Back to Cheat Sheets

HTTP Methods & Status Codes Cheat Sheet

New

HTTP methods, status code categories, common codes, and REST conventions

HTTP Methods

GET

Retrieve a resource. Safe and idempotent. No request body.

GET /api/users/123 GET /api/posts?page=2&limit=10

POST

Create a new resource or trigger an action. Not idempotent.

POST /api/users Content-Type: application/json { "name": "Alice", "email": "alice@example.com" }

PUT

Replace a resource entirely. Idempotent.

PUT /api/users/123 { "name": "Alice", "email": "new@example.com" }

PATCH

Partially update a resource. Not always idempotent.

PATCH /api/users/123 { "email": "newemail@example.com" }

DELETE

Remove a resource. Idempotent.

DELETE /api/users/123

HEAD & OPTIONS

HEAD returns headers only. OPTIONS lists allowed methods (CORS preflight).

HEAD /api/users/123 # get headers, no body OPTIONS /api/users # allowed methods

2xx Success

200 OK

Request succeeded. Standard response for GET, PUT, PATCH.

HTTP/1.1 200 OK { "id": 1, "name": "Alice" }

201 Created

Resource was created successfully. Include Location header.

HTTP/1.1 201 Created Location: /api/users/42 { "id": 42, "name": "Alice" }

204 No Content

Request succeeded but no response body. Use for DELETE.

HTTP/1.1 204 No Content # No body

3xx Redirection

301 Moved Permanently

Resource has permanently moved. Browsers cache this.

HTTP/1.1 301 Moved Permanently Location: https://new-domain.com/page

302 Found

Temporary redirect. Client should use original URL next time.

HTTP/1.1 302 Found Location: /login

304 Not Modified

Cached version is still valid. No body returned.

HTTP/1.1 304 Not Modified # Client should use its cached version

307 & 308

307 = temporary redirect, preserves method. 308 = permanent, preserves method.

307 Temporary Redirect → preserves POST method 308 Permanent Redirect → preserves POST method

4xx Client Errors

400 Bad Request

Malformed request syntax or invalid parameters.

HTTP/1.1 400 Bad Request { "error": "Invalid email format" }

401 Unauthorized

Authentication required or credentials invalid.

HTTP/1.1 401 Unauthorized WWW-Authenticate: Bearer { "error": "Authentication required" }

403 Forbidden

Authenticated but not authorized for this resource.

HTTP/1.1 403 Forbidden { "error": "Insufficient permissions" }

404 Not Found

Resource does not exist at this URL.

HTTP/1.1 404 Not Found { "error": "User 999 not found" }

409 Conflict

Request conflicts with current state (e.g. duplicate email).

HTTP/1.1 409 Conflict { "error": "Email already registered" }

422 Unprocessable Entity

Syntactically valid but semantically incorrect. Use for validation errors.

HTTP/1.1 422 Unprocessable Entity { "errors": [{ "field": "age", "message": "Must be positive" }] }

429 Too Many Requests

Rate limit exceeded.

HTTP/1.1 429 Too Many Requests Retry-After: 60 { "error": "Rate limit exceeded" }

5xx Server Errors

500 Internal Server Error

Unexpected server error. Generic catch-all.

HTTP/1.1 500 Internal Server Error { "error": "Something went wrong" }

502 Bad Gateway

Upstream server returned invalid response.

HTTP/1.1 502 Bad Gateway # Often seen when a reverse proxy fails to reach app server

503 Service Unavailable

Server temporarily unavailable (overloaded or maintenance).

HTTP/1.1 503 Service Unavailable Retry-After: 300

504 Gateway Timeout

Upstream server timed out.

HTTP/1.1 504 Gateway Timeout # Reverse proxy did not receive a timely response

Common Patterns

REST API Response Conventions

Standard status codes mapped to REST CRUD operations

GET    /resources         → 200 OK (list)
GET    /resources/:id     → 200 OK or 404 Not Found
POST   /resources         → 201 Created + Location header
PUT    /resources/:id     → 200 OK (return updated) or 204 No Content
PATCH  /resources/:id     → 200 OK (return updated) or 204 No Content
DELETE /resources/:id     → 204 No Content or 404 Not Found

# Authentication errors
No token provided    → 401 Unauthorized
Token invalid/expired → 401 Unauthorized
Valid token, no access → 403 Forbidden

Error Response Body Structure

Consistent error response format across your API

// Standard error shape
{
  "error": {
    "code": "VALIDATION_FAILED",
    "message": "Request validation failed",
    "details": [
      { "field": "email", "message": "Invalid email format" },
      { "field": "age",   "message": "Must be a positive integer" }
    ]
  }
}

// Simple error shape
{
  "error": "Resource not found",
  "statusCode": 404
}

Redirect Decision Tree

Which redirect code to use and when

Resource moved permanently?
  → Preserves GET method?     → 301 Moved Permanently
  → Preserves any method?     → 308 Permanent Redirect

Resource moved temporarily?
  → Preserves GET method?     → 302 Found
  → Preserves any method?     → 307 Temporary Redirect

After POST → redirect to result?
  → 303 See Other (redirect with GET)

Cached content still valid?
  → 304 Not Modified

Tips & Best Practices

Return 201 Created (not 200) when a new resource is created, and include the Location header

Use 204 No Content for successful DELETE or PATCH requests with no response body

Distinguish 401 (not authenticated) from 403 (authenticated but not authorized)

Use 422 for validation errors instead of 400 — it better communicates the problem

Always return a consistent error response shape so API consumers can handle errors uniformly

Additional Resources

MDN HTTP Status Codes

Complete MDN reference for all HTTP status codes

HTTP Statuses

Quick reference for all HTTP status codes

Related Cheat Sheets

REST API Design

REST principles, URL design, and best practices

Async JavaScript

Fetch, promises, async/await

JSON Syntax

JSON data types and syntax reference