400 Bad RequestWhat 400 Bad Request means
HTTP 400 is the server's generic rejection for a request it parsed and found invalid. Unlike 401 or 403, it says nothing about who you are — it says the bytes you sent don't form a request the server is willing to process. The spec definition covers malformed syntax, invalid framing, and deceptive routing, which in practice means a handful of recurring culprits.
The most common triggers: unencoded characters in the URL (spaces, quotes, non-ASCII), oversized or corrupted Cookie headers (many servers cap total header size around 8 KB), a request body that contradicts its Content-Type or Content-Length, invalid characters in header values, and protocol mismatches — the classic being nginx's 'The plain HTTP request was sent to HTTPS port'.
Two properties make 400s easy to debug once you know them: they're deterministic (the identical request fails every time, so blind retries are pointless), and they can be issued by any hop that parses HTTP — the target server, a load balancer in front of it, or the proxy you're routing through. Your job is to find which hop rejected you and what it choked on.