Skip to content

How to Fix HTTP 400 Bad Request Error

DodaTech Updated 2026-06-24 3 min read

In this tutorial, you'll learn about How to Fix HTTP 400 Bad Request Error. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

The Problem

Your API client receives:

HTTP/1.1 400 Bad Request

Or:

400 Bad Request: The server could not understand the request due to invalid syntax.

The server cannot Process the request because the client sent a malformed or invalid request.

Quick Fix

1. Check the request body syntax

A malformed JSON body is the most common cause:

// Wrong — invalid JSON (trailing comma)
fetch('/api/users', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ name: 'John', email: 'john@example.com', })
})

// Right — valid JSON
fetch('/api/users', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ name: 'John', email: 'john@example.com' })
})

2. Validate URL encoding

Special characters in URLs must be percent-encoded:

# Wrong — unencoded spaces and special chars
GET /api/search?q=hello world&filter=name:John

# Right — percent-encoded
GET /api/search?q=hello%20world&filter=name%3AJohn

In JavaScript:

const params = new URLSearchParams({
  q: 'hello world',
  filter: 'name:John'
})
fetch(`/api/search?${params}`)

3. Check request headers

A request header that is too large or malformed triggers 400:

// Wrong — oversized cookie or custom header
fetch('/api/data', {
  headers: { 'X-Custom-Token': 'a'.repeat(100000) } // too large
})

// Right — keep headers under 8KB
fetch('/api/data', {
  headers: { 'X-Custom-Token': 'valid-token' }
})

4. Check Content-Type header

The Content-Type must match the body format:

// Wrong — JSON body but wrong content type
fetch('/api/users', {
  method: 'POST',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  body: JSON.stringify({ name: 'John' })
})

// Right
fetch('/api/users', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ name: 'John' })
})

5. Debug with curl

Test the request directly to isolate the issue:

# Test with verbose output
curl -v -X POST https://api.example.com/users \
  -H "Content-Type: application/json" \
  -d '{"name":"John","email":"john@example.com"}'

Prevention

  • Always use JSON validators or linters in development.
  • Use URLSearchParams or encodeURIComponent for query parameters.
  • Keep request headers under 8KB total.
  • Validate Content-Type on both client and server.
  • Log the full request body and headers on 400 errors for debugging.

Common Mistakes with 400 bad request

  1. Using head and tail instead of pattern matching, causing runtime errors on empty lists
  2. Forgetting that lazy evaluation defers computation until the value is forced, causing space leaks with unevaluated thunks
  3. Using return to exit a function early instead of wrapping a pure value in the monad

These mistakes appear frequently in real-world API code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.

Practice Exercise

Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.

This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.

FAQ

### What is the difference between 400 Bad Request and 422 Unprocessable Entity?

400 means the request is syntactically malformed (invalid JSON, bad encoding). 422 means the request is syntactically valid but the server cannot Process it (e.g., validation failed).

Can a proxy or CDN return 400 for a valid request?

Yes. A reverse proxy like Nginx may return 400 if the request violates HTTP protocol (e.g., host header too long, invalid characters). Check the proxy logs.

How do I see the full request body that caused the 400?

Check the server access logs or use a tool like curl -v to inspect the exact request being sent. The server may also include the parsing error in the response body.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro