HTTP Status Codes: Complete 2026 SEO Reference Guide

Returned when a resource was fetched successfully. Every public URL you want Google to index must return 200. Verify with Google Search Console URL Inspection or curl -I. A common mistake: custom error pages that render visually like errors but still return 200 — these become soft 404s.

Used by REST APIs after POST/PUT creates a new resource. Not typically seen by crawlers on public HTML. If a headless CMS returns 201 to a GET request (misconfiguration), Google treats it as successful but expect edge cases in tooling.

Valid for tracking pixels, form submissions, and beacon endpoints. Never serve 204 on a user-facing HTML URL — Googlebot receives no body to index, effectively removing the page.

Used when a client requests a byte range (video streaming, large file download resume). Googlebot supports range requests for video indexing, so proper 206 handling on video assets matters for Video results in Search.

Signals that a resource has permanently moved to a new URL. Google consolidates link equity and ranking signals from the old URL to the new one. Use for URL restructures, HTTPS migrations, domain changes, and any scenario where the old URL will never return. 301 is cached aggressively by browsers — test carefully because reverting is painful.

Indicates a temporary move — the original URL will return. Use for A/B tests, geolocation redirects, temporary promotions, or maintenance. Google still passes signals through 302 (policy changed in 2016), but leaving a 302 in place long-term confuses canonical selection. After ~12 months Google will often treat a persistent 302 as a 301, but do not rely on that.

Like 302 but the HTTP method must be preserved (POST stays POST). For SEO purposes, 307 and 302 behave the same — both are temporary and keep the original URL as the canonical. Common in HSTS upgrades from HTTP to HTTPS before certificates are fully rolled out.

A stricter version of 301 that preserves the HTTP method. Google treats 308 and 301 identically for ranking purposes. Use 308 when you need method preservation (rare for public HTML sites); stick to 301 for standard content redirects where tooling compatibility matters.

Tells the client to fetch the target with a GET regardless of the original method. Classic use: redirect after form submission to prevent duplicate POSTs. Not commonly used for public content redirects — if you see a 303 on an indexed URL, investigate whether it should be 301 instead.

The server could not understand the request. Usually not seen by Googlebot on HTML URLs unless the site has a broken rewrite rule or the URL contains illegal characters. Treated similarly to 404 by crawlers.

The request requires authentication that was not provided. Googlebot cannot authenticate and will not index the URL. If a public page accidentally returns 401 (session middleware applied too broadly), it disappears from Search. Check with the URL Inspection tool when pages drop from the index unexpectedly.

The server understood the request but refuses to authorize it. Unlike 401, no authentication attempt will succeed. Common cause: IP-based blocks, WAF rules, or mod_security firing on Googlebot. Verify Googlebots user-agent and IP ranges are allow-listed on your CDN and origin.

The most famous status code. Returned when the URL does not map to any resource. Google de-indexes 404s after repeated crawls (typically weeks). 404s are normal and healthy — every large site has them. Worry about 404s only when a previously indexed, high-traffic URL starts returning them unexpectedly.

Signals the resource was intentionally removed and will not return. Google processes 410 faster than 404 — typically de-indexed within days rather than weeks. Use for discontinued products, deleted user accounts, retired campaigns, or legal takedowns where no redirect target exists.

Not SEO-relevant but included for completeness. Occasionally used by Cloudflare and other CDNs to block abusive bots with a playful message. Never return 418 on pages you want indexed.

The client sent too many requests in a given time. Googlebot handles occasional 429s gracefully — it backs off and retries. Persistent 429s reduce crawl rate and delay indexing. If your WAF rate-limits Googlebot itself, raise the limit or allow-list verified crawler IPs. Include a Retry-After header to guide backoff timing.

Used when content is removed for legal reasons — DMCA takedowns, GDPR erasure requests, geographic restrictions, court orders. Google treats it as de-indexable. Prefer 451 over 403 when the reason is genuinely legal, so users and regulators understand the context.

The catch-all 5xx. Usually indicates an unhandled exception, database connection failure, or misconfiguration. Occasional 500s are normal; sustained 500s signal instability. Alert on 500 rate > 1% of total requests.

A proxy or gateway received an invalid response from an upstream server. Common in microservices architectures when an origin crashes behind a CDN or load balancer. Googlebot retries 502s patiently but sustained 502s reduce crawl budget.

The correct status code for planned downtime. Return 503 with a Retry-After header (seconds or HTTP date) so Googlebot backs off and retries later. Never return 200 with a maintenance message — Google will treat the maintenance page as the canonical content and potentially de-index real pages. Keep 503 windows under 24 hours; sustained 503 for multiple days signals site abandonment.

A gateway or proxy did not receive a timely response from the origin. Common in slow database queries, cold-start serverless functions, or overloaded origins. Googlebot waits patiently on 504s but they count against crawl budget efficiency. Fix by optimizing slow paths or increasing upstream timeouts thoughtfully.