached the server, but the server failed.
That's the whole framework. 4xx is on you, 5xx is on them. Everything else is detail.
Browsers show the URL you're at, but not the status code that got you there. Open DevTools → Network to see the actual codes a page returned. The redirect chain matters as much as the final status — see Reading an HTTP redirect chain.
The codes that actually matter
404 Not Found
The most famous one. The URL you asked for doesn't map to anything on the server. Either you typo'd the path, the page was removed, or you're looking at a cached link from somewhere stale. A 404 from the homepage of a major site is genuinely unusual; almost always it's a sub-path issue.
403 Forbidden
The server understood the request but refuses. Often this means: the resource exists, but you're not allowed. Sometimes it means: the server's WAF (Cloudflare, Akamai, etc.) thinks you're a bot. Browsers + a VPN exit + an unusual user agent is a classic trigger.
429 Too Many Requests
You're being rate-limited. Wait the time the server tells you (in the Retry-After header) and try again. Hot-looping on 429s gets you blocked harder.
500 Internal Server Error
The server crashed handling your request. There's nothing you can do as a user except retry. Repeated 500s on a site usually correlate with an active deployment or a downstream service the site depends on going sideways.
502 Bad Gateway / 504 Gateway Timeout
The site sits behind a CDN or load-balancer (Cloudflare, Vercel, Fastly, AWS ALB) and the upstream origin is unreachable or too slow.
This is almost always the site's problem, not yours. Wait it out. Frequent 502/504s from a major service usually mean an active incident on their official status page.
503 Service Unavailable
The server is up but refusing requests — typically maintenance mode or overload. Common during scheduled deploys and traffic spikes. Often paired with a Retry-After header telling you when to come back.
What about 301 and 302?
Both are redirects. The difference matters mostly for SEO and tooling: 301 is permanent, 302 is temporary. Browsers follow both. Search engines treat 301s as link-equity-transferring and 302s as not. If you're using them as a developer, get the choice right; as a user, you'll never notice.
A practical 5xx breakdown
When you see a 5xx, the second and third digits give surprisingly useful clues:
502 and 504 are CDN/proxy codes — they tell you the site's infrastructure is between you and the origin, and the origin is the problem. 503 is more interesting: it usually means the server chose to refuse you, either because it's in maintenance mode or because it's protecting itself from overload. 500 is the catch-all "something blew up."
If you're seeing a code you don't recognise
Use the full HTTP code reference for plain-English explanations of every common code, or paste the message into the Status Meaning Decoder for an instant translation. If you want to confirm what code a specific site is actually returning, run it through the Website Down Checker — the result panel shows the exact HTTP status and full redirect chain.