What HTTP Status Codes Should Programmers be Concerned With?

Question

So, if you look at the List of HTTP Status Codes, there are probably a number of them that would be useful while programming. The server might handle some things, like protocols, but a lot of these codes could be useful in telling the browser the actual status of the page.

So, my question is which of these status codes should we be concerned with? Which should we be checking to send, and which ones will most likely never be used in regular application programming.

If you are curious, this is in the scope of PHP programming, but it would probably apply to other languages just as well.

Answer 1

Well, those are status codes, not headers, but any of them might be useful (although the 5xx series are unlikely to be).

Answer 2

Quickly going through that list (of status codes), here are those I often use (I am doing PHP web-development as my job) :

• 200 OK : almost always sent by Apache
• 301 Moved Permanently : generally sent by me (or by Apache, when using rewrite-rules)
• 302 Found : generally sent by me (or by Apache, when using rewrite-rules)
• 304 Not Modified : generally sent by Apache (or a reverse proxy in front of it)
• 401 Unauthorized : generally sent by Apache
• 403 Forbidden : generally sent by Apache
• 404 Not Found : sent both by Apache and me -- depending on the situations
• 410 Gone : generally sent by me
• 500 Internal Server Error : sent both by Apache and me ; that's the one I generally use when there's a "technical" error -- even if it should never happen ^^

And here are those I could use (especially if doing REST) :

• 201 Created
• 400 Bad Request
• 402 Payment Required
• 405 Method Not Allowed
• 501 Not Implemented
• 503 Service Unavailable

Answer 3

I take it your talking about using headers for either serving files or providing a RESTful webservice?

You'd be after status codes, rather than headers then. The ones I've commonly used are:

200 OK
301 Moved Permanently
302 Found (temporary redirect)
400 Bad Request
403 Forbidden
404 Not found
500 Internal Server Error

Of course, for RESTful webservices you can change the text to be more descriptive as well as providing description in the body.

Then there's:

418 I'm a teapot

Answer 4

The ones I've used most are:

• 301 - Moved Permanently - Use this if the resource is permanently moved to the new url.
• 302 - Moved Temporarily - Use this for redirecting when you can't have a permanent redirect.
• 404 - Not Found. Your server should be configured to serve this for invalid urls. You should monitor these in your logs--too many 404s is a sign of a bad push.
• 500 - Internal Server Error. Your server should be configured to properly send these when there are errors. You should monitor 5xx errors in your logs.

Answer 5

Many of these are intrinsically useful with REST-style API usage. For example:

• 200 (OK): You asked for a resource. Here it is!

• 201 (Created): You asked me to make a new resource. I did! Here's where you can go to ask me for it next time.

• 202 (Accepted): You asked me to do something, but it's going to take a while, so don't wait up. Here's where you can go to check up on the status.

• 300 (Multiple Choices): You asked for something, but you weren't specific enough. Which one of these did you mean?

• 301 (Moved Permanently): You asked for something, but it's somewhere else now. Here's where it went.

• 302 (Found): You asked for something, but it's somewhere else for the moment. Here it is.

• 304 (Not Modified): You asked for something before this, but it hasn't changed since the last time you asked me.

• 400 (Bad Request): Something is wrong about what you asked me to do. Fix what you said and try again.

• 401 (Unauthorized): I need you to identify yourself before I can finish this request. [Note: This is one of the more unfortunately named headers. It should really be titled Unauthenticated; 403 is more like Unauthorized.]

• 403 (Forbidden): You asked for something you're not allowed to have.

• 404 (Not Found): You asked for a resource, but there isn't one that matches your description.

• 500 (Server Error): Something went wrong, so I can't give you what you asked for right now. Sorry about that.

• 501 (Not Implemented): I don't support that kind of request right now.

• 503 (Service Unavailable): I'm not able to respond to requests right now.

Answer 6

To be more precise, these are just HTTP status codes, not HTTP headers. Headers convey a lot of things and are sent by both the client and the server, and are beyond the scope of this answer.

One of the HTTP headers, namely the first one sent by the server to the client, looks like this:

HTTP/1.x 200 OK

or:

HTTP/1.x 404 Not Found

The number that appears after the protocol identifier HTTP/1.x is what's called the status code with the corresponding status message sent after it. Here are the status codes that I've had to use in my PHP programming days:

• 200 OK is by far the most common. It means that everything has worked fine and that you're responding with content.
• 404 Not Found is automatically sent by the server under certain conditions, in particular when the request leads to an executing script that cannot be found on the server. Sometimes, especially if you're writing frameworks which handle URIs in a special way, you will want to manually set a 404 status code. For example, if you have one central executing script index.php through while you route all requests using .htaccess or your Apache settings, Apache will almost never return a 404 on its own accord because, after all, it has found index.php. But clearly, there will still be some URIs that you want to communicate don't lead to anywhere, for which you'll want to send your own 404 status header.
• 301 Moved Permanently and 302 Found (more commonly referenced as 'Moved Temporarily'). These two instruct the browser to look for a Location header and to redirect the user to the URL specified there. Most PHP frameworks have their own functions for HTTP redirects, which also handle the headers. The native PHP redirect header('Location: http://www.google.com'); automatically changes the HTTP status to 302. I've never really understood in depth the difference between 302 and 301, but I've read that 301 is much better for Search Engine Optimization, so I try to always use 301. Perhaps someone else can enlighten on what the exact difference is. One thing to be careful of is to avoid putting a 301/302 status and Location header on a page that's intended to receive POST data. I've had some trouble with it in the past.
• 304 Not Modified is usually sent automatically depending on your Apache settings. Most browsers under normal conditions include the date/time on which the requested item was cached on the user's computer. ETags and other headers are used for this purpose. If Apache judges that the server's corresponding file has not changed since that time, Apache will often send a 304 with no content, which just tells the client to use the cached version.
• 401 Unauthorized is sent when a user is trying to access a restricted section on the website. There are some old HTML features and server technologies that support native username/password prompts, which sent 401 status codes when the prompts were cancelled or not authorized. Most people these days write their own PHP implementations for user authentication and rights management, so Apache doesn't often send 401s on its own accord. You can send the status manually to indicate that more rights are needed to access the page.
• 400 Bad Request is sent by Apache if it receives a request it can't understand. You usually don't have to worry about sending it manually.
• 403 Forbidden is used by some people when users are trying to access a area that they would not be able to access, even with proper authentication perhaps due to geographic, IP, or banning restrictions. I don't use it myself, and I just use 401 and 404 to fill in.
• 5xx. The 500-series are the codes you really don't to see as a developer. It means your code or server did something bad. If you have a server or a load-balancing system of sufficient calibre and you don't have errors in your code, you'll never see the 500-series.