What does HTTP status code 521 mean?

521 is a Cloudflare-specific code meaning 'Web Server Is Down' — Cloudflare could not reach the origin server at all. The code is not in RFC 9110 or MDN. Typical causes: the origin is offline, the firewall blocks the Cloudflare IP ranges, or the listening port is wrong. Fix: check the origin status, add the Cloudflare IP list to the allow-list, and review the SSL/TLS mode in the Cloudflare dashboard. For intermittent 521 the Cloudflare diagnostic page is worth a direct visit.

What is the difference between 401 and 403?

401 means: missing or invalid credentials. 403 means: credentials are valid, access is refused anyway. On 401 a fresh login with valid credentials helps; the server even returns a WWW-Authenticate header that describes the expected auth method. On 403 no login helps — the user is known and simply not authorised for this resource. Practically: 401 for API endpoints without a bearer token, 403 for API endpoints with a valid token but wrong role. More in [RFC 9110 §15.5.2](https://www.rfc-editor.org/rfc/rfc9110#name-401-unauthorized) and [§15.5.4](https://www.rfc-editor.org/rfc/rfc9110#name-403-forbidden).

When do I use 301, 302, 307, or 308 for redirects?

For permanent redirects pick 308 as the modern default, for temporary pick 307. The difference from the older 301 and 302: 307 and 308 preserve the HTTP method, while 301 and 302 historically downgrade POST to GET. Permanence drives SEO behaviour — search engines transfer ranking signals on 301 and 308. Practically: for `/blog/old-post` → `/blog/new-post` use 308. For an A/B-test router that handles POST forms, 307 is safer than 302. [RFC 9110 §15.4](https://www.rfc-editor.org/rfc/rfc9110#name-redirection-3xx) explains all four.

What does HTTP status 499 mean?

499 is an nginx-internal code defined in the nginx source, not in any RFC. Meaning: the client closed the connection before the server finished sending the response. Common cause: a mobile app where the user navigates away while a long-polling connection is open. The nginx access log shows 499; in Wireshark you see the client-side FIN/RST. If 499 noise is high, look at `proxy_ignore_client_abort` or the upstream service timeout. 499 vs 444: 444 is server-side closed, 499 is client-side.

What is the difference between 502, 503, and 504?

502 means: the gateway got an invalid response from the upstream. 503 means: the server itself is overloaded or in maintenance. 504 means: the gateway never heard back from the upstream within the timeout. On 502, inspect the origin log (crash, worker reset). 503 is often paired with a Retry-After header — 'please come back later'. 504 shows the origin response is slower than the gateway timeout (typically 60-100 s) — either speed up the response or raise the timeout. RFC 9110 [§15.6.3-§15.6.5](https://www.rfc-editor.org/rfc/rfc9110#name-server-error-5xx) has the original definitions.

Which status codes does a POST typically return?

On successful POST: 200 (generic success with response body), 201 (resource created, with Location header), 202 (queued for asynchronous processing), 204 (success with no body), or 303 (Post-Redirect-Get pattern, redirects to GET). On validation errors: 400 (broken syntax), 422 (syntax ok, business-rule violated), 409 (conflict with current resource state). On auth errors: 401 or 403. The tool above has a method cross-reference — click 'POST' and you see every relevant code.

Which RFC defines HTTP status codes in 2026?

RFC 9110 has been the current HTTP semantics specification since June 2022, replacing the older RFC 7231. RFC 9110 consolidates methods, status codes, headers, and authentication into one document. Specific codes come from additional RFCs: 308 from [RFC 7538](https://www.rfc-editor.org/rfc/rfc7538), 425 Too Early from [RFC 8470](https://www.rfc-editor.org/rfc/rfc8470), 103 Early Hints from [RFC 8297](https://www.rfc-editor.org/rfc/rfc8297), 451 Unavailable For Legal Reasons from [RFC 7725](https://www.rfc-editor.org/rfc/rfc7725). WebDAV codes (207, 422, 423, 424, 507) are in [RFC 4918](https://www.rfc-editor.org/rfc/rfc4918). The [IANA Status Code Registry](https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml) is the official list.

Does this tool send my search to a server?

No. The whole status code database is embedded in the browser bundle — no API, no backend, no logging. You can verify this yourself: open F12, the Network tab, type in the search, and you will see no requests beyond the initial page load. Full-text search, class filters, and snippet generation all run as pure-client JavaScript. No cookie is set, no localStorage entry remains. The 'platform codes only' toggle and the HTTP method filter also happen entirely client-side — the status code you are looking up never leaves your browser.

HTTP Status Codes — Cloudflare, nginx, Snippets

What does the HTTP status codes tool do?

