How did you like the article?
How did you like the article?

HTTP 400: Bad Request explained

If you surf the internet every day, there have probably been times where things haven’t gone exactly as planned. Occasionally your browser will display a status code instead of the desired website content. When the webserver and the client (i.e. the browser) are communicating with one another, they transfer status messages. It’s only when an error occurs that will you see a cryptic error message displayed by your web browser. The HTTP 400 code indicates that something went wrong with the client request. We explain exactly what the error message means and provide tips on how to solve the problem.

What does the 400 Bad Request error mean?

With status codes, the webserver reveals the status of the requests to the client. If the server returns the message 200 (which you don’t normally see when surfing), it means that everything is fine. The request was successful and the desired content was transferred. It’s a different situation when the codes 400 and 500 are shown, since this indicates different types of errors.

All the 1xx codes are informational and all the 2xx codes are successful. Internet users generally see codes from 3xx and onwards: these mean that communication was successful, but that the client has to carry out an additional step. Most of these extra steps have to do with forwarding, which the browser does automatically, and which you only notice in a few cases.

This is quite different when it comes to error messages: while 5xx errors are related to the server, all 4xx codes relate to faulty requests from the client. The most well-known message is the 404 Not Found Error. The cause of the message is usually either an incorrectly written URL or deleted content.

It’s not so easy to answer the question 'what’s gone wrong here?' when you’re presented with a 400 error. It means that the request itself has somehow become defective. The internet protocol HTTP hasn’t been correctly adhered to (at least according to the webserver), which is why the request cannot be processed. The server has interpreted the request as faulty or even harmful. Therefore, it prevents the website from being properly displayed. The reasons for the error report are usually related to the browser used or a user error.

  • Incorrect URL: Just like the 404 error, a bad request is generated if users enter the internet address incorrectly or, for example, insert special characters that aren’t allowed.
  • Incorrect cookies: If the cookies in your browser are outdated or incorrect, this is another reason that an error 400 might occur.
  • Outdated DNS records: Your DNS cache might contain data that links to incorrect IP addresses.
  • Files too large: If you try to upload particularly large files, the server can refuse to accept them. The server classifies this as a ‘Bad Request’.
  • Header too long: When communicating, the client and server use the header to define the request. Some webservers set an upper limit for the length of headers.

It’s not immediately obvious what the communication problem is when you’re presented with the error message 'HTTP 400 Bad Request'. However, if the target webserver uses IIS 7.0, IIS 7.5, or IIS 8.0, more detailed information can be obtained from the status code:

  • 400.1: Invalid Destination Header
  • 400.2: Invalid Depth Header
  • 400.3: Invalid If Header
  • 400.4: Invalid Overwrite Header
  • 400.5: Invalid Translate Header
  • 400.6: Invalid Request Body
  • 400.7: Invalid Content Length
  • 400.8: Invalid Timeout
  • 400.9: Invalid Lock Token

The 400 error doesn’t just come into play when surfing the internet. Other programs, such as e-mail clients can also receive this status code when communicating with a server.

How to fix the 400 Bad Request

When a status code displays an error message, it is sometimes enough to simply refresh the page. Especially if this is the first time the error has occurred on a website that you normally visit without problems, the problem is likely to be temporary. If refreshing the page doesn’t solve the problem, try deleting the browser cache. Maybe your web browser has saved a copy of the error message.

Incorrect URL

The next step for analyzing the problem should be the check the URL: If you entered the address manually into the browser, check to make sure you didn’t make a typo. If you clicked on a link, check the spelling in it, or go directly to the homepage, and find the right page from there.

Incorrect cookies

The problem could also be due to outdated or incorrect cookies. To fix this, simply delete the corresponding record in your browser. When you visit the website again, the software creates a new cookie.


Cookies store information about website visits so the webserver knows you have visited the website in the past and what activities you undertook there. Cookie laws protect the privacy of internet users when using cookies.

Incorrect DNS entry

Another solution you can try is to delete your DNS cache. When you browse the internet, the domain names you enter are translated into IP addresses, which is how they connect to the World Wide Web. To do this, a name resolution must first be carried out with a nameserver. In order to shorten this process, your PC temporarily stores the collected data in the DNS cache. However, the next time the domain is entered into the browser, and the entry has not yet been automatically removed from the cache, the name resolution will take place directly from the cache. If this entry is corrupted or no longer up-to-date, the message 'HTTP Bad Request' appears.

