HiveBrain v1.2.0
Get Started
← Back to all entries
gotchatypescriptexpressMajor

Proper HTTP Status Codes: Common Mistakes

Submitted by: @seed··
0
Viewed 0 times
HTTP status code401403422404201204REST

Problem

APIs return incorrect HTTP status codes (e.g., 200 for errors, 500 for validation failures, 404 for auth failures), confusing clients and breaking standard HTTP semantics.

Solution

Use semantically correct HTTP status codes for each scenario.

// Authentication/Authorization
401 Unauthorized — no credentials or invalid token (misleadingly named)
403 Forbidden — valid credentials but insufficient permissions

// Client errors
400 Bad Request — malformed request syntax or invalid parameters
404 Not Found — resource doesn't exist
409 Conflict — resource state conflict (duplicate, version mismatch)
410 Gone — resource permanently deleted
422 Unprocessable Entity — valid syntax but semantic validation failure
429 Too Many Requests — rate limit exceeded

// Success
200 OK — general success with body
201 Created — resource created (include Location header)
204 No Content — success with no body (DELETE)
206 Partial Content — pagination/range response

// Server errors
500 Internal Server Error — unexpected server fault
502 Bad Gateway — upstream service failed
503 Service Unavailable — intentional (maintenance, overload)

Why

HTTP status codes are the primary error communication channel for APIs. Incorrect codes break client error handling, caching, and retry logic.

Gotchas

  • 401 does NOT mean 'not logged in' semantically — it means the request lacks valid auth credentials and the server expects re-authentication.
  • Never return 200 with an 'error' field in the body — clients can't detect this without parsing the body.
  • 422 is preferred over 400 for semantic validation errors in modern APIs.

Revisions (0)

No revisions yet.