What is the difference between a 400 and a 404 error?

A 400 Bad Request means the server could not even make sense of the request you sent, usually thanks to a malformed URL, a bad header, or an oversized cookie, so it never got far enough to look anything up. A 404 Not Found is different: the request read perfectly, there is simply no resource at that address. Put bluntly, 400 is a broken request and 404 is a missing page.

Why does clearing cookies fix a 400 Bad Request?

Every visit, your cookies ride to the server inside the request headers. If a cookie for that website has ballooned or gone corrupt, the combined header can run past what the server will accept, or just fail to parse, and the answer is a 400. Delete the cookies for that one website and your next visit issues a clean, small set, which usually slips under the limit and lets the request through.

What does 400 Bad Request: Request Header Or Cookie Too Large mean?

It is a specific flavor of 400 that servers like nginx return when the request headers, the cookies most of the time, outgrow the buffer reserved for them (8 KB by default on nginx). As a visitor, clearing the cookies for that website almost always sorts it. As the owner, you can raise large_client_header_buffers in nginx, but you are better off also cutting the cookie bloat so the headers stay small to begin with.

Is a 400 error my fault or the website's fault?

Usually it is something local to you, not the website going down: a stale or oversized cookie, a URL typo, an extension tampering with the request, or a bad DNS cache. That is why clearing cookies and checking the URL come first. Still, the website can be at fault. If an API, form, or endpoint keeps returning 400 to a correct request, the trouble lies in how the server validates or accepts requests, and only the owner can fix that.

Why am I getting a 400 Bad Request from an API?

From an API, a 400 nearly always means the request did not match what the endpoint expects: a malformed or wrongly encoded body (invalid JSON, say), a missing or incorrect content-type header, an absent required field, or a bad query parameter. Inspect the exact request with curl -v or your client's logs, line it up against the API documentation, and fix the malformed part. Resending the same request unchanged will keep returning 400.

Does a 400 error hurt SEO?

A real 400 should not turn up on a normal, well-formed page request, so it rarely touches the public URLs a search engine crawls. If Googlebot kept getting a 400 on pages you want indexed, those pages could not be crawled or indexed, but that signals a real request-handling or edge-rule problem to fix. Pages meant to be public have to return 200, so check that no proxy or WAF rule is turning a clean request into a 400.

Why does the same page work in incognito but show a 400 normally?

An incognito or private window opens with no cookies from your usual session and typically without your extensions running. If the page loads there but 400s in your regular window, the culprit is riding along with your normal profile: almost always a stale or oversized cookie for that website, or an extension rewriting the request. Clear that website's cookies in your main browser, then disable extensions one by one, and you will narrow down which it is.

What is the difference between 400 Bad Request and 422 Unprocessable Content?

The split is about where the request fails. A 400 means the server choked at the HTTP level: broken syntax, bad framing, or malformed headers, so the request never reached your application code at all. A 422 is the opposite, the request parsed fine and the server understood it, but the contents broke a validation or business rule. Picture a perfectly structured JSON body whose email field is not actually a valid email. Reach for 400 when the request is unreadable, and 422 when it reads cleanly but violates a rule.

Besides cookies, what causes Request Header Or Cookie Too Large?

Cookies are only the usual suspect. Anything that overflows the server's header buffer will do it. An SSO or auth layer that bolts on long or numerous headers, a fat Authorization token, a stack of forwarded headers from a chain of proxies, even a bloated Referer: any of these can push the request past the limit, which nginx sets at 8 KB by default. Cut down what the client sends first. Only raise large_client_header_buffers on the server once you have confirmed the headers are genuinely large.

Can a 400 ever be the website's fault rather than mine?

It can. When a properly formed request still comes back 400, the trouble is server-side. Maybe an API or form validates input too aggressively and rejects data that is actually valid. Maybe a buffer is set too small to fit ordinary headers. Or a WAF, CDN, or proxy rule mangles or refuses the request before the application ever sees it. Once clearing cookies, fixing the URL, and trying incognito all come up empty, the fault has shifted to the website's request handling.

Why does a very long URL return a 400 instead of loading?

There are two ways an overlong URL breaks. Some servers answer 414 URI Too Long when the request line passes their limit. Others, or the same server tuned differently, return a plain 400 because they cannot parse the oversized or malformed request line. The fixes: shorten the URL, push long parameters into a POST body, or, if the server is yours, bump large_client_header_buffers in nginx, which also governs the request line.

