Every HTTP status code from 100 to 599, plus Cloudflare's 1xxx codes — with plain-English meaning, the headers that go with it, and what each one means for web scrapers specifically.
Reference for developers • Deep-link any code with #429 • See also: HTTP Headers Checker
The server received the request headers and the client should proceed to send the request body.
ExpectThe server is switching protocols as requested by the client via the Upgrade header.
UpgradeConnectionThe server has received and is processing the request, but no response is available yet (WebDAV).
Used to return preliminary headers (such as Link) before the final response.
LinkThe request succeeded. The meaning of success depends on the HTTP method used.
A 200 is the goal, but it is not a guarantee the body is what you expect. Anti-bot challenge pages, CAPTCHAs, and "are you a human" interstitials are frequently served with a 200. Always validate the body, not just the status code.
The request succeeded and a new resource was created as a result.
LocationThe request was accepted for processing, but the processing has not completed.
The request succeeded but there is no content to return in the response body.
The server is delivering only part of the resource due to a Range header sent by the client.
RangeContent-RangeAccept-RangesThe resource has permanently moved to a new URL given in the Location header.
LocationFollow the Location header and update your seed URLs — chasing the same old URL wastes requests on a redirect every time. Note some scrapers must preserve the method; 301 historically allowed clients to switch POST to GET.
The resource temporarily resides at a different URL given in the Location header.
LocationA redirect to a login or challenge page is a common soft block. If a 200 page suddenly 302s to /login or a captcha route, treat it as a session or fingerprint problem.
The response can be found at another URL using a GET request.
LocationThe resource has not changed since the version specified by the request headers; use the cached copy.
If-Modified-SinceIf-None-MatchETagLast-ModifiedIf you send conditional headers (ETag, If-Modified-Since) you may get a 304 with an empty body. Strip those headers when you actually want the full content back.
The resource temporarily resides at a different URL, and the request method must not change.
LocationThe resource has permanently moved, and the request method must not change.
LocationThe server cannot process the request due to a client error (malformed syntax, invalid framing).
Often a sign your request is malformed — bad headers, a corrupt cookie, or a body that does not match the Content-Type. Diff your request against a working browser request.
Authentication is required and has either failed or not been provided.
WWW-AuthenticateAuthorization401 means "who are you?" — the server wants credentials. This differs from 403, which means "I know who you are and you still cannot have this." Check your token, API key, or session cookie.
The server understood the request but refuses to authorize it.
cf-rayServerSet-CookieThe classic scraper block. A 403 with no real content usually means the request was identified as automated — IP reputation, TLS or browser fingerprint, or missing/odd headers. Compare a real browser request against your client request header-by-header to find the mismatch.
The server cannot find the requested resource.
Sometimes a 404 is a soft block (a "cloaked" 404) rather than a genuine missing page. If a real browser UA returns 200 for the same URL while a bare client gets 404, you are likely being fingerprinted.
The request method is known by the server but is not supported by the target resource.
AllowThe resource cannot produce a response matching the Accept headers sent by the client.
AcceptAccept-EncodingAccept-LanguageThe client must first authenticate itself with the proxy.
Proxy-AuthenticateProxy-AuthorizationA 407 almost always means your proxy credentials are wrong or missing. Check the username, password, and that the credentials are passed in the proxy URL or a Proxy-Authorization header.
The server timed out waiting for the request.
ConnectionThe request conflicts with the current state of the target resource.
The resource is permanently gone and no forwarding address is known.
Unlike a 404, a 410 is a strong signal to permanently remove the URL from your crawl queue — the server is telling you it will never come back.
The server refuses the request because it lacks a defined Content-Length header.
Content-LengthThe request body is larger than the server is willing or able to process.
Content-LengthRetry-AfterThe URI requested by the client is longer than the server is willing to interpret.
The media format of the request body is not supported by the server.
Content-TypeAcceptAn April Fools joke from RFC 2324 — the server refuses to brew coffee because it is a teapot.
Some services repurpose 418 as a non-standard "you have been flagged" response. If you get a teapot, treat it like a soft block and review your request fingerprint.
The request was well-formed but contains semantic errors that prevent processing.
The resource being accessed is locked (WebDAV).
The server is unwilling to risk processing a request that might be replayed.
The client has sent too many requests in a given amount of time ("rate limiting").
Retry-AfterX-RateLimit-RemainingX-RateLimit-Reset429 is the most common signal you have crossed a rate-limit threshold. Honour the Retry-After header, slow down, rotate IPs, or spread load across more sessions. Hammering through a 429 usually escalates to a longer block.
The resource is unavailable for legal reasons, such as censorship or a takedown.
A generic server error — something went wrong but the server cannot be more specific.
A 500 is the server's fault, not yours — but a sudden burst of 500s on previously-working requests can also indicate you triggered a defensive code path. Retry with backoff; if it persists for one URL only, the page itself is broken.
