Bad Request Error 400 means the server rejected the request due to client-side issues like malformed URLs, cookies, or headers.
Bad Request Error 400 Fix — What It Means And What To Do
Quick check: right now, Bad Request Error 400 signals a client error: common reasons include malformed request syntax, invalid request framing, or deceptive routing. These are the exact classes named today in the HTTP standard and MDN’s reference pages.
- Check the URL — Look for stray characters, double % signs, or illegal symbols.
- Refresh the page — A one-off glitch can trigger a bad request.
- Bypass cache — Use Ctrl/Cmd+Shift+R.
- Clear site cookies only — Remove the site’s cookies to fix corrupt or bloated cookies without wiping everything.
- Trim extensions — Disable extensions that rewrite headers.
- Try another browser — Rule out a browser-specific quirk.
Deeper fix: if you manage a site or API, inspect server logs for malformed requests, oversized headers, or invalid JSON; adjust limits only after reproducing the issue.
400 Bad Request Error — Causes By Browser And App
The same status appears in different skins across Chrome, Edge, Firefox, Safari, mobile apps, and CLI tools. The core cause stays the same: the server rejects the request as bad. Still, the trigger can vary by client and context. Here’s a compact map you can act on quickly today.
| Symptom | Likely Cause | Fast Fix |
|---|---|---|
| “400 Bad Request” after login | Stale or oversized cookies | Clear site cookies, sign in again |
| 400 only on one URL | Illegal characters or broken encoding | Fix the URL, re-encode strings |
| Blank page in some browsers | Client shows a generic 400 shell | Use another browser to verify |
| Upload triggers 400 | File too large or wrong content type | Reduce size, match content type |
| API returns 400 with JSON | Malformed JSON or missing fields | Validate JSON, send required keys |
| Only your account fails | Account-scoped cookie corruption | Clear cookies for the site only |
| 400 behind a proxy/CDN | Headers exceed allowed size | Reduce cookies; raise server limits |
Root Causes You Can Confirm Quickly
Malformed Or Illegal URL
Extra % symbols, braces, or unencoded spaces can break a request and trigger a 400. Re-encode the string, remove illegal characters, and retry. Many 400s vanish once the URL is corrected.
Corrupt Or Oversized Cookies
Web apps often store session state in cookies. As these grow or corrupt, servers may reject the request with a 400. Clearing cookies for the single site resets the state without erasing data for other sites.
Request Headers Too Large
Cookies live in request headers. When the combined header size exceeds limits on a proxy, CDN, or origin, the server returns a 400. On NGINX and some CDNs, raising header buffers helps, but trimming cookies is the safer first move.
Invalid JSON Or Payload
APIs often reject malformed JSON, wrong content types, or missing required fields. A 400 here means the shape of the request doesn’t match what the server expects.
DNS And Cache Noise
Old DNS entries or stale cache can cause a mismatch that ends in a bad request. Flushing DNS and forcing a fresh fetch often clears it.
Step-By-Step Fixes That Work
Run these from top to bottom. Each step is safe, fast, and aims to keep your logins and settings intact unless stated.
- Check the address bar — Remove stray characters, decode odd sequences, and retry again.
- Force a fresh load — Use Ctrl/Cmd+Shift+R to bypass cache for a single visit.
- Clear cookies for this site only — In Chrome: Settings → Privacy and security → Site settings → View permissions and data stored across sites → search the domain → Clear data. In other browsers, use the site-data controls to wipe only the problem site.
- Disable extensions — Turn off request-modifying add-ons on this browser profile, then reload and test now.
- Retry the action in a second browser — If the page loads in another browser, the issue likely sits in cache, cookies, or extensions in the first one.
- Trim the request — For file uploads, reduce size and match the content type; for APIs, validate JSON and required fields before sending.
- Restart the router and flush DNS — Clear local DNS cache and renew the link to the site.
Bad Request Error 400 — Admin And Developer Playbook
When users report a 400, collect the URL, request ID if present, and timestamp. Reproduce the error, then walk through these targeted checks.
- Inspect server logs — Look for “request header too large,” parse errors, or JSON errors at the time of the report.
- Measure header size — Sum all headers, including cookies, and compare with reverse proxy and origin limits.
- Right-size limits carefully — On NGINX, raise
client_header_buffer_sizeandlarge_client_header_buffersonly if trimming cookies is not viable. - Validate payloads — Enforce content type, schema, and field presence; return actionable error bodies.
- Guard routing — Block deceptive routes and normalize paths to avoid bad framing.
Header And Cookie Limits: What To Expect
Reverse proxies and servers set conservative header limits. If cookies balloon, even a normal page view can breach those caps and trigger a 400. Track cookie growth and expire old keys to stay within safe bounds.
Safe Server Tweaks
- Raise header buffers only as needed — Bump limits in small steps and watch memory impact under load.
- Expire legacy cookies — Retire unused cookie names; keep values compact.
- Return clear error bodies — Include a machine-readable code (“cookie_too_large”, “json_invalid”) so clients can self-heal.
Proof-Backed Fix Paths
Standards define 400 as a client error; browser and host docs back the cookie, URL, and header fixes shown here.
Browser Steps: Clean And Targeted
- Chrome — Delete cookies for a single site from Settings → Privacy and security → Third-party cookies → See all site data and permissions.
- Firefox — Remove data per site from Settings → Privacy & Security → Cookies and Site Data → Manage Data.
- Edge — Clear per-site cookies via Settings → Cookies and site permissions → Manage and delete cookies and site data → See all cookies and site data.
- Safari — Open Preferences → Privacy → Manage Website Data → remove the domain.
Developer Steps: Log, Measure, Fix
- Log request IDs — Tie errors to traces so you can follow the path through proxies.
- Expose clear 400 bodies — Give clients a hint: “header_too_large,” “invalid_json,” or “bad_path.”
- Enforce schemas — Validate payloads server-side; reject early with helpful messages.
- Control cookie size — Store less in cookies; shift bulky state to server storage.
One-Page Checklist To Clear A 400 Fast
- Fix the URL — Remove illegal characters, re-encode spaces, and try again.
- Reload without cache — Use a hard refresh so the page comes from the network.
- Purge site cookies — Clear only the site that fails to keep other logins intact.
- Toggle extensions — Turn off request-modifying add-ons, then add them back one by one.
- Retest in a second browser — Confirm whether it’s a client profile issue.
- Reduce payload — Shrink uploads; send correct content types and valid JSON.
- Flush DNS — Clear local DNS and retry the same URL.
- Ask the site owner — If many users see it at once, the fix likely sits server-side.
Bottom line: these steps solve the vast majority of cases. If the page still fails, contact the site or your admin now so they can trace the request through proxies and origins.
References You Can Trust
Learn the formal definition in the IETF’s HTTP Semantics and the practical notes on MDN. For browser steps, see Chrome’s cookie controls. For server cases, read Microsoft’s IIS guidance and NGINX buffer tips. For common patterns and user-side fixes, see host and ops guides.
- IETF RFC 9110: HTTP Semantics
- MDN: 400 Bad Request
- Google Chrome Help: Delete And Manage Cookies
- Microsoft Docs: Troubleshoot HTTP 400 In IIS
- Kinsta: Fix 400 Bad Request
- Dev.to: NGINX Header/Cookie Too Large
If you hit Bad Request Error 400 on a trusted site after all checks, share the exact time and request path with support; that speeds up tracing on their end.