HTTP 500

HTTP 500 Internal Server Error: what it means and how to fix it

A 500 is your application admitting it failed. Here is how to read it, trace it to the exception behind it, and stop it from coming back.

What an HTTP 500 actually means

HTTP 500 Internal Server Error is the generic server-side failure code: the server understood the request but hit an unexpected condition that prevented it from fulfilling it. In practice it is almost always generated by your application or framework itself — an unhandled exception escaped your code, and the framework's last-resort handler converted it into a 500 response. That makes it different from 502 and 504, which are produced by a proxy or load balancer in front of your app.

Because 500 is intentionally vague — it tells the client nothing about what went wrong, to avoid leaking internals — the real story is always on the server side: in a stack trace, an application log line, or an error-tracking event. Fixing a 500 is therefore an exercise in finding that exception, not in tweaking the HTTP layer.

Common root causes of a 500 error

An unhandled exception in your code

The most common cause: a null reference, a type error, a failed assertion, or any exception your code throws without a handler. The framework catches it at the top level and returns a 500. The stack trace in your logs or error tracker points to the exact line.

A failing downstream dependency

Your database refuses connections, a third-party API times out, or a cache is unreachable — and the resulting exception bubbles up unhandled. The 500 is in your app, but the root cause lives one hop away. The error message usually names the dependency.

Bad configuration or environment

A missing environment variable, a wrong secret after rotation, a malformed config file, or a dependency missing from the deployed artifact. These 500s typically start right after a deploy or an infrastructure change and affect every request that touches the broken path.

Resource and permission failures

A full disk that breaks temp-file writes, a file the process can't read after a permissions change, or an exhausted connection pool. These produce 500s that look random per-request but correlate clearly with a host-level metric.

How to investigate and fix a 500 error

A 500 always has a server-side exception behind it. The workflow is to find that exception, understand what triggered it, and decide whether the fix is code, config, or a dependency.

  1. 1

    Capture the exact failing request

    Note the URL, method, payload shape, and timestamp. Check whether every request fails or only specific inputs — a 500 on one endpoint with one payload is a code bug; 500s everywhere point to config or a dependency.

  2. 2

    Find the stack trace

    Search your application logs or error tracker around the timestamp. The unhandled exception with its full stack trace is the ground truth — it names the file, function, and line that threw. Do not start changing code before you have it.

  3. 3

    Correlate with recent deploys and config changes

    If the 500s started at a specific moment, check what shipped then: a deploy, a config push, a secret rotation, a dependency upgrade. A regression introduced by a release is the most common pattern and the fastest to roll back.

  4. 4

    Check downstream dependencies

    If the exception mentions a database, cache, queue, or external API, verify that dependency directly: is it up, reachable from this host, and within its connection limits? Fix the dependency, then decide whether your code should have degraded gracefully instead of throwing.

  5. 5

    Check host resources and permissions

    Look at disk space, memory, open file descriptors, and connection pools on the host serving the errors. Resource exhaustion produces intermittent 500s that disappear and return — the kind that never reproduce locally.

  6. 6

    Fix, add handling, and verify

    Ship the fix, then watch the error rate for that endpoint return to zero. If the trigger was a dependency, add explicit handling so the next outage returns a controlled 503 with a clear message instead of an opaque 500.

How to prevent 500 errors

  • Run error tracking on every service so each unhandled exception arrives with a stack trace and release tag the moment it happens.
  • Alert on 5xx rate per endpoint, not just total volume, so a regression in one route doesn't hide in the average.
  • Handle dependency failures explicitly — timeouts, retries with backoff, and a controlled 503 fallback instead of letting exceptions escape.
  • Validate configuration and required environment variables at startup so a bad deploy fails fast instead of failing per request.
  • Tag errors by release and deploy gradually, so a new 500 is traceable to the exact change that introduced it.

How AllStak helps with 500 errors

AllStak's error tracking captures the exceptions behind your 500s in real time — full stack trace, request context, breadcrumbs, and the release that shipped the code. Identical errors are grouped into one issue with an occurrence count, so a spike of 500s becomes a single actionable item pointing at the exact line that threw.

Because logs, uptime checks, and infrastructure metrics live in the same platform, you can put the exception, the disk-full warning, and the deploy marker on one timeline — and confirm in minutes whether the 500 came from code, config, or a dependency. Uptime monitoring also verifies from outside that the fix actually restored the endpoint.

HTTP 500 — frequently asked questions

What is the difference between a 500 and a 503?

A 500 means the server tried to process the request and failed unexpectedly — usually an unhandled exception. A 503 means the server deliberately reported it is temporarily unavailable: overloaded, in maintenance, or with no healthy backends. 500 says "I broke"; 503 says "I can't right now, try later".

Does a 500 error mean my server is down?

No — the opposite. A 500 proves the server is up and responding; it just failed while handling that request. If the server were down, the proxy in front of it would return a 502 or 504, or the connection would fail entirely.

Who generates the 500 — my app or nginx?

Almost always your application or its framework. A reverse proxy like nginx passes the app's 500 through unchanged. nginx itself generates 502/504 when the app misbehaves at the connection level, and only rarely its own 500 for internal proxy errors.

Should clients retry a 500?

Only carefully. Some 500s are transient (a dependency blip) and a retry succeeds; others are deterministic bugs where retrying just repeats the failure — and retrying non-idempotent requests like payments can cause duplicates. Retry with backoff, a low cap, and only for idempotent operations.

Explore more

Capabilities

By framework

Compare

See the exception behind your next 500

Drop in an AllStak SDK and every unhandled exception arrives with the stack trace, request context, and release that explain it — before your users open a ticket.

Start free View pricing