400 Bad Request

The HTTP 400 Bad Request status code is a generic client error returned by the server to indicate the request was malformed or otherwise invalid. Some ambiguity exists between 4xx codes, and in cases not explicitly covered by a more specific status, servers return 400 Bad Request as a catch-all.

Table of Contents

Usage

When a 400 Bad Request error arrives, the client is responsible for examining the message body to learn more about the failure. The server returns sufficient detail for the client to rectify the problem. Common reasons for a 400 Bad Request response include:

  • URL syntax error: illegal characters in the request path or query string.
  • Uploading a file exceeding the server's configured size limit.
  • Invalid Cookies: login cookies expired or corrupted.
  • DNS cache error: client-side DNS cache has expired or become corrupt, and the resolved address is no longer valid.

When these errors occur, the client might try double-checking the URL, clearing browser Cookies, or compressing an oversized file before retransmitting.

SEO impact

Search engines like Google do not index a URL returning a 400 status. Previously indexed URLs returning this status code are removed from search results. Pages returning this code do not waste crawl budget.

Example

The client requests a resource containing curly bracket characters in the path. These are not valid in a URL, so the server responds with 400 Bad Request.

Request

GET /index{15}.html HTTP/1.1
Host: www.example.re

Response

HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=UTF-8
Content-Length: 131

<html>
  <head>
    <title>Malformed URL</title>
  </head>
  <body>
    <p>Invalid characters in HTTP request</p>
  </body>
</html>

How to fix

A 400 Bad Request means the server rejected the request due to a client-side formatting problem.

  1. Check the URL for encoding errors. Special characters like curly braces, spaces, or non-ASCII characters need percent-encoding. Inspect the full request path and query string. Run the URL through a validator to catch illegal byte sequences.

  2. Validate request headers. A malformed Host header, oversized Cookie header, or missing required header triggers this error. Compare headers against the API specification. Use browser DevTools (Network tab) or curl -v to inspect the raw headers sent with the request.

  3. Inspect the request body for syntax errors. Invalid JSON, broken form encoding, or a mismatch between the Content-Type header and actual body format causes rejection. Validate JSON payloads with a linter before sending.

  4. Clear browser cache and Cookies. Corrupted or expired Cookies produce malformed request headers. Large cookie values exceeding server buffer limits are a frequent trigger. Clear stored data and retry.

  5. Verify Content-Length against the actual body size. A mismatch between the declared and transmitted byte count results in a bad request response.

  6. Check server-side size limits. nginx rejects oversized headers with a 400 when they exceed the buffer configured by large_client_header_buffers (default: 4 buffers of 8 KB). Increase the value in nginx.conf:

    large_client_header_buffers 4 16k;

    Apache enforces LimitRequestFieldSize (default 8190 bytes) and LimitRequestLine. Raise these in the server config or virtual host:

    LimitRequestFieldSize 16384
LimitRequestLine 16384

  7. Enable debug logging to identify the exact cause. nginx logs the rejection reason at the info level. Set error_log to info and review /var/log/nginx/error.log. Apache logs the offending header name in the error log at LogLevel info.

  8. Inspect reverse proxy header forwarding. When nginx or Apache operates as a reverse proxy, an incorrectly set Host, X-Forwarded-For, or X-Real-IP header causes the backend to reject the request. Verify the proxy_set_header directives pass valid values.

Code references

.NET

HttpStatusCode.BadRequest

Rust

http::StatusCode::BAD_REQUEST

Rails

:bad_request

Go

http.StatusBadRequest

Symfony

Response::HTTP_BAD_REQUEST

Python3.5+

http.HTTPStatus.BAD_REQUEST

Java

java.net.HttpURLConnection.HTTP_BAD_REQUEST

Apache HttpComponents Core

org.apache.hc.core5.http.HttpStatus.SC_BAD_REQUEST

Angular

@angular/common/http/HttpStatusCode.BadRequest

Takeaway

The 400 Bad Request status code is a client error indicating the server found the request invalid. The most common cause is a malformed URL or incorrect request syntax. In rare instances, the error stems from the server side.

See also

Last updated: March 4, 2026