3 digit HTTP status codes - what are they, which are most common, which should be a concern?
Archive - Originally posted on "The Horse's Mouth" - 2011-09-11 10:20:49 - Graham EllisWe often talk during web related course / course modules about the status codes that are returned by servers - but I don't think I've ever written up a (near?) complete list. They are all three digit codes, and they're grouped by hundreds - so 200 series code are success, 400 codes are requests that can't be met, etc. Here's the list:
Informational - 100 series
Continue - 100
Switch Protocol - 101
Success - 200 series
OK - 200
Created - 201
Accepted - 202
NonAuthoritative Information - 203
No Content - 204
Reset Content - 205
Partial Content - 206
Redirection - 300 series
Multiple Choice - 300
Moved Permanently - 301
Found - 302
See Other - 303
Not Modified - 304
Use Proxy - 305
Temporary Redirect - 307
Client Error - 400 series
Bad Request - 400
Unauthorized - 401
Payment Required - 402
Forbidden - 403
Not Found - 404
Method Not Allowed - 405
Not Acceptable - 406
Proxy Authentication Required - 407
Request TimeOut - 408
Conflict - 409
Gone - 410
Length Required - 411
Precondition Failed - 412
Request Entity Too Large - 413
Request URI Too Long - 414
Unsupported Media Type - 415
Requested Range Not Satisfiable - 416
Expectation Failed - 417
Server Error - 500 series
Internal Server Error - 500
Not Implemented - 501
Bad Gateway - 502
Service Unavailable - 503
Gateway TimeOut - 504
Version Not Supported - 505
other extension / non standard / no longer used codes listed at the end of this article
So - which are the important codes? As a web site provider, you want to take a very careful look at the 500 series codes as they indicate something potentially wrong with your web server. Anything more that 0.5% in the 400 series would worry me too, as that indcates that you may have users being (mis)lead into asking for pages that don't exist, or knocking on locked doors.
How can we analyse the relative number of access codes? I've written a ruby program (source code [here]) to look through server log files - defaulting to 100 days of data, and here are my results starting 1st June 2011:
wizard:sep11 graham$ ./ruby_100
200 - 96.04% 10750468
206 - 0.06% 7033
226 - 0.00% 8
250 - 0.01% 1015
301 - 0.12% 13330
302 - 0.07% 7554
304 - 1.70% 190774
400 - 0.01% 965
403 - 0.60% 67093
404 - 1.38% 154432
405 - 0.00% 17
408 - 0.01% 759
416 - 0.00% 8
500 - 0.01% 642
111941 accesses per day
4664.2 accesses per hour
77.74 accesses per minute
wizard:sep11 graham$ Studious readers will note that we have very many code 403 and 404 codes than I said were acceptable just up above. This is because our web server is actually programmed to return these codes to certain intrusion attempts in the (perhaps vain) hope that those intrusion attempts will think there's nothing there and give up. Easy enough to do, but it does mean that my figures here need a little more careful reading than you might have expected.
Status codes covered in the web sections of many courses. They're particularly mentioned and used on the Deploying LAMP, Deploying Apache / Tomcat and PHP courses. A little ironically, the sample program that I've used here comes as a follow up from last week's Ruby course.
The following extra codes may be seen very occasioanlly. Most of them are module / vendor specific extensions, and / or no longer used. Code 418 was an April Fool's joke ... RFC 2324, the Hyper Text Coffee Pot Control Protocol - [see here].
Processing - 102
Checkpoint - 103
Request URI too long - 122
Multi-Status - 207
IM Used - 226
Switch Proxy - 306
Resume Incomplete - 308
I'm a Teapot - 418
Unprocessable Entity - 422
Locked - 423
Faild dependency - 424
Unordered Collection - 425
Upgrade Required - 426
No Response - 444
Retry With - 449
Blocked by Windows Parental Control - 450
Client Closed Request - 499
Varient also negotiates - 506
Insufficient storage - 507
Bandwidth limit exceeded - 509
Not extended - 510