Should I retry a 400 the way I would retry a 500?

No, and the reason is simple. A 5xx is a server-side failure that might clear on a second try, so backing off and retrying is reasonable. A 400 says the request itself is broken. Send it again unchanged and you get the same 400, every time, by design. Repair the request first, clear the offending cookie, fix the URL, or correct the payload, then send it. Hammering a 400 with blind retries just adds noise and can trip rate limits.

400 Bad Request

You hit a page and instead of content you get a curt 400 Bad Request. The server is reachable and alive, but it looked at what your browser sent, could not make sense of it, and gave up before doing anything else. The request itself was broken, so reloading it unchanged just earns the same rejection.

Updated June 2026 · 8 min read

Written by

Andrian Valeanu Founder of Pulsetic

Andrian Valeanu founded Pulsetic and, before it, Designmodo. Across 15-plus years he has shipped web products, design tools, and monitoring software teams around the world rely on.
Reviewed by

Ionut Caval Technical reviewer

Ionut Caval reviews Pulsetic's technical guides for accuracy. He works hands-on with web servers, networking, and uptime monitoring day to day, and makes sure the causes and fixes here hold up in production.

The short version: In most cases the fix lives on your end. Clear the cookies and cache for that one website, retype the URL to strip out any typos or stray characters, and load the page in an incognito window. If that does it, the culprit was a stale or oversized cookie.

Key takeaways

400 Bad Request means the server could not parse the request itself: malformed syntax, invalid message framing, or, per RFC 9110, anything the server perceives as a client error. It stops before checking identity, permission, or whether the page exists.
The word server is misleading here. The broken request almost always starts on your side, and the two usual triggers are a corrupted or oversized cookie and a URL with a typo or an illegal character.
One variant in particular, 400 Bad Request: Request Header Or Cookie Too Large, shows up on servers like nginx when the request headers blow past the buffer, 8 KB by default. For a visitor, clearing that website's cookies almost always fixes it.
Since the cause rides along with your browser or the request, the same page usually loads in an incognito window or on another device. That is the fastest way to prove the problem is local rather than the website being down.
A 400 is a genuine HTTP response, so the server still looks healthy from outside. An up-or-down ping will report the website up while a broken API or form endpoint quietly keeps rejecting requests.

Error type: HTTP 4xx client error
Whose side: Usually your side; sometimes the website
Fix difficulty: Easy
Common cause: The server could not parse the request

What does 400 Bad Request mean?

A 400 Bad Request is an HTTP status code in the 4xx family, which puts the problem on the request side rather than down to a crash on the server. Per the HTTP specification and MDN, the server returns a 400 when it refuses to process the request because of something it treats as a client error, typically malformed request syntax, invalid message framing, or a deceptive request route. The server bails out at the parsing stage. It never reaches the logic that would check authentication, permissions, or whether the page even exists, because the request was unreadable before any of that mattered. Send the same request again unchanged and it fails again with the same 400.

The word server in the message is a red herring. The broken request usually comes from the visitor's side, and two triggers account for most cases: a corrupted or oversized cookie sitting in your browser, and a URL carrying a typo or an illegal character. Less often the blame falls on a stale local DNS entry, a browser extension that rewrites the request, or an upload bigger than the server will take. And because the cause travels with your browser or the request itself, the same page often loads fine in an incognito window or on another device, which is the quickest way to tell whether the problem is local or the website is actually down.

The path a request takes from your browser to the website's servers. A 400 Bad Request is produced at the highlighted stages.

400: HTTP status code
4xx: Client-side error class
8 KB: Default nginx header buffer size

How the 400 Bad Request error appears

The wording changes depending on your browser, device, or server. Here is how this error commonly shows up:

400

Bad Request

Your browser sent a request that this server could not understand.

What a 400 Bad Request looks like in the browser. The exact wording varies by browser, device, and server.

400 Bad Request
HTTP Error 400
Bad Request
Error 400
400 Bad Request: Request Header Or Cookie Too Large
400 Bad Request nginx

400 vs 401, 403 and 404

All four are 4xx client errors, but each one fails at a different point in handling the request.

