400 Bad Request
The server cannot process the request due to something that is perceived to be a client error.
Usually happens because:
- ☑ Malformed request syntax in headers
- ☑ Request cookie size exceeds server
- ☑ Deceptive or invalid network gateway
🔍 Quick Checklist:
Meaning
The HTTP 400 Bad Request response status code indicates that the server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).
Root Causes
- Malformed request syntax in headers or body payload data.
- Request cookie size exceeds server limits.
- Deceptive or invalid network gateway requests.
| Cause | Frequency |
|---|---|
| Malformed request syntax in headers | ⭐⭐⭐⭐⭐ |
| Request cookie size exceeds server | ⭐⭐⭐⭐ |
| Deceptive or invalid network gateway | ⭐⭐⭐ |
Common Mistakes
- Returning HTTP 200 OK with error bodies (Soft 200) instead of a clear 400 Bad Request.
- Sending unescaped query string arguments, resulting in server-side parsing crashes.
How to Fix
Framework-Specific Examples
Express middleware validating JSON payloads and returning 400.
app.post('/api/users', (req, res) => {
if (!req.body.name) {
return res.status(400).json({ error: 'Name is required' });
}
});Server Configuration Examples
Setting buffer limits to reject overly large header sizes.
large_client_header_buffers 4 8k;Prevention
- Implement standard payload schema validators (e.g. Zod, Joi, or Hibernate Validators).
- Sanitize and encode all URI query parameters.
Frequently Asked Questions (FAQ)
Q: Can a client-side library trigger 400 errors?
Yes. If an AJAX request fails to serialize its payload (e.g., sending invalid JSON string representations), the receiving server will reject the request as a 400 Bad Request.
Q: What is the difference between 400 Bad Request and 422 Unprocessable Entity?
400 means syntax is corrupt (like invalid JSON). 422 means syntax is correct, but semantic rules fail (like email address already taken).
Q: How do I log 400 errors?
Log them in backend request filters before returning responses. Ensure client payload trace details are captured.
Q: Can invalid cookies cause a 400 Bad Request?
Yes. If browser cookie sizes accumulate beyond proxy buffer limits, Nginx or Apache will reject the request with a 400 Bad Request.