
4xx Client Errors: 400 401 403 404

4xx status codes indicate a problem with the request: the client (a browser such as Chrome or Safari, a script, an API consumer) sent something the server will not or cannot serve. This is different from the 5xx range, where the web server itself is failing or down. You will see 4xx codes constantly when browsing, running API tests, running security scans, or reading logs during an attack. Understanding them lets you debug problems faster and spot where an application leaks information or enforces (or fails to enforce) access control.

The following are common 4xx status codes, with examples of the situations in which you would receive each:
400 Bad Request
The server cannot understand or process what you sent. This is usually a syntax or format error in the request: a missing required field, invalid JSON, an invalid value, a malformed header.
Common examples (daily use):
1. You POST JSON to an API but leave the quotes off a value: {"user": admin} → 400, invalid JSON.
2. The URL or query string is too long for the server (limits typically fall between roughly 2,000 and 8,000 characters, depending on the server and any proxy in front of it) and the request is rejected. The specific code for this case is 414 URI Too Long, but some servers and proxies answer an over-size request line or header with a plain 400.
3. You submit a form with the wrong Content-Type (for instance multipart/form-data when the server expects application/x-www-form-urlencoded). Depending on the framework this is a 400 or a 415 Unsupported Media Type.

Security / testing example:
Fuzzing a login form with special characters. Ordinary inputs return 200 or 401, but username=admin%00 (a null byte) returns 400. The change in status code tells you that the back end has input filtering or validation in front of the authentication logic, and that the filter, not the credential check, rejected the request.

401 Unauthorized
Authentication is required and was not supplied, or the credentials are wrong or have expired.
Common examples:
1. You request a private API route (for example the dashboard endpoint) without a Bearer token → 401
2. A Basic Auth prompt appears and you log in with the wrong password → 401
3. Your access token has expired. Requests to protected resources return 401 until you obtain a new access token, via the refresh token or by logging in again.

Security / testing example:
Username enumeration during a brute-force attack. If a valid username with the wrong password returns 401, but an unknown username returns 400 or a different error message, the server is telling the attacker which accounts exist before any password has been guessed. A login endpoint should answer every failed attempt with the same status code and body and, as far as practical, in the same amount of time.
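The two testing examples above (the null byte that trips validation and returns 400, and the 400-versus-401 difference that reveals valid usernames) as one runnable simulation. This is an added example for this post, not code from Red Secure Tech: the user table, the passwords and the JSON request shape are constructed, and the two handlers stand in for a web framework's login route. leaky_login answers with a different status for unknown users; hardened_login gives every authentication failure the same 401, the same body and the same hashing work.

```python
"""Simulated JSON login endpoint: how 400 and 401 leak information.

Added example for this post, not code from Red Secure Tech. The user table,
the passwords and the request format are constructed for illustration; the
two handlers stand in for a real web framework's route function.
"""
import hashlib
import hmac
import json
import secrets


def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()


# Constructed user table: username -> (salt, sha256(salt + password)).
_SALT = secrets.token_bytes(16)
USERS = {
    "admin": (_SALT, _hash(_SALT, "correct horse battery staple")),
    "alice": (_SALT, _hash(_SALT, "hunter2")),
}
# Dummy credential the hardened handler hashes against for unknown users,
# so that a missing account costs the same time as a wrong password.
_DUMMY = (secrets.token_bytes(16), secrets.token_bytes(32))


def parse_login(content_type: str, body: bytes):
    """Return (username, password), or an error string explaining the 400."""
    if content_type.split(";")[0].strip() != "application/json":
        return "Content-Type must be application/json"
    try:
        data = json.loads(body)          # {"user": admin} fails here: invalid JSON
    except ValueError:
        return "Invalid JSON"
    if not isinstance(data, dict):
        return "Body must be a JSON object"
    user, pw = data.get("username"), data.get("password")
    if not isinstance(user, str) or not isinstance(pw, str):
        return "username and password are required strings"
    if any(ord(c) < 0x20 for c in user):  # admin%00 -> null byte -> 400, never reaches auth
        return "Invalid characters in username"
    return user, pw


def leaky_login(content_type: str, body: bytes) -> tuple[int, str]:
    """Vulnerable: the response reveals whether the username exists."""
    parsed = parse_login(content_type, body)
    if isinstance(parsed, str):
        return 400, parsed
    user, pw = parsed
    if user not in USERS:
        return 400, "Unknown user"        # <- enumeration oracle (400 vs 401)
    salt, digest = USERS[user]
    if not hmac.compare_digest(_hash(salt, pw), digest):
        return 401, "Wrong password"
    return 200, "OK"


def hardened_login(content_type: str, body: bytes) -> tuple[int, str]:
    """Fixed: every failed authentication gets the same 401, body and hash work."""
    parsed = parse_login(content_type, body)
    if isinstance(parsed, str):
        return 400, parsed                # malformed input is still a 400
    user, pw = parsed
    salt, digest = USERS.get(user, _DUMMY)
    # compare_digest runs for unknown users too, against the dummy credential
    ok = hmac.compare_digest(_hash(salt, pw), digest) and user in USERS
    if not ok:
        return 401, "Invalid username or password"
    return 200, "OK"


def _probe(handler, username: str, password: str) -> tuple[int, str]:
    body = json.dumps({"username": username, "password": password}).encode()
    return handler("application/json", body)


def fuzz_username(handler, payloads) -> dict:
    """Tester view: which inputs trip validation (400) versus reach auth (401)?"""
    return {p: _probe(handler, p, "x")[0] for p in payloads}


def enumerate_users(handler, candidates) -> list:
    """Attacker view: candidates whose response differs from a name that cannot exist."""
    baseline = _probe(handler, "nobody-" + secrets.token_hex(8), "x")
    return [c for c in candidates if _probe(handler, c, "x") != baseline]
```

Against leaky_login, enumerate_users returns ["admin", "alice"] because their 401 differs from the 400 that an unknown name receives; against hardened_login it returns nothing, while the null-byte payload still gets a 400 from both, because rejecting malformed input does not depend on whether the account exists.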

403 Forbidden
The server knows who you are (or does not care), and you do not have permission to access this resource. Authenticating again will not help.
Common examples:
1. A regular user navigates to /admin/dashboard → 403
2. After logging in, you try to download a file your account is not allowed to read → 403
3. A POST request is missing its CSRF token → many frameworks return 403

Security / testing example:
Directory brute-forcing. A request for /backup.zip that returns 403 indicates the path most likely exists and is protected by a server or access rule, whereas a 404 indicates it most likely does not exist. The difference between 403 and 404 lets a tester map resources that exist but are meant to stay hidden. Treat it as a strong hint rather than proof: a server may deliberately answer 404 for forbidden paths to remove exactly this signal.

404 Not Found
The server cannot find the requested resource, whether it is a web page, a file or an API endpoint.
Common examples:
1. Typo in the URL: /products instead of /product → 404
2. A blog post was deleted, or an old URL is no longer valid → 404
3. The API endpoint exists, but under a different version prefix (it lives at /api/v2/users, not the path you requested) → 404

Security / testing example: fuzzing for admin panels. /admin.php → 404 on most sites. But if /wp-login.php → 200, attackers now know the site runs WordPress and treat it as a target for credential attacks and known plugin flaws.
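A small path brute-forcer that puts into practice the two scanning examples above: sorting each path into a bucket by status code, reading 403 as "exists but protected" and 404 as "probably absent", and fingerprinting the platform from what returns 200. This is an added example for this post, not a Red Secure Tech tool. WORDLIST, FAKE_SITE and fake_fetch are constructed so the scan runs offline; http_fetch is a real standard-library fetcher for a host you are authorised to test. The soft-404 check is the caveat a practitioner wants: if a random path does not return 404, the 404 bucket means nothing.

```python
"""Directory brute-force that sorts paths by the status code they return.

Added example for this post, not a Red Secure Tech tool. WORDLIST, FAKE_SITE
and fake_fetch are constructed so the scan runs offline; http_fetch is a
real stdlib fetcher for a host you are authorised to test.
"""
import secrets
import urllib.error
import urllib.parse
import urllib.request
from collections import defaultdict

WORDLIST = ["admin.php", "wp-login.php", "backup.zip", ".git/HEAD", "robots.txt", "nothing-here"]
# Files whose presence identifies the platform (assumption: only the one the post mentions).
FINGERPRINTS = {"/wp-login.php": "WordPress"}


def http_fetch(url: str, timeout: float = 5.0) -> int:
    """GET `url` and return the status code; urllib raises HTTPError for 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "status-mapper/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


# Constructed stand-in for a WordPress host with a forbidden backup and .git directory.
FAKE_SITE = {"/wp-login.php": 200, "/robots.txt": 200, "/backup.zip": 403, "/.git/HEAD": 403}


def fake_fetch(url: str) -> int:
    """Offline fetcher: answers from FAKE_SITE, 404 for everything else."""
    return FAKE_SITE.get(urllib.parse.urlparse(url).path, 404)


def soft_404_check(base_url: str, fetch=http_fetch) -> int:
    """Status for a path that cannot exist. Anything but 404 means the 404 bucket
    is unreliable (catch-all routes, or a server hiding forbidden paths as 404)."""
    return fetch(base_url.rstrip("/") + "/" + secrets.token_hex(12))


def scan_paths(base_url: str, wordlist, fetch=http_fetch) -> dict:
    """Map status code -> list of paths that produced it, in wordlist order."""
    buckets = defaultdict(list)
    for word in wordlist:
        path = "/" + word.lstrip("/")
        buckets[fetch(base_url.rstrip("/") + path)].append(path)
    return dict(buckets)


def interpret(buckets: dict) -> dict:
    """The tester's reading: 403 = exists but protected, 404 = probably absent."""
    readable = sorted(buckets.get(200, []))
    return {
        "exists_and_readable": readable,
        "exists_but_protected": sorted(buckets.get(403, [])),
        "needs_auth": sorted(buckets.get(401, [])),
        "probably_absent": sorted(buckets.get(404, [])),
        "fingerprints": sorted(FINGERPRINTS[p] for p in readable if p in FINGERPRINTS),
    }


if __name__ == "__main__":
    base = "https://example.test"          # constructed target; swap fake_fetch for http_fetch on a real one
    if soft_404_check(base, fake_fetch) != 404:
        print("warning: 404 baseline is unreliable, do not trust the absent list")
    for key, paths in interpret(scan_paths(base, WORDLIST, fake_fetch)).items():
        print(f"{key}: {paths}")
```

Run against the constructed site, /backup.zip and /.git/HEAD land in exists_but_protected, /wp-login.php in exists_and_readable with a WordPress fingerprint, and /admin.php in probably_absent. Against a real host, replace fake_fetch with http_fetch, keep the request rate modest, and run the soft-404 check first.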

Quick Everyday Reference
1. 400 : “You sent something broken” (fix your syntax/format).
2. 401 : “Who are you? Prove it.” (login/auth issue).
3. 403 : “I know who you are, but you can't do that.” (permission denied).
4. 404 : “I have no idea what you're asking for.” (resource missing).

Practical Tips for Normal Use
1. Frequent 401s or 403s on a site you use regularly? Clear your cookies and cache, check whether your password has been changed, and check whether you are being prompted for MFA.
2. Random 400s on forms submitted via the web? Open the browser dev tools (Network tab) and look for malformed JSON or missing form fields in the request body.
3. Many 404s in your own site logs? It is one of three things: broken links, bots scanning your site, or someone fuzzing it. A burst of 404s from one client against paths you never published is the fuzzing case.
4. When security testing, keep the difference between 403 and 404 in mind: generally a 403 means the path exists but is protected, and a 404 that it does not, unless the server is configured to hide forbidden paths behind a 404.
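The log check from tip 3 as working detection logic: parse combined-format access log lines, attribute 404s that carry one of our own pages as referer to broken links, and flag any client that produces a burst of 403/404 responses inside a short window as a scanner. This is an added example for this post, not Red Secure Tech code. SAMPLE_LOG is constructed, and SITE, the threshold and the window are assumptions to tune for your own traffic.

```python
"""Find broken links and fuzzing in an access log by looking at the 403/404s.

Added example for this post, not Red Secure Tech code. SAMPLE_LOG is
constructed in nginx/Apache combined format; SITE, the threshold and the
window are assumptions to tune for your own traffic.
"""
import re
from collections import defaultdict
from datetime import datetime

SITE = "https://example.test"   # assumed: our own origin, used to recognise internal referers

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one visitor following a dead link, one scanner fuzzing paths.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:10:00:03 +0000] "GET /blog/old-post HTTP/1.1" 404 196 "https://example.test/" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2026:10:01:00 +0000] "GET /admin.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2026:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2026:10:01:01 +0000] "GET /backup.zip HTTP/1.1" 403 199 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2026:10:01:01 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2026:10:01:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2026:10:01:02 +0000] "GET /.git/HEAD HTTP/1.1" 404 196 "-" "python-requests/2.31"
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def max_in_window(times, window: int) -> int:
    """Largest number of events that fall inside any `window`-second span."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyse(log_text: str, site: str = SITE, threshold: int = 5, window: int = 60) -> dict:
    """Separate 404s caused by our own broken links from bursts that look like fuzzing."""
    misses = defaultdict(list)       # ip -> records with status 403/404
    broken_links = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 404 and rec["referer"].startswith(site):
            broken_links.add((rec["referer"], rec["path"]))   # one of our pages links to a dead path
        if rec["status"] in (403, 404):   # 403s count too: a scanner hitting a protected path
            misses[rec["ip"]].append(rec)
    suspects = {}
    for ip, recs in misses.items():
        burst = max_in_window([r["ts"] for r in recs], window)
        if burst >= threshold:
            suspects[ip] = {
                "misses_in_window": burst,
                "paths": sorted({r["path"] for r in recs}),
                "user_agents": sorted({r["ua"] for r in recs}),
            }
    return {"broken_links": sorted(broken_links), "suspects": suspects}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("broken links:", result["broken_links"])
    for ip, info in result["suspects"].items():
        print(f"suspect {ip}: {info['misses_in_window']} misses, {info['paths']}")
```

On the sample, the single 404 from 203.0.113.7 is attributed to a dead link on our own front page, while 198.51.100.9 produces six 403/404 responses in two seconds from a scripting user agent against paths that were never published, which is the fuzzing signature the tip describes. The threshold and window are deliberately conservative; lower them on a quiet site, raise them on one with many legitimate crawlers.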


© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067