Ink·tab

1xx–5xx · common headers

401 vs 403, Cache-Control flavors, CORS preflight — answered fast.

  • 100 Continue (RFC 9110 §15.2.1)

    Interim reply to a request that carried Expect: 100-continue, typically ahead of a large POST or PUT body. The client withholds the body until the 100 arrives; if the server answers with a final status instead (401, 413, ...), the body is never sent, which saves bandwidth on rejected uploads.

  • 101 Switching Protocols (RFC 9110 §15.2.2)

    WebSocket upgrade response. After the Upgrade header negotiation, the same connection switches to the other protocol. (The HTTP/1.1 Upgrade to h2c used it too, a path RFC 9113 now deprecates.)

  • 103 Early Hints (RFC 8297)

    Interim response carrying Link: rel=preload headers ahead of the final one. Browsers start fetching the CSS / JS while the server is still working, so the wait for the real response is no longer dead time.

  • 200 OK (RFC 9110 §15.3.1)

    Standard success with a body (HEAD excepted). For GET the body is the representation, for POST the result of the action, for PUT a status report or the updated representation.

  • 201 Created (RFC 9110 §15.3.2)

    A resource was created. Usually carries a Location header pointing at it; without one, the request URI identifies the new resource. The canonical response to POST /users.

  • 202 Accepted (RFC 9110 §15.3.3)

    Received but not yet acted on: the work runs asynchronously (background jobs, queued mail, video encoding). Pair it with a status URL the client can poll. It is not a promise that the job will succeed.

  • 204 No Content (RFC 9110 §15.3.5)

    Success without a body: DELETE, a PUT that has nothing to return, a form submit that should leave the page in place. Don't send Content-Length at all; RFC 9110 §8.6 forbids it on 204, and the message ends with the headers.

  • 206 Partial Content (RFC 9110 §15.3.7)

    Answer to a Range request. Video seeking, resumable downloads. A single range carries a Content-Range header so the client knows which slice it got; several ranges come back as multipart/byteranges.

  • 301 Moved Permanently (RFC 9110 §15.4.2)

    Permanent move. Search engines and browsers cache the new URL, so it is hard to undo. Standard for domain migration and HTTP→HTTPS canonicalisation. Clients may rewrite a POST to GET on the way; use 308 when the method must survive.

  • 302 Found (RFC 9110 §15.4.3)

    Temporary move. Not cached unless the response says it may be. A/B tests, login branching, transient redirects. Browsers rewrite POST → GET on the way, legacy behaviour the RFC tolerates.

  • 304 Not Modified (RFC 9110 §15.4.5)

    Conditional GET hit: the validator sent in If-None-Match / If-Modified-Since still matches. No body; the client reuses its cached copy, which is the whole point. Repeat the ETag, Cache-Control and Vary headers the cache needs to refresh its entry.

  • 307 Temporary Redirect (RFC 9110 §15.4.8)

    Like 302 but the method and body are preserved. A POST stays a POST at the new URL.

  • 308 Permanent Redirect (RFC 9110 §15.4.9)

    Like 301 but the method and body are preserved. The right permanent redirect for REST APIs.

  • 400 Bad Request (RFC 9110 §15.5.1)

    The request itself is malformed: JSON that doesn't parse, a broken header, invalid framing. The 4xx default when nothing more specific fits (a wrong method on a real route is 405, an unknown method 501).

  • 401 Unauthorized (RFC 9110 §15.5.2)

    Authentication is missing or failed (no credentials, expired token). The response must carry WWW-Authenticate naming the scheme (Basic, Bearer, Digest) so the client knows how to try again.

  • 402 Payment Required (RFC 9110 §15.5.3)

    Almost never used as the spec intends; RFC 9110 keeps it 'reserved for future use'. Stripe and other payment APIs use it for card declines.

  • 403 Forbidden (RFC 9110 §15.5.4)

    Understood and refused. The usual case: the token is valid but this identity has no permission for this resource, so re-authenticating won't help. Don't confuse it with 401: 401 = 'who?', 403 = 'no.'

  • 404 Not Found (RFC 9110 §15.5.5)

    Nothing at that URI: the route doesn't exist or the ID matched nothing. Often returned instead of 403 so the response doesn't confirm which IDs exist (the GitHub pattern for private repositories).

  • 405 Method Not Allowed (RFC 9110 §15.5.6)

    The route exists; the method (GET / POST / ...) isn't defined for it. List the methods that are in an Allow header; the RFC requires it.

  • 406 Not Acceptable (RFC 9110 §15.5.7)

    The Accept header asked for a format the server can't produce (e.g. application/xml from a JSON-only API). Content negotiation failed. Rare in practice; most servers ignore Accept and send their default instead.

  • 408 Request Timeout (RFC 9110 §15.5.9)

    The server gave up waiting for a complete request, usually an idle keep-alive connection hitting its timeout. Nothing was processed, so the client opens a fresh connection and retries.

  • 409 Conflict (RFC 9110 §15.5.10)

    The request clashes with the current state: duplicate signup, concurrent edits, an application-level version check that failed (a failed If-Match precondition is 412 instead). Explain the conflict in the body so the client can resolve it.

  • 410 Gone (RFC 9110 §15.5.11)

    Permanently removed, no forwarding address. Different from 404: this is an explicit 'we deleted this'. Search engines drop the URL faster than on a 404.

  • 413 Content Too Large (RFC 9110 §15.5.14)

    The request body exceeds what the server will accept. State the limit in the body; add Retry-After only if the condition is temporary. Closing the connection stops the client from streaming the rest of the upload.

  • 415 Unsupported Media Type (RFC 9110 §15.5.16)

    The Content-Type isn't one the endpoint accepts, e.g. application/json sent to a form handler that only takes application/x-www-form-urlencoded.

  • 418 I'm a teapot (RFC 2324)

    RFC 2324's April Fools' joke, never a real HTTP status. Some sites have repurposed it as a bot-block signal.

  • 422 Unprocessable Content (RFC 9110 §15.5.21)

    The syntax is fine (the JSON parses) but the values fail validation. More specific than 400, and the default for validation errors in Laravel, FastAPI and Rails.

  • 429 Too Many Requests (RFC 6585 §4)

    Rate limit hit. Retry-After tells the client when to try again, as delta-seconds or an HTTP-date.

  • 451 Unavailable For Legal Reasons (RFC 7725)

    Blocked by a legal demand (court order, takedown, regional censorship). Named after Fahrenheit 451. A Link header with rel="blocked-by" may name who imposed the block. Typical sources: EU GDPR, Korean MOIS, US DMCA.

  • 500 Internal Server Error (RFC 9110 §15.6.1)

    Unhandled server-side failure: an exception, a null dereference, a database outage. Show users a generic message; log the full stack server-side and never echo it in the response.

  • 501 Not Implemented (RFC 9110 §15.6.2)

    The server doesn't support the method at all (PROPFIND on a non-WebDAV server). Different from 405: 405 has the route but not the method; 501 doesn't know the method anywhere.

  • 502 Bad Gateway (RFC 9110 §15.6.3)

    A proxy got an invalid response from upstream. The origin behind nginx / a CDN died, returned garbage or was unreachable.

  • 503 Service Unavailable (RFC 9110 §15.6.4)

    Temporarily unavailable: restarting, overloaded, in maintenance. Add Retry-After; search engines revisit later instead of deindexing when they see 503 + Retry-After.

  • 504 Gateway Timeout (RFC 9110 §15.6.5)

    The proxy got no response from upstream in time. Different from 502: 502 is a bad reply, 504 is no reply.

  • 511 Network Authentication Required (RFC 6585 §6)

    Captive-portal trigger: hotel / airport Wi-Fi 'agree to terms' pages. The intercepting network returns it so clients don't mistake the portal page for the resource they asked for.
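The order of questions the 4xx entries above imply (who is asking, does the route exist, is the method defined, is it allowed, is the body usable), as an added example that is not part of this page or of any framework it names. The route table, token store and ACL are constructed fixtures, and the /users/8 in the Location header is a made-up id.

```python
import json
from dataclasses import dataclass, field

# Constructed fixtures: routes with their defined methods, bearer tokens, and an
# ACL keyed by (method, path). Paths in HIDDEN report a refusal as 404 so the
# response does not confirm that the resource exists.
ROUTES = {"/users": {"GET", "POST"}, "/users/7": {"GET", "DELETE"}}
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
ACL = {
    ("POST", "/users"): {"alice"},
    ("GET", "/users/7"): {"alice"},
    ("DELETE", "/users/7"): {"alice"},
}
HIDDEN = {"/users/7"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def decide(req):
    """Return (status, headers, reason) for req, asking the questions in the
    order the codes imply: who, which route, which method, allowed, body usable."""
    # 1. Who? Missing or bad credentials -> 401. RFC 9110 §15.5.2 requires a
    #    WWW-Authenticate challenge; the Bearer form comes from RFC 6750 §3.
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}, "no credentials"
    user = TOKENS.get(token.strip())
    if user is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="api", error="invalid_token"'}, "bad token"

    # 2. Which route? Unknown path -> 404.
    methods = ROUTES.get(req.path)
    if methods is None:
        return 404, {}, "no such route"

    # 3. Which method? Route exists, method not defined -> 405; Allow is mandatory (§15.5.6).
    if req.method not in methods:
        return 405, {"Allow": ", ".join(sorted(methods))}, "method not defined for route"

    # 4. May this user? -> 403, or 404 where a 403 would leak that the id exists.
    permitted = ACL.get((req.method, req.path))
    if permitted is not None and user not in permitted:
        if req.path in HIDDEN:
            return 404, {}, "forbidden, reported as 404"
        return 403, {}, "forbidden"

    # 5. Is the body usable? 415 for the wrong media type, 400 when the JSON
    #    itself is broken, 422 when it parses but the values fail validation.
    if req.method == "POST":
        ctype = req.headers.get("Content-Type", "").split(";")[0].strip().lower()
        if ctype != "application/json":
            return 415, {}, "expected application/json"
        try:
            doc = json.loads(req.body)
        except ValueError:
            return 400, {}, "malformed JSON"
        name = doc.get("name") if isinstance(doc, dict) else None
        if not isinstance(name, str) or not name.strip():
            return 422, {}, "'name' must be a non-empty string"
        return 201, {"Location": "/users/8"}, "created"   # /users/8 is a made-up id
    return 200, {}, "ok"


if __name__ == "__main__":
    bob = {"Authorization": "Bearer tok-bob"}
    print(decide(Request("GET", "/users/7")))          # 401 + challenge
    print(decide(Request("GET", "/users/7", bob)))     # 404, not 403: id hidden
    print(decide(Request("PUT", "/users", bob)))       # 405 + Allow
```

The 403-as-404 branch is the GitHub pattern from the 404 entry: it is only worth applying where the resource id itself is secret, which is why it is a per-path decision rather than a global one.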

When to use it

Mid-debug, you need to recheck what 401 vs 403 means. You're writing a Cache-Control header and want a quick reminder of no-cache vs no-store. You're drafting a CSP or HSTS line and want to scan the options fast.

35 codes + 17 headers

Thirty-five HTTP status codes (1xx, 2xx, 3xx, 4xx, 5xx) and seventeen common headers, with search and category / group filters. Each entry has a Korean and English narrative plus an RFC citation.

The pairs that get confused most:

  • 401 vs 403: 401 is "who?" (credentials missing or failed; send WWW-Authenticate). 403 is "no" (understood and refused; re-authenticating won't help).
  • 302 vs 307: both are temporary redirects. 302 lets the client rewrite POST to GET, and browsers do; 307 keeps method and body. Prefer 307 for new code.
  • 502 vs 504: 502 is an upstream that answered with something unusable; 504 is an upstream that didn't answer in time.
  • no-cache vs no-store: no-cache may be stored but must be revalidated (If-None-Match → 304) before each reuse; no-store must not be written to any cache at all.
  • HSTS vs CSP: HSTS pins the host to HTTPS inside the browser (defeats SSL-stripping downgrades); CSP restricts where scripts may load from (XSS mitigation).
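The client side of the redirect and retry entries, as an added example that is not the page's or the tool's code: which method to send after each 3xx, how to read Retry-After in both of its forms (delta-seconds and HTTP-date), and a fetch loop that applies both. Responses come from a scripted fake transport so the block runs offline; the paths, the fixed clock and the canned responses are constructed, and a real client would replace `send` with an HTTP call and the clock arithmetic with a sleep.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

CLOCK_START = datetime(2025, 1, 1, tzinfo=timezone.utc)   # constructed clock
REDIRECTS = (301, 302, 303, 307, 308)


def redirect_method(method, status):
    """Method to use at the Location target (RFC 9110 §15.4).
    301/302: the RFC lets user agents rewrite POST to GET, and browsers do.
    303: always GET (§15.4.4). 307/308: method and body preserved."""
    if status == 303 or (status in (301, 302) and method == "POST"):
        return "GET"
    return method


def retry_after_seconds(value, now):
    """Seconds to wait per Retry-After (RFC 9110 §10.2.3): delta-seconds or an
    HTTP-date. Returns None when the header is absent or unparsable."""
    if value is None:
        return None
    value = value.strip()
    if value.isdigit():
        return int(value)
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):   # garbage: raises on 3.10+, returned None before
        return None
    if when is None:
        return None
    if when.tzinfo is None:           # HTTP-dates are always GMT
        when = when.replace(tzinfo=timezone.utc)
    return max(0, int((when - now).total_seconds()))


def fetch(send, method, url, body=None, max_hops=8):
    """Drive send(method, url, body) -> (status, headers, body) through
    redirects and Retry-After waits. Returns (status, url, waits, trace): trace
    lists every (method, url, status) hop, waits the seconds slept before retries."""
    now = CLOCK_START
    waits, trace, status = [], [], None
    for _ in range(max_hops):
        status, headers, _resp = send(method, url, body)
        trace.append((method, url, status))
        if status in REDIRECTS and "Location" in headers:
            new_method = redirect_method(method, status)
            if new_method == "GET":
                body = None            # a POST body does not travel with the rewritten GET
            method, url = new_method, headers["Location"]
            continue
        if status in (429, 503):
            delay = retry_after_seconds(headers.get("Retry-After"), now)
            if delay is None:
                break                  # no hint: surface the status rather than hammer the server
            waits.append(delay)
            now += timedelta(seconds=delay)   # stand-in for time.sleep(delay)
            continue
        break
    return status, url, waits, trace


def make_transport():
    """Scripted responses (constructed): a 302 and a 307 off legacy paths, and a
    /busy path that throttles twice (delta-seconds, then an HTTP-date) before answering."""
    canned = {
        ("POST", "/legacy"):    (302, {"Location": "/v2"}, b""),
        ("POST", "/legacy307"): (307, {"Location": "/v2"}, b""),
        ("GET", "/v2"):         (200, {}, b"listing"),                 # where the rewritten GET lands
        ("POST", "/v2"):        (201, {"Location": "/v2/1"}, b"created"),
    }
    busy = [
        (429, {"Retry-After": "2"}, b""),
        (503, {"Retry-After": "Wed, 01 Jan 2025 00:00:07 GMT"}, b""),
        (200, {}, b"ok"),
    ]
    seen = {"busy": 0}

    def send(method, url, body):
        if url == "/busy":
            resp = busy[min(seen["busy"], len(busy) - 1)]
            seen["busy"] += 1
            return resp
        return canned[(method, url)]
    return send


if __name__ == "__main__":
    print(fetch(make_transport(), "POST", "/legacy", b"payload")[3])      # POST 302 -> GET 200
    print(fetch(make_transport(), "POST", "/legacy307", b"payload")[3])   # POST 307 -> POST 201
    print(fetch(make_transport(), "GET", "/busy")[2])                     # waits [2, 5]
```

Two details worth noticing: the same Location answers a GET and a POST differently, so a 302 silently changes what the client is doing, and the HTTP-date form of Retry-After is relative to the client's own clock, which is why the loop carries `now` forward after each wait.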

Sources

  • RFC 9110 — Semantics
  • RFC 9111 — Caching
  • RFC 6585 — additional codes (428, 429, 511)
  • RFC 7725 — 451
  • RFC 2324 — 418
  • W3C CSP3 and Referrer Policy; WHATWG Fetch
  • MDN HTTP docs

Privacy

The 35 status codes, 17 headers, and all narrative text are bundled as static client JSON. Zero API or CDN lookups — the tool works on internal networks and offline.

Not the right tool when

  • Non-standard responses (custom codes like 599) — only standard codes are listed. For a private code, ask the backend's docs.
  • gRPC status codes — gRPC's 0–16 are separate from HTTP. Not modeled here.
  • Hot topics like brotli dictionary compression — new headers wait for a stable RFC before being added.

Frequently asked questions

What's the difference between 401 and 403?
401 = auth failure ('who?'). WWW-Authenticate tells the client which scheme (Basic, Bearer). 403 = authenticated but not authorized ('no.'). Like trying to read another user's record with a valid token.
302 vs 307?
Both are temporary redirects. 302 may change the method (POST → GET, for legacy compatibility). 307 preserves the method — a POST stays a POST. Prefer 307 for new code.
Cache-Control: no-cache vs no-store?
no-cache = may be stored, but must be revalidated with the origin before each reuse (If-None-Match → 304 when unchanged). no-store = must not be written to any cache at all. Use no-store for token responses, account and payment pages, and anything else a shared or disk cache must never hold; use no-cache plus an ETag for responses that must always be current but are cheap to revalidate. Versioned static assets do better with a long max-age than with either.
Why do I need security headers (HSTS, CSP)?
HSTS tells the browser to reach the host over HTTPS only: after one HTTPS response carries the header, the browser rewrites later http:// URLs itself and refuses to click through certificate errors, which closes the SSL-stripping downgrade an on-path attacker relies on. The very first plain-HTTP visit is still exposed unless the host is on the preload list. CSP limits where scripts may load from (and, with nonces or hashes, which inline scripts may run), so an injected payload is blocked even when the XSS bug exists. Each is a single header with a major security payoff, and their absence is the first thing securityheaders.com or Mozilla Observatory flags.
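A small linter for the headers discussed in the FAQ, added here as an example rather than the tool's own code: it checks Strict-Transport-Security, Content-Security-Policy and, for sensitive responses, Cache-Control the way a securityheaders.com-style scan would. The one-year HSTS threshold follows the usual preload guidance, and the two sample header sets are constructed.

```python
ONE_YEAR = 31536000   # seconds; the usual minimum HSTS max-age for preloading


def parse_directives(value, sep):
    """name[=value] list -> {lower-name: value or None}. Cache-Control separates
    directives with ',', Strict-Transport-Security with ';'."""
    out = {}
    for part in value.split(sep):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip().strip('"') if val else None
    return out


def parse_csp(value):
    """CSP serialization -> {directive: [source expressions]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit(headers, sensitive=False):
    """Findings for one response's headers; an empty list means clean.
    sensitive=True applies the no-store rule for token / account / payment responses."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: later http:// visits can be downgraded (SSL stripping)")
    else:
        d = parse_directives(hsts, ";")
        max_age = d.get("max-age")
        if max_age is None or not max_age.isdigit():
            findings.append("HSTS max-age missing or malformed")
        elif int(max_age) < ONE_YEAR:
            findings.append(f"HSTS max-age={max_age} is under one year")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains: subdomains that share cookies stay downgradable")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing: injected script runs unconfined")
    else:
        policy = parse_csp(csp)
        script = policy.get("script-src", policy.get("default-src"))   # script-src falls back to default-src
        if script is None:
            findings.append("CSP has neither script-src nor default-src")
        else:
            lowered = [s.lower() for s in script]
            nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered)
            # CSP2+ browsers ignore 'unsafe-inline' once a nonce or hash is present, so
            # that combination is the accepted backwards-compatibility pattern, not a finding.
            if "'unsafe-inline'" in lowered and not nonce_or_hash:
                findings.append("CSP script-src allows 'unsafe-inline': inline XSS payloads execute")
            if any(s in ("*", "http:", "https:") for s in lowered):
                findings.append("CSP script-src allows any origin: attacker-hosted scripts load")

    if sensitive:
        cc = parse_directives(h.get("cache-control", ""), ",")
        if "no-store" not in cc:
            findings.append("sensitive response lacks Cache-Control: no-store (tokens may be written to a shared cache)")
    return findings


# Constructed sample header sets: one clean, one with the common mistakes.
GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-R4nd0mB64' 'unsafe-inline'; object-src 'none'",
    "Cache-Control": "no-store",
}
BAD = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
    "Cache-Control": "no-cache",
}

if __name__ == "__main__":
    print(audit(GOOD, sensitive=True))   # []
    for finding in audit(BAD, sensitive=True):
        print("-", finding)
```

The Cache-Control check is the link back to the no-cache vs no-store question above: on a token or account response, no-cache still lets a shared cache keep a copy on disk, which is exactly what no-store exists to prevent.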