The server does not support the functionality required to fulfil the request.
A server acting as a gateway or proxy received an invalid response from an upstream server.
Retry-Aftercf-rayA 502 is upstream infrastructure failing, often transient. Retry with exponential backoff. Persistent 502s through a CDN can also mean the origin is rejecting the edge's forwarded request.
The server is not ready to handle the request — usually overloaded or down for maintenance.
Retry-Aftercf-raycf-mitigatedA 503 is not always "server overloaded." Many anti-bot products return a 503 while serving a JavaScript challenge page. Check the body and headers (e.g. cf-mitigated) — if it is a challenge, you need a client that can complete it, not just a retry.
A gateway or proxy did not receive a timely response from an upstream server.
Retry-AfterA 504 means the edge waited too long for the origin. Increase your client timeout and retry; if you control the request, simplify it (smaller payloads, fewer redirects) to come in under the gateway's limit.
The HTTP protocol version used in the request is not supported by the server.
The server detected an infinite loop while processing the request (WebDAV).
The client needs to authenticate to gain network access (e.g. a captive portal).
Cloudflare received an empty, unknown, or unexpected response from the origin server.
cf-rayServer520 is a catch-all Cloudflare error for an origin that misbehaved. It is usually transient and origin-side — retry with backoff. If it only appears for your client, the origin may be rejecting the forwarded request.
Cloudflare cannot establish a connection to the origin server.
cf-ray521 means Cloudflare cannot reach the origin at all. Nothing you change client-side will help while the origin is down — retry later.
Cloudflare timed out trying to establish a TCP connection to the origin.
cf-rayCloudflare cannot reach the origin server, often due to a routing or DNS problem.
cf-rayCloudflare connected to the origin but did not receive a timely HTTP response.
cf-ray524 is the Cloudflare equivalent of a gateway timeout — the origin was reached but answered too slowly. Simplify the request or retry; you cannot extend Cloudflare's origin timeout from the client.
The SSL/TLS handshake between Cloudflare and the origin failed.
cf-rayCloudflare could not validate the SSL certificate presented by the origin.
cf-rayUsually paired with a Cloudflare 1xxx error — typically an origin DNS resolution failure.
cf-rayCloudflare is rate-limiting the client based on a rate-limiting rule configured by the site owner.
cf-rayRetry-AfterCloudflare 1015 is rate limiting at the edge, before your request reaches the origin. Slow down, rotate IPs, and spread requests across more sessions. It behaves much like a 429 but is enforced by Cloudflare's network.
Scrappey handles rate limits, retries, and challenge pages for you — returning clean HTML, JSON, or Markdown from any URL with residential proxies included.
Each node is a status code, grouped by class. Lines connect codes that are commonly confused or that scrapers see together. Hover to highlight, click for the meaning and a jump link.
A 401 Unauthorized means the server does not know who you are — you need to provide valid credentials. A 403 Forbidden means the server knows who you are (or does not care) and still refuses access. For scrapers, a 403 usually points to IP reputation, fingerprinting, or header issues rather than missing credentials.
429 Too Many Requests is the standard rate-limit signal, and that is almost always what it means. Honour the Retry-After header, slow down, and rotate IPs. Occasionally a service uses 429 as a generic "too aggressive" block even when you are under the published quota, so also review request volume and concurrency.
The two clients send different fingerprints. Postman, a real browser, and a bare HTTP library differ in TLS handshake, HTTP/2 frame ordering, header order, and User-Agent. Anti-bot systems read those signals, so one client gets a 200 while another gets a 403 for the identical URL. Diff the full request to find the mismatch.
No. While 503 Service Unavailable can mean overload or maintenance, many anti-bot products return a 503 while serving a JavaScript challenge page. Check the body and headers (such as cf-mitigated) — if it is a challenge rather than a real outage, retrying alone will not help; you need a client that can complete the challenge.
Cloudflare uses a set of four-digit codes for edge-specific conditions. The most common is 1015 (You Are Being Rate Limited), enforced at Cloudflare's network before the request reaches the origin. They are distinct from standard HTTP codes and usually appear in the response body alongside a 5xx status.
Automate workflows visually. Streamline data collection processes.
Pre-built template for modern websites. Simplifies Scrappey integration.
Access via API marketplace. Easy integration with comprehensive docs.
Scalable actor-based automation. Reliable browser rendering.
AI-powered browser automation. Intelligent session management.
Scrape from your terminal. One command, pipeable output, CI-ready.
Portable skill for Claude Code + Codex. Browser-backed data access on demand.
LangChain connector — clean web data for any chain or agent.
LlamaIndex reader — load modern web pages straight into RAG.
Connect with 7,000+ apps. Automate workflows easily.
Visual workflow automation. Connect with 1,000+ apps easily.
Try It For Free. No Subscription Required. No Credit Card Required. Instant Set-Up. 150 Free Requests Are Waiting For You!