LocalHost.Co
Home / Articles / http error 406
error-codes

http error 406

Learn about the HTTP Error 406 Not Acceptable. Understand content negotiation, Accept headers, and how developers can fix API format mismatches and server rules.

21 Mar 2026

The http error 406, officially designated as "Not Acceptable," is an HTTP status code that relates directly to the concept of content negotiation. It occurs when a client (like a web browser or an API consumer) requests a resource from the server, but the server is unable to provide a response that matches the specific criteria the client requested. Essentially, the server is saying, "I have the data you want, but I cannot format it in the way you demanded."

The Role of Content Negotiation and Accept Headers

To understand a 406 error, you must understand how a client and server agree on the format of data. When a client sends an HTTP request, it usually includes several Accept headers. These headers act as a wish list, telling the server what formats, languages, and encodings the client is capable of processing.

  • Accept: Specifies the media types (MIME types) the client wants (e.g., application/json, text/html, image/webp).
  • Accept-Charset: Specifies the character sets (e.g., utf-8, iso-8859-1).
  • Accept-Encoding: Specifies the compression algorithms (e.g., gzip, br).
  • Accept-Language: Specifies preferred languages (e.g., en-US, fr-FR).

If an API client sends a request with the header Accept: application/xml, it strictly demands XML data. If the backend server is programmed only to output JSON data (application/json), it cannot fulfill the strict requirement. A properly configured server will recognize this impasse and return an HTTP 406 Not Acceptable error.

Common Causes of an HTTP 406 Error

While standard web browsing rarely results in a 406 error because modern browsers send highly permissive Accept headers (often ending with */* meaning "I'll take anything"), it is a frequent hurdle in API development and specific server configurations.

1. Strict API Development

In RESTful API development, a client might explicitly request a data format (like PDF or XML) that the endpoint does not support. If the routing framework is strictly typed, it will block the response and return a 406 rather than sending data the client's parser will fail to read.

2. Mod_Security rules in Apache

For WordPress and standard CMS users, a 406 error is frequently caused by a Web Application Firewall (WAF) rule, specifically the mod_security module in Apache web servers. If a user submits a form or a URL containing data that looks suspicious (like SQL commands or strange characters), mod_security intercepts the request. Because returning a standard 403 Forbidden might tip off a hacker, the firewall sometimes returns a 406 Not Acceptable to silently block the malicious payload.

3. Missing File Extensions

Some legacy servers rely on the URL's file extension to determine the content type instead of looking at the data itself. If a client requests /api/data.json but the server maps that extension to a MIME type it doesn't know how to handle, it may throw a 406.

How to Fix an HTTP 406 Not Acceptable Error

The resolution depends heavily on whether you are building the client, building the server, or managing a CMS like WordPress.

For API Developers (Client Side)

If you are consuming an API and receive a 406, you must inspect the headers you are sending. Look at your fetch or Axios configuration. Ensure that your Accept header matches what the API documentation says the server can provide. If the server only returns JSON, make sure you send Accept: application/json or use the wildcard Accept: */*.

For Server Developers (Backend Side)

If you are building an API, it is generally considered best practice to be liberal in what you accept. If a client sends an `Accept` header you cannot fulfill, you can either return the 406 error, or (more commonly) ignore the strict requirement and return your default format (like JSON), allowing the client to decide whether to attempt to parse it.

For Website Owners (CMS / WordPress)

If your users are seeing a 406 error when submitting a contact form or accessing a specific URL, it is almost certainly a mod_security rule triggering a false positive. To fix this:

  1. Check your server error logs (e.g., Apache error log). It will show exactly which mod_security rule ID was triggered.
  2. Once you identify the rule ID, you can ask your hosting provider to whitelist that specific rule for your domain.
  3. As a last resort (and not recommended for security reasons), you can disable mod_security for a specific directory via an .htaccess directive: <IfModule mod_security.c> SecFilterEngine Off </IfModule>.

Frequently Asked Questions

Is a 406 error caused by the browser or the server?

It is a client-error (4xx), meaning the client sent parameters the server couldn't meet. However, from a practical standpoint, the server makes the final decision to reject the request based on its own limitations or firewall rules.

Why does turning off mod_security fix a 406 error?

Many hosting providers configure their firewalls to use the 406 status code as a stealthy way to block requests that match known hacker footprints. If an innocent action (like a complex form submission) looks like an attack, the firewall returns a 406. Disabling the firewall stops the blocking.

How is a 406 error different from a 415 Unsupported Media Type?

A 415 error applies to the data the client is *sending* to the server (e.g., uploading a video when the server expects an image). A 406 error applies to the data the client *wants* from the server (e.g., asking for an XML response when the server only has JSON).

Should a REST API always return a 406 if the Accept header doesn't match?

Strictly adhering to HTTP RFCs, yes. However, practically, many modern APIs ignore unsupported `Accept` headers and simply return their default format (like `application/json`) with a 200 OK, rather than forcing the client to fail with a 406.

Reviews

No approved reviews yet.

Name, review, and a 5-star rating.
Showing approved comments for this article and language.

Related Articles

  • err_ssl_protocol_error

    Learn how to fix the err_ssl_protocol_error in your browser. This comprehensive guide covers common causes like date/time issues, cached data, and antivirus settings.

  • err_http2_protocol_error

    Encountering the err_http2_protocol_error? Discover the root causes behind this HTTP/2 connection failure and follow our detailed solutions to restore access.

  • err_quic_protocol_error

    Resolve the err_quic_protocol_error quickly with our step-by-step troubleshooting guide. Fix connection issues by disabling QUIC, resetting flags, or checking extensions.

  • ssl_error_bad_cert_domain

    Fix the ssl_error_bad_cert_domain warning by understanding why a website's SSL certificate domain doesn't match the URL you visited and how to bypass it safely.

  • ssl_error_no_cypher_overlap

    The ssl_error_no_cypher_overlap occurs when the client and server share no common encryption ciphers. Find out how to update protocols and bypass this barrier safely.

  • ssl_error_rx_record_too_long

    Struggling with ssl_error_rx_record_too_long? Learn how to fix this Firefox-specific secure connection error caused by server misconfigurations or port conflicts.

  • whea_uncorrectable_error

    A whea_uncorrectable_error is a serious hardware BSOD in Windows. Read our guide to diagnose CPU, RAM, or voltage issues and restore system stability permanently.

  • dxgi_error_device_removed

    Fix the dxgi_error_device_removed crash. Find out why your system thinks the graphics card was physically removed and how to resolve driver and power supply issues.