{ "slug": "http_status_codes", "term": "HTTP Status Codes", "category": "networking", "difficulty": "beginner", "short": "Three-digit codes in HTTP responses that indicate whether a request succeeded, failed, or requires further action.", "long": "HTTP status codes are grouped into five classes: 1xx (informational), 2xx (success), 3xx (redirection), 4xx (client error), and 5xx (server error). Using correct codes is essential for caching, retry logic, API clients, and debugging. A 200 OK with an error body, or a 500 for a validation failure, breaks every layer that depends on HTTP semantics.", "aliases": [ "HTTP response codes", "status codes" ], "tags": [ "http", "api", "rest", "networking" ], "misconception": "A 200 OK means everything is fine — many APIs return 200 with an error payload, breaking client error handling.", "why_it_matters": "Correct status codes drive browser behaviour (caching, redirects), API client retry logic, and monitoring alerts — using 200 for errors silently breaks all of these.", "common_mistakes": [ "Returning 200 OK with an error body — clients cannot detect the failure without parsing every response.", "Using 500 for validation errors — 422 Unprocessable Entity or 400 Bad Request is correct for client-supplied bad data.", "Returning 404 for authorisation failures — use 403 Forbidden; 404 leaks that the resource exists.", "Not returning 429 Too Many Requests with a Retry-After header for rate-limited responses." ], "when_to_use": [], "avoid_when": [], "related": [ "rest", "api_design", "http_caching", "rate_limiting" ], "prerequisites": [ "rest_constraints", "api_error_handling", "http_request_response_cycle" ], "refs": [ "https://developer.mozilla.org/en-US/docs/Web/HTTP/Status", "https://www.rfc-editor.org/rfc/rfc9110" ], "bad_code": "// 200 OK with error — breaks client error detection:\nreturn response()->json(['error' => 'User not found'], 200); // Wrong\n\n// Correct status codes:\nreturn response()->json(['message' => 'Not found'], 404);\nreturn response()->json(['errors' => $validation], 422);\nreturn response()->json(['message' => 'Forbidden'], 403);", "good_code": "// Semantic status codes:\nreturn response()->json($user, 200); // GET success\nreturn response()->json($created, 201); // POST created\nreturn response()->json(null, 204); // DELETE success\nreturn response()->json($errors, 422); // Validation failed\nreturn response()->json(['message' => 'Not found'], 404);", "quick_fix": "Use 200 OK, 201 Created, 204 No Content, 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 422 Unprocessable Entity, 429 Too Many Requests, 500 Internal Server Error — these cover 95% of cases", "severity": "medium", "effort": "low", "created": "2026-03-15", "updated": "2026-03-22", "citation": { "canonical_url": "https://codeclaritylab.com/glossary/http_status_codes", "html_url": "https://codeclaritylab.com/glossary/http_status_codes", "json_url": "https://codeclaritylab.com/glossary/http_status_codes.json", "source": "CodeClarityLab Glossary", "author": "P.F.", "author_url": "https://pfmedia.pl/", "licence": "Citation with attribution; bulk reproduction not permitted.", "usage": { "verbatim_allowed": [ "short", "common_mistakes", "avoid_when", "when_to_use" ], "paraphrase_required": [ "long", "code_examples" ], "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.", "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.", "attribution_examples": { "inline_mention": "According to CodeClarityLab: ", "markdown_link": "[HTTP Status Codes](https://codeclaritylab.com/glossary/http_status_codes) (CodeClarityLab)", "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/http_status_codes" } } } }