method may → GET method preserved
permanent 301 Moved 308 Permanent Redirect
temporary 302 Found 307 Temporary Redirect
after POST 303 See Other → always GET (PRG pattern)
# Verify what a redirect really does:
curl -si -X POST https://example.com/old | head -3
HTTP/1.1 301 Moved Permanently
Location: https://example.com/new
# many clients will now GET /new — the POST body is gone
429 Too Many Requests(定义于 RFC 6585,而非核心规范)是协议的背压阀门:请求被理解了,只是客户端发得太快。合格的 429 会带上 Retry-After 头,它接受两种格式 — 秒数增量(Retry-After: 30)或绝对的 HTTP-date — 客户端应当遵守它,而不是按自己的节奏重试。多数真实 API 还会补充配额遥测头(X-RateLimit-Limit / Remaining / Reset 家族,正在被标准化为 RateLimit 字段),让客户端在撞墙之前而非之后就能自我调速。
要不要重试取决于三个问题。这个失败可重试吗?5xx 一般可以,4xx 一般不行 — 请求本身有缺陷 — 例外是 408、429 以及(需谨慎的)425。这个方法重复执行安全吗?GET、PUT、DELETE 被定义为幂等;而中途超时的 POST 可能已经在看不见的地方成功了,盲目重试 POST 有重复扣款的风险 — 这正是支付 API 引入幂等键的原因。重试该怎么间隔?带抖动的指数退避 — 一群按同一固定节奏重试的客户端会重新同步成一波波冲击,把正在恢复的服务器再次压垮。
事故期间,5xx 三兄弟是一张分诊地图。502 Bad Gateway:代理连上了上游却收到垃圾 — 查应用进程(崩溃、OOM)。503 Service Unavailable:主动拒绝 — 过载、维护、健康检查失败,可能附带 Retry-After。504 Gateway Timeout:上游迟迟不响应 — 查慢查询、死锁、耗尽的连接池。
HTTP/1.1 429 Too Many Requests
Retry-After: 30
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1751414460
Retry decision cheat sheet:
408, 429, 5xx → retry with exponential backoff + jitter
other 4xx → do not retry; fix the request
POST → only retry with an idempotency key
backoff: 1s → 2s → 4s → 8s (+ random jitter each step)
Type a code (404), partial name (gateway), or keyword (auth) into the search box.
Browse the filtered list grouped by status class.
Read the canonical name and one-line description for the matching codes.
Use the colour coding to quickly spot 4xx (client error) vs 5xx (server error).
Reference the result in your API design, log analysis, or error handling code.
常见用例
Choosing the right status code for a new REST API endpoint.
Investigating a strange status code (e.g., 418, 451) you saw in a server log.
Deciding between 401 Unauthorized and 403 Forbidden for an auth flow.
Documenting expected error responses in an OpenAPI / Swagger spec.
Understanding why a CDN returned 503 vs 504 during an outage.
Mapping HTTP errors to user-facing error messages with consistent semantics.
常见问题
Q. When should I return 401 vs 403?
A. 401 means "not authenticated, present credentials"; 403 means "authenticated but not allowed". If the client has no valid session, send 401. If they are logged in but lack permission, send 403.
Q. Is 422 the same as 400?
A. Both are 4xx, but 400 means the request itself is malformed (bad JSON, missing header) while 422 means the request is well-formed but semantically invalid (validation failed).
Q. Should I always use 200 for successful POSTs?
A. 201 Created is more precise when you create a new resource and 204 No Content when you succeed but return no body. 200 is correct when you do return a representation.
Q. What does 429 mean for rate limiting?
A. 429 Too Many Requests signals the client should slow down. Pair it with a Retry-After header so clients know when to try again.