Code	What it means	Who fixes it
400 Bad Request	The server could not even parse the request: malformed syntax, a bad header, or an oversized cookie. It never got as far as checking who you are or what you wanted.	Usually the client or app sending the request; sometimes a browser cookie or a proxy.
401 Unauthorized	The request was understood, but you have not proven who you are. The resource is gated behind authentication and valid credentials would let you in.	The visitor, by logging in, or whoever holds the API token or auth config.
403 Forbidden	The request was understood and you may be authenticated, but the server refuses to authorize access to that resource. Re-sending credentials will not help.	The website owner or admin, by fixing permissions, rules, or the firewall.
404 Not Found	The request was fine, but there is no resource at that URL, or the server is hiding one it will not admit exists.	The website owner, by restoring the resource or link; or the visitor, by correcting the address.

400 vs 401, 403, 404 and 429 at a glance

All five are 4xx client errors, but each fails at a different stage of handling the request, points at a different person, and has a different typical cause.

Code	Meaning	Whose fault	Typical cause
`400` Bad Request	The request could not be parsed at all	Usually the client; sometimes a proxy or edge rule	Oversized cookie, malformed URL, bad request body
`401` Unauthorized	Not authenticated; the server does not know who you are	The caller, or the auth configuration	Missing, wrong, or expired credentials or token
`403` Forbidden	Authenticated or not, access is refused	The website owner; sometimes the visitor (a block)	Permissions, an IP or WAF rule, hotlink protection
`404` Not Found	No resource exists at that URL	The website owner, or the visitor (typo)	Deleted or moved page, broken link, bad rewrite
`429` Too Many Requests	You hit a rate limit; slow down	Mostly the client; the server can raise limits	Too many requests in a window, shared IP, a loop

What causes 400 Bad Request?

Oversized or corrupted cookies for that website. This is the single most common cause: a bloated or stale cookie makes the request header too large or unreadable, and the server throws it out (often shown as 400 Bad Request: Request Header Or Cookie Too Large).
A request header that overruns the server's buffer limit even without huge cookies, say when a proxy, SSO, or auth layer keeps stacking on headers until they pass the default size.
A malformed or mistyped URL: a typo, a stray space, or a missing = or & in a query string the server cannot parse.
Invalid or badly encoded characters in the URL. Think a literal {, or broken percent-encoding like %%20 where %20 was meant.
A stale or corrupted local DNS cache that no longer lines up with the website's current records, so the request leaves malformed or aimed at the wrong place.
A browser extension, ad blocker, or security tool that rewrites the request headers, cookies, or URL before it ever leaves the browser.
An upload or POST body bigger than the server accepts, or a malformed request body such as invalid JSON sent to an API, which the server cannot read.

How to find the cause fast

Pin down the scope first. Does every website throw a 400, or only this one URL? A single website points to its cookies or a bad link; errors everywhere point to your browser, an extension, or your DNS cache.
Read the URL slowly, looking for typos, stray spaces, and characters that should have been encoded. Then follow a known-good link to the same website instead of one you typed by hand.
Open the page in an incognito or private window. It runs without your cookies and most of your extensions, so if the page loads there, a stored cookie or an add-on on your normal profile is to blame.
Own the endpoint? Reproduce the error with curl -v or the browser network panel to see the exact request line, headers, and body the server is rejecting.

curl -sI 'https://example.com/search?q=%'HTTP/1.1 400 Bad Request# the % is an invalid URL escape the server rejected

What a 400 Bad Request looks like from the command line. The grey lines starting with # are explanatory comments.

How 400 Bad Request looks from the outside

A 400 is a genuine HTTP response, so from outside the server still looks fine: the connection opens, TLS completes, and a reply comes back fast, just carrying the wrong status code. A plain up-or-down ping will call the website up while a broken endpoint keeps turning requests away. To catch it, check the actual status code on the URL that matters, not just whether the host answers. One more thing worth knowing: a 400 usually reflects the specific request that was sent, so an API or form can 400 on malformed input while the rest of the website runs perfectly.

To confirm the exact code a URL returns, or to re-test several at once after a fix, run them through the free bulk URL status checker.

