400
Bad Request
4xx Client Error
What Does HTTP 400 Bad Request Mean?
HTTP 400 Bad Request indicates that the server cannot or will not process the request due to something that the server perceives as a client error. The request itself is malformed — the server cannot even begin to understand what the client wants.
Unlike 401 (authentication) or 403 (authorization), a 400 error means the request structure or data is fundamentally broken. The server is saying: "I cannot make sense of what you sent me." This is one of the most common HTTP errors encountered by both developers and regular users.
Common Causes
- Malformed JSON body: Missing commas, unclosed brackets, or trailing commas in JSON payloads. Servers parse the Content-Type and reject bodies that do not match. Even a single misplaced character can trigger this.
- Invalid or missing required parameters: The API expects certain query parameters or form fields that are absent, misspelled, or have wrong data types (sending a string where an integer is expected).
- URL too long or contains invalid characters: Some servers cap URL length at 2,048 or 8,192 characters. Unencoded special characters in the URL (spaces, brackets, unicode) also cause 400 errors.
- Corrupted or oversized cookies: Browsers send cookies automatically. If a cookie becomes corrupted or the total cookie header exceeds the server's limit (typically 4-8 KB), the server rejects the entire request.
- Mismatched Content-Type header: Sending a JSON body with
Content-Type: text/plain, or sending form data withContent-Type: application/json. The server tries to parse the body according to the declared type and fails.
How to Fix It
For Developers
- Validate JSON before sending: Use
JSON.parse()in a try-catch to verify your payload is valid JSON before making the request. Tools like our JSON Formatter can help identify syntax errors. - Check Content-Type matches the body: If you are sending JSON, set
Content-Type: application/json. For form data, useapplication/x-www-form-urlencodedormultipart/form-data. - URL-encode query parameters: Use
encodeURIComponent()for values that may contain special characters. Never pass raw user input directly into URLs. - Read the response body: Good APIs include error details in the 400 response body: which field failed, what was expected, and what was received. Always log and inspect 400 response bodies.
- Check request size limits: Nginx defaults to 1MB for
client_max_body_size. If your request body exceeds the server's limit, you may get 400 (or 413 Payload Too Large).
For Regular Users
- Clear cookies for the site: Go to browser settings, find the site, and clear its cookies. Corrupted cookies are a common cause.
- Check the URL: Make sure the URL does not contain unusual characters or is not excessively long. Re-type it manually if you copied it from somewhere.
- Try incognito mode: This disables extensions and uses no cookies, isolating whether the issue is browser-specific.
- Reduce file upload size: If you are uploading a file, try a smaller one. The server may reject files exceeding its size limit.
Code Examples
Common API 400 Response
$ curl -i -X POST https://api.example.com/users \
-H "Content-Type: application/json" \
-d '{"name": "Jane", "email": "not-valid"}'
HTTP/1.1 400 Bad Request
Content-Type: application/json
{
"error": "validation_error",
"details": [
{"field": "email", "message": "Invalid email format"}
]
}
Malformed JSON Causing 400
# Trailing comma makes this invalid JSON
$ curl -i -X POST https://api.example.com/data \
-H "Content-Type: application/json" \
-d '{"key": "value",}'
HTTP/1.1 400 Bad Request
{"error": "Malformed JSON in request body"}
Returning 400 in Express.js
app.post('/api/users', (req, res) => {
const { name, email } = req.body;
if (!name || !email) {
return res.status(400).json({
error: 'Missing required fields',
required: ['name', 'email'],
received: Object.keys(req.body)
});
}
// ... create user
});
Frequently Asked Questions
What causes a 400 Bad Request error?
A 400 error is caused by the client sending a request the server cannot process. The most common triggers: malformed JSON or XML in the request body, missing required fields or parameters, URL containing invalid characters, corrupted browser cookies, or a Content-Type header that does not match the actual body format.
How do I fix a 400 Bad Request as a regular user?
Try these steps in order: 1) Clear your cookies and cache for the specific website. 2) Double-check the URL for typos. 3) Try the page in an incognito/private window. 4) Disable browser extensions. 5) Try a different browser. If the problem persists across browsers and devices, the issue is likely on the server side and you should contact the site owner.
What is the difference between 400 and 422 errors?
400 Bad Request means the request is syntactically broken — the server cannot even parse it (e.g., invalid JSON). 422 Unprocessable Entity (from WebDAV, commonly used in REST APIs) means the request is syntactically correct but contains semantic errors (e.g., valid JSON but
"age": -5" fails business logic validation). Use 400 for parse errors, 422 for validation errors.