HTTP Status Codes Explained in Detail
Understand HTTP status code families — 2xx, 3xx, 4xx, 5xx — plus 401 vs 403 and retry rules, with networking interview Q&A.
Expected Interview Answer
HTTP status codes are three-digit responses that classify the outcome of a request into five families — 1xx informational, 2xx success, 3xx redirection, 4xx client error, and 5xx server error — letting clients programmatically decide how to react without parsing prose.
A well-formed API leans on these families precisely: 200 OK for a general success, 201 Created after a successful POST that made a new resource (with a Location header pointing to it), 204 No Content for a successful action with no body to return. In the 3xx family, 301 signals a permanent move a client should update its bookmark for, while 302/307 signal a temporary redirect; 304 Not Modified lets a cached response be reused after a conditional GET. In the 4xx family, 400 means the request itself is malformed, 401 means the client is not authenticated at all, 403 means it is authenticated but not authorized, 404 means the resource does not exist, and 409 signals a conflict such as a version mismatch. The 5xx family (500, 502, 503) signals the failure is server-side, which is important because clients can safely retry 5xx and 429 (with backoff) but generally should not blindly retry most 4xx errors, since retrying an unchanged malformed request will just fail again.
- Lets clients branch on outcome programmatically instead of parsing text
- Distinguishes retryable server-side failures from non-retryable client mistakes
- 3xx codes drive correct caching and bookmark-update behavior
- Precise 4xx codes (401 vs 403 vs 404 vs 409) speed up debugging
AI Mentor Explanation
A 200 is like the umpire signaling a clean boundary — everything went exactly as requested. A 404 is like appealing for a wicket against a batter who is not even on the field — the specific thing you are asking about does not exist. A 403 is like a substitute fielder being told they cannot bowl because only registered players may — identity is fine, permission is not — while a 500 is like the stumps collapsing on their own before the ball even arrives, a fault entirely on the ground's side, not the player's.
Step-by-Step Explanation
Step 1
Classify by family
Look at the first digit: 1xx informational, 2xx success, 3xx redirection, 4xx client error, 5xx server error.
Step 2
Pick the precise success code
Use 200 for a general success, 201 for a created resource, 204 for success with no body.
Step 3
Disambiguate 4xx errors
Use 400 for a malformed request, 401 for missing authentication, 403 for denied authorization, 404 for a missing resource, 409 for a conflict.
Step 4
Decide retry behavior
Retry 5xx and 429 responses with backoff; do not blindly retry most 4xx responses since the request itself is the problem.
What Interviewer Expects
- Correctly names all five status code families by first digit
- Distinguishes 401 (unauthenticated) from 403 (unauthorized)
- Knows when to use 200 vs 201 vs 204 for success cases
- Explains why 5xx is retryable but most 4xx is not
Common Mistakes
- Confusing 401 and 403
- Returning 200 for an error condition with an error message in the body
- Treating all 3xx codes as identical instead of permanent vs temporary redirects
- Blindly retrying 4xx errors the same way as 5xx errors
Best Answer (HR Friendly)
“HTTP status codes are the three-digit numbers a server sends back with every response to say what happened — codes starting with 2 mean success, 4 means the client made a mistake like asking for something that does not exist, and 5 means the server itself broke. Knowing the difference matters because it tells you and your systems whether it is safe to just try the request again or whether something needs to be fixed first.”
Code Example
# Show only the status line and headers
curl -sI https://api.example.com/users/42
# Print just the numeric status code
curl -s -o /dev/null -w "%{http_code}\n" https://api.example.com/users/42
# Simulate a conditional GET that can return 304 Not Modified
curl -sI -H 'If-None-Match: "abc123"' https://api.example.com/users/42Follow-up Questions
- What is the difference between a 301 and a 302 redirect for SEO and caching?
- When should an API return 409 Conflict instead of 400 Bad Request?
- How should a client handle a 429 Too Many Requests response?
- Why might an API intentionally return 200 with an error payload instead of a 4xx/5xx code, and why is that discouraged?
MCQ Practice
1. Which status code indicates the client is authenticated but not authorized for the resource?
403 Forbidden means the identity is known but does not have permission; 401 means not authenticated at all.
2. Which status code is most appropriate after a successful POST that created a new resource?
201 Created signals a new resource was made, typically alongside a Location header pointing to it.
3. Which family of status codes generally indicates a server-side failure safe to retry?
5xx codes indicate the server failed to fulfil a valid request, and retries (with backoff) are usually reasonable.
Flash Cards
401 vs 403? — 401 means not authenticated; 403 means authenticated but not authorized.
200 vs 201 vs 204? — 200 general success; 201 resource created; 204 success with no response body.
What does 5xx signal? — A server-side failure — often safe to retry with backoff, unlike most 4xx errors.
What does 304 mean? — Not Modified — the cached response is still valid, returned for a conditional GET.