How to fix 400 Bad Request

If you are a visitor

Clear the cookies and cache for that specific website. A corrupted or oversized cookie is the most common trigger, and you rarely need to wipe data for every website to fix it.
Read the URL again for typos, extra spaces, and missing or illegal characters. Retype it, or follow a known-good link instead of a pasted one.
Open the page in an incognito or private window to test it free of your cookies and extensions.
Turn off browser extensions, ad blockers and security add-ons especially, then switch them back on one at a time until the one altering the request shows itself.
Flush your DNS cache (ipconfig /flushdns on Windows, the dscacheutil command on macOS) in case a stale record is breaking the request.
Restart the browser, or hop to a different browser or device, to rule out a corrupted session on your current one.
Were you uploading a file? Try a smaller one. A file over the website's size limit can come back as a 400.
If it still fails on every browser and device, the fault sits on the website's side. Wait and retry later, or get in touch with the website owner.

If you run the website

Seeing Request Header Or Cookie Too Large? Raise the header and cookie buffer limits: on nginx, bump large_client_header_buffers and client_header_buffer_size, then reload, and trim oversized cookies at the source so headers stay small.
Validate and sanitize incoming requests so a malformed URL, header, or body returns a clear, deliberate response rather than a generic 400. Log the rejected requests too, so you can see exactly what is being sent.
For any API or form that is 400ing, check the request format: confirm the method, the content type, the required fields, and that the body (JSON, for instance) is well-formed and correctly encoded.
Audit your WAF, CDN, and reverse-proxy rules. An edge layer can reject or rewrite a request and hand back a 400 long before it reaches your origin.
Make sure your upload and request-size limits are sane (body and field size in nginx or PHP, for example), so legitimate uploads do not get bounced as bad requests.

Still not fixed? Next steps

Reproduce the exact request with curl -v so you can see the request line, every header, and the body the server is rejecting. A huge Cookie line or a mangled header tends to stand out immediately.
When only an API or form 400s, check the payload against the endpoint's spec: the method, the Content-Type, the required fields, and whether any JSON body is well-formed and correctly encoded. The rest of the website staying healthy is a strong hint that one specific request is the problem.
Seeing Request Header Or Cookie Too Large on the server? Raise large_client_header_buffers and client_header_buffer_size in nginx, then trim the oversized cookies at the source. Keeping the headers small beats simply widening the buffer to swallow them.
Look at whether a WAF, CDN, or reverse proxy is rewriting or rejecting the request at the edge and handing back a 400 before it ever reaches your origin. Bypass the edge to find out whether the origin itself would have accepted it.

Code & configuration

Copy-paste starting points. Replace example.com and the paths with your own, and test changes on staging before production.

Raise nginx header and cookie buffer limits

# in the http block of nginx.conf, then reload nginx
http {
  client_header_buffer_size   4k;
  large_client_header_buffers 4 16k;
}
# default is 8k; raising it fixes "Request Header Or Cookie Too Large"

Inspect the exact request your client is sending

# -v prints the request line, headers, and the status you get back
curl -v https://example.com/path
# watch for malformed headers, a huge Cookie line, or a bad URL

Flush the local DNS cache so a stale record cannot break the request

# Windows
ipconfig /flushdns
# macOS
sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

How to prevent 400 Bad Request

A 400 usually clears with a cookie or cache reset, but the picture changes when your own API or app starts rejecting valid requests: now every client hits the wall at the same time. Pulsetic checks your website and endpoints from multiple locations every 30 seconds and alerts you by email, SMS, voice call, Slack, Discord, Telegram, or webhook the moment a URL stops returning what you expect. It gauges availability from the outside, not from your server's internals.

Learn how Pulsetic's uptime monitoring detects this from the outside, across 15+ locations.

Related errors

Browse all error guides

Frequently asked questions

What is the difference between a 400 and a 404 error?

A 400 Bad Request means the server could not even make sense of the request you sent, usually thanks to a malformed URL, a bad header, or an oversized cookie, so it never got far enough to look anything up. A 404 Not Found is different: the request read perfectly, there is simply no resource at that address. Put bluntly, 400 is a broken request and 404 is a missing page.
Why does clearing cookies fix a 400 Bad Request?

Every visit, your cookies ride to the server inside the request headers. If a cookie for that website has ballooned or gone corrupt, the combined header can run past what the server will accept, or just fail to parse, and the answer is a 400. Delete the cookies for that one website and your next visit issues a clean, small set, which usually slips under the limit and lets the request through.
What does 400 Bad Request: Request Header Or Cookie Too Large mean?