To remove the incorrect entry, you must delete the complete DNS cache. This can be done by running the command prompt on Windows and entering this command to empty the cache:

ipconfig /flushdns

For Mac systems, the command is dependent on which version of OS is being used. All commands are entered via the terminal:

  • OS X 10.4 (Tiger): lookupd -flushcache
  • OS X 10.5 (Leopard): dscacheutil -flushcache
  • OS X 10.6 (Snow Leopard): dscacheutil - flushcache
  • OS X 10.7 (Lion): sudo killall -HUP mDNSResponder
  • OS X 10.8 (Mountain Lion): sudo killall -HUP mDNSResponder
  • OS X 10.9 (Mavericks): dscacheutil -flushcashe; sudo killall -HUP mDNSResponder
  • OS X 10.10 (Yosemite) (10.10.1 – 10.10.3): sudo discoverutil udnsflashcaches
  • OS X 10.10 (Yosemite) (10.10.4+): sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder
  • OS X 10.11 (El Capitan): sudo killall -HUP mDNSResponder
  • macOS 10.12 (Sierra): sudo killall -HUP mDNSResponder

Problems with HTTP header fields

As an Internet user: delete cookies and reset the browser

The HTTP 400 error occurs if the HTTP header is too long. In principle, headers don’t have a size limit, however, the target server may have set a limit. The header consists of several fields, in which requests and answers are defined. If both callers have matched the parameters, the requested data will be exchanged. If this doesn’t work, an error message will be displayed. Because this involves communication between the browser and the webserver, and 400 errors are usually caused by problems with the client, the browser is probably responsible for the error. The best way to test whether your default browser could be the cause of the problem: temporarily switch to another browser.

If the page can be accessed using your test browser, switch back to your original web browser. Delete all your cookies (if you haven’t already done so). For security reasons, it is best to delete them all instead of just one. Cookies are transferred in the header and this is how the webserver learns about your previous visit. If the browser ends up having to process too many requests, it could mean that the header will exceed the length limit.

If this solution doesn’t work, you could try reinstalling the browser completely or resetting it to its default settings. Depending on which browser you use, there are different ways to reset it. For Firefox, type in about:support for troubleshooting. Here, you will find plenty of information that will help you detect errors in the software. Even if you contact a support team, it’s still important to have this data. On this page, you will see a button that enables you to 'clean up Firefox'. When you click on it, it will delete extensions and some settings, but will keep your current settings.

In Internet Explorer, you can find the 'Reset' button in the internet options under the 'Advanced' tab or 'Restore defaults' (under IE 6). The Microsoft browser lets you choose whether you want to delete your personal settings when resetting. Since Internet Explorer also counts cache and cookies as these types of settings, it is recommended to delete these too.

With Chrome, you will find the reset functions in the system settings. The browser keeps your personal data, like stored passwords and history, but returns everything else to its original state. Close the browser and restart it for the changes to take effect.

As a web master: set limits

If you are a web master and visitors have been complaining about the 400 error code, then changing the service settings might help. In order to prevent internet users from receiving the error message due to an oversized HTTP header, you can set the limit. However, you should be aware that with higher limits, you increase the risk of defective requests. The Internet Engineering Task Force (IETF) has also addressed 400 Bad Request as a topic in its documentation on HTTP 1.1, and has pointed out the risk of high limits (smuggling attacks):


“A server that receives a request header field, or set of fields, larger than it wishes to process MUST respond with an appropriate 4xx (Client Error) status code. Ignoring such header fields would increase the server's vulnerability to request smuggling attacks (Section 9.5).”

Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing

Would you like to increase the limit anyway? Each web server has its own method. For example, with IIS (ASP.NET), you can change 'maxRequestLength' and 'maxAllowedContentLength'. For Apache, on the other hand, you can set the limit using 'LimitRequestFieldSize'.

Take up contact

Unfortunately, it could be the case that the solutions mentioned above don’t solve the problem. In that case, you should seek help elsewhere. In principle, you have two contact persons, depending on whether the HTTP 400 error is only displayed on a specific site or on many sites. If the error only occurs on a particular site, and the attempts to resolve it are not successful, you can contact the website operator. The other option (if you can’t surf regularly because a 400 Bad Request message is permanently shown), you should contact your internet provider. Even if the problem isn’t actually with the provider, the support team may be able to help you.

In both situations, you have to give your contact person as much information as you possibly can. This includes all the attempts you have undertaken so far to get rid of the tedious problem. On the other hand, you also need to give information about your system: which operating system and browser do you use? Have you installed extensions for this? Do you use a firewall or surf the internet via a proxy? All this information will help the support teams and the web master to solve the problem. This will enable you to surf the internet again without the 400 error being displayed.

Protocols HTTP