Quick quiz — which status code is correct?
• You're not logged in → ?
• You're logged in but not allowed → ?
• The JSON is malformed → ?
• The JSON is valid but the email is invalid → ?
Answers:
• 401 Unauthorized → "who are you?" (missing/invalid auth)
• 403 Forbidden → "I know you, you still can't"
• 400 Bad Request → malformed request
• 422 Unprocessable → valid request, failed validation
The #1 mistake I see: returning 200 OK for a login failure, or 500 for bad
user input. Both break monitoring and make debugging miserable, because the
first digit of a status code is supposed to tell you whose fault it is:
2xx = success · 3xx = go elsewhere · 4xx = your fault · 5xx = server's fault
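Here is the four-way decision from the quiz as one request handler, an added example rather than code from the post or the linked guide. It assumes a hypothetical `PUT /me/email` endpoint, a constructed token-to-user table, and a deliberately simple email check; the point is the order of the checks and that each client-side problem gets a 4xx, never a 200 or a 500.

```python
import json
import re

# Constructed sample data (assumption for this example): a bearer token -> user
# map and a per-user permission set. A real service would look these up elsewhere.
USERS_BY_TOKEN = {
    "tok-alice": {"name": "alice", "perms": {"profile:write"}},
    "tok-bob": {"name": "bob", "perms": set()},
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def update_email(headers: dict, body: bytes) -> tuple:
    """Return (status_code, response_body) for a hypothetical PUT /me/email.

    Checks run in the order a client's fault should be reported:
    authentication, then authorization, then syntax, then semantics.
    """
    # 401: no usable credentials, so the server cannot tell who is asking.
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):].strip() if auth.startswith("Bearer ") else ""
    user = USERS_BY_TOKEN.get(token)
    if user is None:
        return 401, {"error": "authentication required"}

    # 403: identity is known, but this user may not perform the action.
    if "profile:write" not in user["perms"]:
        return 403, {"error": "forbidden"}

    # 400: the body is not even valid JSON (malformed request).
    try:
        data = json.loads(body)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return 400, {"error": "body is not valid JSON"}

    # 422: well-formed JSON, but the content fails validation.
    email = data.get("email") if isinstance(data, dict) else None
    if not isinstance(email, str) or not EMAIL_RE.match(email):
        return 422, {"error": "email is invalid", "field": "email"}

    # 2xx only when the request actually succeeded.
    return 200, {"user": user["name"], "email": email}
```

Anything that escapes these checks and raises inside the handler is the server's fault and belongs to 5xx; the handler itself never maps a client mistake there.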
I put together a complete guide with real examples, a cheat-sheet table, and a
testing checklist for every category:
👉 https://www.orbittest.dev/blog/http-status-codes-explained
What's the most misused status code you've seen in the wild?