The tool is a searchable reference catalogue for HTTP status codes. It covers RFC 9110 completely — every 1xx informational, 2xx success, 3xx redirection, 4xx client-error and 5xx server-error code — and adds the platform-specific codes that the IANA registry omits but that appear in your production log every day: Cloudflare 520-530, nginx 444 and 494-499, IIS 440 and 449, AWS Application Load Balancer 460/463, and CloudFront 561.

For each code the tool shows: the canonical reason phrase, a technical explanation in two to four sentences, the typical HTTP methods (POST tends to return 201, GET tends to return 200), a link to the specification (RFC, Cloudflare docs, nginx source), and a Wikipedia link for editorial context.

Which platform codes does the tool cover?

MDN documents only the IANA-registered standard. Tools that ship in your production stack regularly emit non-standard codes:

Cloudflare 520-527 and 530 — the full ‘edge could not reach the origin’ family. 521 (origin offline), 522 (connection timeout), 523 (origin DNS error), 524 (origin response > 100 s), 525 and 526 (origin SSL issues), 527 (Railgun error), 530 (wrapper for the 1xxx error series).
nginx 444 and 494-499 — internal codes from the nginx source: 444 (connection silently dropped), 494 (request header too large), 495 and 496 (client-certificate problems), 497 (HTTP request on HTTPS port), 499 (client closed the connection).
IIS 440 and 449 — Microsoft-specific codes: 440 (login timeout), 449 (Retry With).
AWS Application Load Balancer 460/463 and CloudFront 561 — cloud-provider edge codes for client timeout, oversized X-Forwarded-For chain, and Lambda@Edge auth failure.

The ‘platform codes only’ filter hides the RFC standard and shows only this world — useful when you look up a specific 5xx incident in the Cloudflare dashboard.

What are confusion cards?

Four code pairs are the most-confused in 2026 — the tool auto-shows a comparison card as soon as you select one of the codes:

401 vs 403 — authentication (no login) vs authorisation (logged in but no permission).
301 vs 302 vs 307 vs 308 — permanence × method preservation as a truth table. 308 = permanent + method preserving, the modern default.
400 vs 422 — HTTP-layer error (syntax, framing) vs business-rule error (validation, conflict). Use 422 when the JSON is syntactically fine but the email field is invalid.
502 vs 503 vs 504 — upstream broken vs origin overloaded vs upstream silent. The three gateway errors look similar but have different root-cause diagnoses.

Each cluster carries a one-to-two-sentence summary and buttons to the peer codes — click-through with no URL change.

How does the HTTP method filter work?

Every code in the database carries a list of ‘typical HTTP methods that produce this code’. The HTTP method filter narrows the list to one method: click ‘POST’ and you see only codes that make sense after a POST — 200, 201, 202, 204, 303, 307, 400, 409, 422, 429, 500. Click ‘GET’ and you see the GET-typical codes — 200, 206, 301, 304, 404, 410.

That is the inverse view of the detail card: there, each code says ‘these methods trigger me’; the filter says ‘this method returns me the following codes’.

Which snippet languages does the exporter support?

Six target languages, all generated client-side:

TypeScript enum — export enum HttpStatus { NOT_FOUND = 404, … } with JSDoc comments.
Python dict — HTTP_STATUS_CODES = { 404: "Not Found", … } as a lookup map.
Go const block — const ( StatusNot_Found = 404 … ) in idiomatic Go style.
Rust enum — #[repr(u16)] pub enum HttpStatus { Not_Found = 404, … } with u16 representation.
Java record — public record HttpStatus(int code, String name) plus static final constants.
Ruby module — module HttpStatus NOT_FOUND = 404 … end as a constants container.

By default the exporter emits all codes — standard plus platform codes. You can narrow the selection with the ‘RFC standard only’ toggle; the platform world then disappears from the generated code. Both snippets are cleanly commented and can drop into a codebase as-is — no tests, no dependencies, no compiler warnings expected.

Why does this run pure-client without tracking?

This tool sends no request to a server. The whole status code database is embedded in the JavaScript bundle, search runs via String.prototype.toLowerCase and includes, snippet generation runs via template strings. No API calls, no telemetry, no cookies, no localStorage.

More in the OWASP Logging Cheat Sheet on what a tool search actually exposes — and why for security-relevant lookups (status-code research during an incident) it matters that the search does not end up in someone else’s log. The IANA HTTP Status Code Registry is the canonical source for IANA-registered codes; everything beyond that comes directly from platform documentation (Cloudflare 5xx errors, nginx HTTP request processing, Microsoft IIS HTTP status codes).

HTTP Status Codes — Cloudflare, nginx, Snippets

How It Works

Paste text or code

Instant processing

Copy result

Privacy

How do you use this tool?