Complete reference for status codes, methods, headers, and CORS (★ = most common)

| Status code | Meaning |
|---|---|
| 100 | Continue -- server received headers, send body |
| 101 | Switching Protocols -- upgrading (e.g. to WebSocket) |
| 102 | Processing -- request received, still working (WebDAV) |
| 103 | Early Hints -- preload resources before final response |
| 200 ★ | OK -- standard success response |
| 201 ★ | Created -- resource created (POST success) |
| 202 | Accepted -- request accepted, processing async |
| 203 | Non-Authoritative Info -- modified by proxy |
| 204 ★ | No Content -- success, no body (DELETE response) |
| 205 | Reset Content -- clear the form |
| 206 | Partial Content -- range request (video streaming) |
| 300 | Multiple Choices -- multiple options available |
| 301 ★ | Moved Permanently -- URL changed forever (SEO) |
| 302 ★ | Found -- temporary redirect (clients commonly change POST to GET) |
| 303 | See Other -- redirect with GET after POST |
| 304 ★ | Not Modified -- use cached version |
| 307 | Temporary Redirect -- like 302, preserves method |
| 308 | Permanent Redirect -- like 301, preserves method |
| 400 ★ | Bad Request -- malformed syntax / invalid data |
| 401 ★ | Unauthorized -- auth required (no/bad credentials) |
| 402 | Payment Required -- reserved for future use |
| 403 ★ | Forbidden -- authenticated but not allowed |
| 404 ★ | Not Found -- resource doesn't exist |
| 405 | Method Not Allowed -- wrong HTTP method |
| 406 | Not Acceptable -- can't match Accept header |
| 407 | Proxy Auth Required |
| 408 | Request Timeout -- client too slow |
| 409 ★ | Conflict -- resource state conflict (e.g. duplicate) |
| 410 | Gone -- resource permanently deleted |
| 411 | Length Required -- Content-Length missing |
| 412 | Precondition Failed -- conditional header failed |
| 413 | Payload Too Large -- body exceeds limit |
| 414 | URI Too Long |
| 415 | Unsupported Media Type -- wrong Content-Type |
| 416 | Range Not Satisfiable |
| 418 | I'm a Teapot -- (RFC 2324, April Fools) |
| 422 ★ | Unprocessable Entity -- validation error |
| 429 ★ | Too Many Requests -- rate limited |
| 451 | Unavailable for Legal Reasons |
| 500 ★ | Internal Server Error -- generic server failure |
| 501 | Not Implemented -- method not supported |
| 502 ★ | Bad Gateway -- upstream server sent bad response |
| 503 ★ | Service Unavailable -- overloaded / maintenance |
| 504 | Gateway Timeout -- upstream server timed out |
| 505 | HTTP Version Not Supported |
| 507 | Insufficient Storage (WebDAV) |
| 508 | Loop Detected (WebDAV) |
| 511 | Network Authentication Required (captive portal) |

| Method | Semantics |
|---|---|
| GET | Retrieve resource. No body. Safe, idempotent, cacheable. |
| POST | Create resource / submit data. Has body. Not idempotent. |
| PUT | Replace entire resource. Idempotent. Has body. |
| PATCH | Partial update. Has body. Not necessarily idempotent. |
| DELETE | Remove resource. Idempotent. Usually no body. |
| HEAD | Like GET but no response body. Check existence/headers. |
| OPTIONS | Describe communication options. Used in CORS preflight. |
| TRACE | Echo request back. Debugging. Usually disabled. |
| CONNECT | Establish tunnel (HTTPS through proxy). |

REST API conventions:

| Request | Action |
|---|---|
| GET /users | List all users |
| GET /users/42 | Get user 42 |
| POST /users | Create new user |
| PUT /users/42 | Replace user 42 |
| PATCH /users/42 | Update user 42 partially |
| DELETE /users/42 | Delete user 42 |
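
The conventions above combined with the status-code and method tables, as an added example that is not part of this reference: a small in-memory dispatcher for `/users` that returns the status codes a client should expect (201 + `Location` on create, 204 on delete, 304 on a matching `If-None-Match`, 405 with `Allow`, and 415 / 400 / 422 for the three different kinds of bad request body). The `USERS` store, the `name` field and the route shapes are constructed for this example.

```python
import hashlib
import json
import re
from typing import Dict, Optional, Tuple

# Constructed in-memory store standing in for a database (sample data for this example).
USERS: Dict[int, dict] = {42: {"name": "Ada"}}

Response = Tuple[int, Dict[str, str], bytes]  # (status code, response headers, body)
COLLECTION = re.compile(r"^/users$")
ITEM = re.compile(r"^/users/(\d+)$")


def _json(status: int, obj, extra: Optional[Dict[str, str]] = None) -> Response:
    """Serialise a JSON body and attach Content-Type, Content-Length and a strong ETag."""
    body = json.dumps(obj, sort_keys=True).encode()
    headers = {
        "Content-Type": "application/json",
        "Content-Length": str(len(body)),
        "ETag": '"%s"' % hashlib.sha256(body).hexdigest()[:16],
    }
    headers.update(extra or {})
    return status, headers, body


def _empty(status: int, extra: Optional[Dict[str, str]] = None) -> Response:
    """Bodiless response (204, 304, 405)."""
    headers = {"Content-Length": "0"}
    headers.update(extra or {})
    return status, headers, b""


def _parse_user(headers: Dict[str, str], body: bytes, partial: bool = False):
    """Validate a request body. Returns (user_dict, None) or (None, error_response):
    415 = wrong Content-Type, 400 = malformed JSON, 422 = well-formed but fails validation."""
    media = headers.get("content-type", "").split(";")[0].strip().lower()
    if media != "application/json":
        return None, _json(415, {"error": "expected application/json"})
    try:
        obj = json.loads(body)
    except ValueError:
        return None, _json(400, {"error": "malformed JSON"})
    if not isinstance(obj, dict) or ("name" in obj and not isinstance(obj["name"], str)) \
            or ("name" not in obj and not partial):
        return None, _json(422, {"error": "'name' (string) is required"})
    obj.pop("id", None)  # the id comes from the URL, never from the body
    return obj, None


def handle(method: str, path: str, headers: Optional[Dict[str, str]] = None, body: bytes = b"") -> Response:
    """Dispatch method + path following the REST conventions above and return (status, headers, body)."""
    hdrs = {k.lower(): v for k, v in (headers or {}).items()}
    method = method.upper()

    if COLLECTION.match(path):
        if method == "GET":
            return _json(200, [{"id": i, **u} for i, u in sorted(USERS.items())])
        if method == "POST":
            user, err = _parse_user(hdrs, body)
            if err:
                return err
            new_id = max(USERS, default=0) + 1
            USERS[new_id] = user
            # 201 Created + Location: tells the client where the new resource lives.
            return _json(201, {"id": new_id, **user}, {"Location": f"/users/{new_id}"})
        return _empty(405, {"Allow": "GET, POST"})  # 405 must list the allowed methods

    m = ITEM.match(path)
    if not m:
        return _json(404, {"error": "not found"})
    if method not in ("GET", "HEAD", "PUT", "PATCH", "DELETE"):
        return _empty(405, {"Allow": "GET, HEAD, PUT, PATCH, DELETE"})
    uid = int(m.group(1))
    if uid not in USERS:
        return _json(404, {"error": "not found"})

    if method in ("GET", "HEAD"):
        status, resp_hdrs, payload = _json(200, {"id": uid, **USERS[uid]})
        # Conditional GET: a matching If-None-Match means the client's cached copy is current.
        if hdrs.get("if-none-match") == resp_hdrs["ETag"]:
            return _empty(304, {"ETag": resp_hdrs["ETag"]})
        return status, resp_hdrs, (b"" if method == "HEAD" else payload)  # HEAD: headers only
    if method == "PUT":
        user, err = _parse_user(hdrs, body)
        if err:
            return err
        USERS[uid] = user  # PUT replaces the whole resource
        return _json(200, {"id": uid, **user})
    if method == "PATCH":
        patch, err = _parse_user(hdrs, body, partial=True)
        if err:
            return err
        USERS[uid].update(patch)  # PATCH merges only the supplied fields
        return _json(200, {"id": uid, **USERS[uid]})
    del USERS[uid]
    return _empty(204)  # DELETE succeeded, nothing to return
```

Calling `handle("GET", "/users/42")` returns 200 with an `ETag`; repeating the call with that value in `If-None-Match` returns 304 and no body. The three body-validation codes are kept distinct on purpose: 415 says the client sent the wrong format, 400 says the bytes are not even parseable, and 422 says the document parsed but does not satisfy the resource's rules, which lets a client (or a WAF rule) tell the cases apart.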

| Request header | Purpose |
|---|---|
| Accept | Media types client accepts (application/json) |
| Authorization | Credentials (Bearer <token>, Basic ...) |
| Content-Type | Body format (application/json, multipart/form-data) |
| Content-Length | Size of request body in bytes |
| Cookie | Send stored cookies |
| User-Agent | Client software identifier |
| Accept-Encoding | Supported compression (gzip, br, deflate) |
| Accept-Language | Preferred languages (en-US,en;q=0.9) |
| If-None-Match | ETag for conditional request (caching) |
| If-Modified-Since | Date for conditional request (caching) |
| Referer | URL of referring page |
| X-Requested-With | XMLHttpRequest (AJAX identifier) |

| Response header | Purpose |
|---|---|
| Content-Type | Response body format |
| Set-Cookie | Set a cookie on the client |
| Location | Redirect URL (with 3xx) |
| ETag | Resource version identifier (caching) |
| Last-Modified | When resource was last changed |
| WWW-Authenticate | Auth method required (with 401) |
| Retry-After | Seconds to wait (with 429 / 503) |
| X-RateLimit-* | Rate limit info (Limit, Remaining, Reset) |

Cache-Control examples:

    Cache-Control: public, max-age=31536000
    Cache-Control: private, no-cache
    Cache-Control: no-store

| Directive | Meaning |
|---|---|
| public | Any cache can store |
| private | Only browser cache |
| no-cache | Must revalidate with server |
| no-store | Never cache (sensitive data) |
| max-age=N | Fresh for N seconds |
| s-maxage=N | CDN/proxy max age |
| immutable | Never changes (versioned assets) |
| must-revalidate | Stale = must check server |
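
How the directives above combine, as an added example that is not part of this reference: a parser for the `Cache-Control` value plus two helpers that answer the questions a shared cache (CDN/proxy) and a browser cache actually ask, namely how long the response may be reused and whether it may be served stale, and an `audit` check that flags a per-user response a shared cache would be allowed to keep. The precedence it encodes (`no-store` beats everything, `private` excludes shared caches, `s-maxage` overrides `max-age` only for shared caches, `no-cache` means store-but-revalidate) follows the directive meanings in the table; treating a response with no explicit lifetime as needing revalidation is a conservative simplification chosen for this example.

```python
from typing import Dict, List, Optional, Union

Directives = Dict[str, Union[bool, int]]


def parse_cache_control(value: str) -> Directives:
    """Parse a Cache-Control value into {directive: True or int}; names are case-insensitive."""
    out: Directives = {}
    for token in value.split(","):
        name, _, arg = token.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        arg = arg.strip().strip('"')  # max-age="60" (quoted) is also valid
        out[name] = int(arg) if arg.isdigit() else True  # non-numeric arguments are just flagged present
    return out


def freshness_lifetime(value: str, shared: bool) -> Optional[int]:
    """Seconds a cache may serve the response without revalidating.
    None = must not store it at all; 0 = may store it but must revalidate on every use.
    shared=True models a CDN/proxy, shared=False the browser's private cache."""
    d = parse_cache_control(value)
    if "no-store" in d:
        return None                   # never written to any cache
    if shared and "private" in d:
        return None                   # shared caches must not keep it
    if "no-cache" in d:
        return 0                      # stored, but every reuse needs a revalidation round trip
    if shared and isinstance(d.get("s-maxage"), int):
        return d["s-maxage"]          # s-maxage overrides max-age for shared caches only
    if isinstance(d.get("max-age"), int):
        return d["max-age"]
    return 0  # no explicit lifetime: conservatively require revalidation (heuristic freshness not modelled)


def may_serve_stale(value: str, shared: bool) -> bool:
    """Whether a cache may keep serving the entry after its lifetime expires (e.g. origin down)."""
    d = parse_cache_control(value)
    if freshness_lifetime(value, shared) is None or "no-cache" in d:
        return False
    return not ("must-revalidate" in d or (shared and "proxy-revalidate" in d))


def audit(value: str, sensitive: bool) -> List[str]:
    """Findings for a response that carries per-user or secret data (sensitive=True)."""
    findings: List[str] = []
    if not sensitive:
        return findings
    if freshness_lifetime(value, shared=True) is not None:
        findings.append("shared cache (CDN/proxy) may store a per-user response: add private or no-store")
    if "no-store" not in parse_cache_control(value):
        findings.append("browser may persist the response to disk: use no-store for secrets")
    return findings
```

The `audit` helper captures the table's last two rows in checkable form: `public, max-age=60` on a response that contains someone's account data yields two findings, `private, max-age=60` one, and `no-store` none.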

| CORS response header | Purpose |
|---|---|
| Access-Control-Allow-Origin | Allowed origin (* or specific) |
| Access-Control-Allow-Methods | Allowed HTTP methods |
| Access-Control-Allow-Headers | Allowed request headers |
| Access-Control-Max-Age | Preflight cache duration (sec) |
| Access-Control-Allow-Credentials | Allow cookies cross-origin |

Preflight flow (OPTIONS):

1. Browser sends OPTIONS with Origin header
2. Server responds with Access-Control-* headers
3. If allowed, browser sends actual request
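
The three-step flow with both sides written out, as an added example that is not part of this reference: `preflight_response` is step 2 (the server checks the `Origin`, `Access-Control-Request-Method` and `Access-Control-Request-Headers` of the OPTIONS request against an allowlist and emits the `Access-Control-*` headers from the table), and `browser_allows` is the decision a browser makes in step 3 before sending the actual request. The origins, methods and headers in the policy are assumed values for this example. Two points the table alone does not show are built in: the server answers with the exact allowed origin instead of `*` (browsers reject `*` together with `Access-Control-Allow-Credentials: true`), and an origin that is not on the allowlist gets no CORS headers at all rather than having its value echoed back.

```python
from typing import Dict, Iterable

# Constructed server policy for this example (assumed values, not from the page).
ALLOWED_ORIGINS = {"https://app.example", "https://admin.example"}
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
ALLOWED_HEADERS = {"content-type", "authorization", "x-requested-with"}
ALLOW_CREDENTIALS = True   # cookies / Authorization may accompany cross-origin requests
MAX_AGE = 600              # browser may reuse this preflight answer for 10 minutes


def preflight_response(request_headers: Dict[str, str]) -> Dict[str, str]:
    """Step 2: answer an OPTIONS preflight. Returns {} when the request is not allowed;
    with no Access-Control-* headers the browser blocks the actual request (step 3 never happens)."""
    req = {k.lower(): v for k, v in request_headers.items()}
    origin = req.get("origin")
    method = req.get("access-control-request-method", "").strip().upper()
    wanted = {h.strip().lower() for h in req.get("access-control-request-headers", "").split(",") if h.strip()}

    # Check against an explicit allowlist. Echoing whatever Origin arrives would be
    # equivalent to "*" but with credentials attached, the classic CORS misconfiguration.
    if origin not in ALLOWED_ORIGINS or method not in ALLOWED_METHODS or not wanted <= ALLOWED_HEADERS:
        return {}

    resp = {
        "Access-Control-Allow-Origin": origin,   # exact origin, never "*" when credentials are allowed
        "Vary": "Origin",                        # the answer depends on Origin, so caches must key on it
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(sorted(ALLOWED_HEADERS)),
        "Access-Control-Max-Age": str(MAX_AGE),
    }
    if ALLOW_CREDENTIALS:
        resp["Access-Control-Allow-Credentials"] = "true"
    return resp


def browser_allows(preflight: Dict[str, str], origin: str, method: str,
                   headers: Iterable[str], with_credentials: bool) -> bool:
    """Step 3 from the browser's side: the checks applied to the preflight response before
    the actual request is sent. Simplified: CORS-safelisted request headers are not special-cased."""
    aco = preflight.get("Access-Control-Allow-Origin")
    if aco is None:
        return False
    if with_credentials:
        # Credentialed requests need an exact origin match AND Allow-Credentials: true; "*" is rejected.
        if aco != origin or preflight.get("Access-Control-Allow-Credentials") != "true":
            return False
    elif aco not in ("*", origin):
        return False

    method = method.upper()
    allowed_methods = {m.strip().upper() for m in preflight.get("Access-Control-Allow-Methods", "").split(",") if m.strip()}
    if method not in {"GET", "HEAD", "POST"} and method not in allowed_methods:
        return False  # simple methods never need listing; anything else must be allowed explicitly
    allowed_headers = {h.strip().lower() for h in preflight.get("Access-Control-Allow-Headers", "").split(",") if h.strip()}
    return all(h.lower() in allowed_headers for h in headers)
```

A preflight from `https://app.example` asking for `PUT` with `Content-Type` and `Authorization` passes both sides; the same request from an origin outside the allowlist, or asking for a method such as `TRACE`, gets an empty answer and never reaches step 3. The `Vary: Origin` header matters whenever the response differs per origin, otherwise a shared cache could hand one origin's allow header to another.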

| Content-Type | Used for |
|---|---|
| application/json | JSON data |
| application/xml | XML data |
| text/html | HTML document |
| text/plain | Plain text |
| text/css | CSS stylesheet |
| application/javascript | JavaScript |
| multipart/form-data | File uploads |
| application/x-www-form-urlencoded | Form data |
| application/octet-stream | Binary data |
| image/png, image/jpeg | Images |