It is a specific flavor of 400 that servers like nginx return when the request headers, the cookies most of the time, outgrow the buffer reserved for them (8 KB by default on nginx). As a visitor, clearing the cookies for that website almost always sorts it. As the owner, you can raise large_client_header_buffers in nginx, but you are better off also cutting the cookie bloat so the headers stay small to begin with.
Is a 400 error my fault or the website's fault?

Usually it is something local to you, not the website going down: a stale or oversized cookie, a URL typo, an extension tampering with the request, or a bad DNS cache. That is why clearing cookies and checking the URL come first. Still, the website can be at fault. If an API, form, or endpoint keeps returning 400 to a correct request, the trouble lies in how the server validates or accepts requests, and only the owner can fix that.
Why am I getting a 400 Bad Request from an API?

From an API, a 400 nearly always means the request did not match what the endpoint expects: a malformed or wrongly encoded body (invalid JSON, say), a missing or incorrect content-type header, an absent required field, or a bad query parameter. Inspect the exact request with curl -v or your client's logs, line it up against the API documentation, and fix the malformed part. Resending the same request unchanged will keep returning 400.
Does a 400 error hurt SEO?

A real 400 should not turn up on a normal, well-formed page request, so it rarely touches the public URLs a search engine crawls. If Googlebot kept getting a 400 on pages you want indexed, those pages could not be crawled or indexed, but that signals a real request-handling or edge-rule problem to fix. Pages meant to be public have to return 200, so check that no proxy or WAF rule is turning a clean request into a 400.
Why does the same page work in incognito but show a 400 normally?

An incognito or private window opens with no cookies from your usual session and typically without your extensions running. If the page loads there but 400s in your regular window, the culprit is riding along with your normal profile: almost always a stale or oversized cookie for that website, or an extension rewriting the request. Clear that website's cookies in your main browser, then disable extensions one by one, and you will narrow down which it is.
What is the difference between 400 Bad Request and 422 Unprocessable Content?

The split is about where the request fails. A 400 means the server choked at the HTTP level: broken syntax, bad framing, or malformed headers, so the request never reached your application code at all. A 422 is the opposite, the request parsed fine and the server understood it, but the contents broke a validation or business rule. Picture a perfectly structured JSON body whose email field is not actually a valid email. Reach for 400 when the request is unreadable, and 422 when it reads cleanly but violates a rule.
Besides cookies, what causes Request Header Or Cookie Too Large?

Cookies are only the usual suspect. Anything that overflows the server's header buffer will do it. An SSO or auth layer that bolts on long or numerous headers, a fat Authorization token, a stack of forwarded headers from a chain of proxies, even a bloated Referer: any of these can push the request past the limit, which nginx sets at 8 KB by default. Cut down what the client sends first. Only raise large_client_header_buffers on the server once you have confirmed the headers are genuinely large.
Can a 400 ever be the website's fault rather than mine?

It can. When a properly formed request still comes back 400, the trouble is server-side. Maybe an API or form validates input too aggressively and rejects data that is actually valid. Maybe a buffer is set too small to fit ordinary headers. Or a WAF, CDN, or proxy rule mangles or refuses the request before the application ever sees it. Once clearing cookies, fixing the URL, and trying incognito all come up empty, the fault has shifted to the website's request handling.
Why does a very long URL return a 400 instead of loading?

There are two ways an overlong URL breaks. Some servers answer 414 URI Too Long when the request line passes their limit. Others, or the same server tuned differently, return a plain 400 because they cannot parse the oversized or malformed request line. The fixes: shorten the URL, push long parameters into a POST body, or, if the server is yours, bump large_client_header_buffers in nginx, which also governs the request line.
Should I retry a 400 the way I would retry a 500?

No, and the reason is simple. A 5xx is a server-side failure that might clear on a second try, so backing off and retrying is reasonable. A 400 says the request itself is broken. Send it again unchanged and you get the same 400, every time, by design. Repair the request first, clear the offending cookie, fix the URL, or correct the payload, then send it. Hammering a 400 with blind retries just adds noise and can trip rate limits.

Catch the next outage before your visitors do.

2-minute setup · Cancel any time
Create Free Account

Your Dashboard

No credit card needed