DevArbor
4xx Client Error

400 Bad Request

What it means

The server cannot or will not process the request because of something wrong with the request itself — malformed syntax, invalid framing, deceptive routing, or invalid request message. The client should not repeat the request without modifications.

Site Visitor

What can I do?

  • Double-check the URL for typos. If filling out a form, ensure all required fields are complete.
  • If the problem persists after retrying, contact the site owner.
Developer

How to debug & fix

  1. Validate all inputs before processing — return 400 with a descriptive error message
  2. Use a schema validation library (Zod, Joi, Pydantic) to catch bad requests early
  3. Always include a body explaining exactly what was wrong: {"error": "Missing required field: email"}
  4. Log the full invalid request body server-side (redacted of PII) so you can reproduce issues reported by API consumers.
  5. Return machine-readable error codes alongside human text: {"code":"MISSING_FIELD","field":"email"}.

Code Example

Node.js / Express
app.post('/users', (req, res) => {
  const { error } = userSchema.validate(req.body);
  if (error) {
    return res.status(400).json({
      error: 'Bad Request',
      details: error.details
    });
  }
  // proceed...
});

Related Status Codes

422 Unprocessable Entity 415 Unsupported Media Type

How HTTP Status Codes Work

Every HTTP response carries a three-digit status code that tells the client — browser, API consumer, or search-engine crawler — exactly what happened. The first digit defines the class: 1xx informational (request in progress), 2xx success, 3xx redirection, 4xx client error (bad request, missing auth, not found), and 5xx server failure.

Status codes are standardised in RFC 9110 (HTTP Semantics, 2022). Extensions like WebDAV (RFC 4918) and rate-limit headers (RFC 6585) added codes beyond the core set. When a client receives an unrecognised code, the rule is to treat it as the generic x00 of its class.

Why the Right Code Matters

Semantically correct codes help search engines index accurately (301 passes link equity; 410 removes pages faster than 404), allow API clients to implement correct retry logic (429 + Retry-After, 503 + Retry-After), and let monitoring systems distinguish bugs (500) from load issues (503) from auth failures (401/403).

Looking up a different status code? The full reference covers all HTTP codes with causes, fix guides, and copyable code examples for Node.js and Python.

Browse the full HTTP Status Code reference →

Frequently Asked Questions

What does HTTP 400 Bad Request mean?
The server cannot or will not process the request because of something wrong with the request itself — malformed syntax, invalid framing, deceptive routing, or invalid request message. The client should not repeat the request without modifications.
Is HTTP 400 the visitor's fault?
HTTP 400 Bad Request is generally a client-side error, meaning the request itself has an issue. However, many causes — such as a broken link on the site or a misconfigured redirect — are the website owner's responsibility, not the visitor's.
How do I fix HTTP 400 Bad Request?
As a visitor: check the URL for typos, go to the homepage, or search for the content. As a developer: validate all inputs before processing — return 400 with a descriptive error message.