Identify, understand, and fix Cloudflare error codes. Browse 5xx origin errors and 1xxx Cloudflare-layer errors with step-by-step troubleshooting guides.
These errors indicate a problem between Cloudflare and your origin web server. Cloudflare could reach its edge network but could not get a valid response from the origin.
Cloudflare received an empty, unknown, or unexpected response from the origin server.
The origin web server refused or is not accepting connections from Cloudflare.
Cloudflare's TCP connection to the origin server timed out.
Cloudflare cannot reach the origin server because DNS resolution failed or the origin IP is unreachable.
Cloudflare connected to the origin but the origin did not respond with an HTTP response in time.
Cloudflare could not negotiate an SSL/TLS connection with the origin server.
Cloudflare could not validate the SSL certificate on the origin server.
A 530 error is returned alongside a 1016 error when Cloudflare cannot resolve the origin server's DNS.
These are Cloudflare-specific error codes triggered by DNS misconfigurations, firewall rules, rate limits, browser integrity checks, or Worker script failures.
A DNS record points to an IP address that Cloudflare has blocked for policy or security reasons.
Cloudflare's DNS could not resolve the requested hostname.
The DNS record resolves to an IP address that Cloudflare restricts for the current plan or configuration.
A visitor tried to access a Cloudflare IP address directly instead of using a domain name.
The site owner has blocked the visitor's IP address using Cloudflare's firewall tools.
Same as 1006 — the visitor's IP has been blocked by the site owner's Cloudflare firewall.
Same as 1006/1007 — the visitor's IP has been blocked by the site owner's Cloudflare firewall.
The site owner's Browser Integrity Check blocked the visitor based on their User-Agent or browser signature.
Access was denied based on the visitor's activity being flagged as malicious by Cloudflare.
The visitor is sending too many requests and has been rate-limited by Cloudflare.
Cloudflare cannot resolve the origin server's DNS — typically shown alongside HTTP error 530.
The request was blocked by a Cloudflare WAF or firewall rule configured by the site owner.
A Cloudflare Worker script running on this domain threw an unhandled JavaScript exception.
A Cloudflare Worker exceeded the maximum number of subrequests (fetch calls) allowed per invocation.
Cloudflare confirmed the domain exists but it is not configured to serve web traffic on this host.
The visitor's ASN (network provider) has been blocked by the site owner or by Cloudflare.
The visitor's country or geographic region has been blocked by the site owner using Cloudflare's firewall.
The request was blocked because the site owner has enabled hotlink protection and the request came from an unauthorized referrer.
The hostname in the HTTP Host header does not match the hostname sent during the TLS SNI handshake.
A CNAME record points to a domain in a different Cloudflare account that has not authorized the connection.
Cloudflare could not find a Cloudflare zone matching the requested hostname.
A Cloudflare compute resource (Worker or Pages Function) encountered an internal error.
Cloudflare could not find the requested hostname — the domain or zone configuration does not exist.
Cloudflare is temporarily unable to serve the request — usually due to a Cloudflare-side issue or worker limit.
Cloudflare could not reach the origin through the configured Cloudflare Tunnel (formerly Argo Tunnel).
The domain points to a Cloudflare edge IP that is not allowed for the current zone or configuration.
A Cloudflare Transform Rule or rewrite produced an invalid URI path.
A Cloudflare Transform Rule produced a URL that exceeds the maximum allowed length.
A Cloudflare Transform Rule's expression could not be evaluated at runtime.
A Transform Rule attempted to modify a request header that Cloudflare does not allow to be changed.
A Transform Rule set a request header to a value that is not valid per HTTP specifications.
A variation of the email address is already associated with an existing Cloudflare account.
Same as 1006/1007/1008 — the visitor's IP has been blocked by the site owner's Cloudflare firewall.
Too many concurrent connections are queued at the Cloudflare edge waiting for cache or origin responses.
Cloudflare sits between visitors and origin servers as a reverse proxy. When something goes wrong in this chain, Cloudflare returns its own set of error codes that are distinct from standard HTTP errors. These fall into two families:
The problem is between Cloudflare and your origin server. Cloudflare successfully received the visitor's request at its edge, but the origin server either did not respond, responded incorrectly, or refused the connection. These errors require action on the origin server — checking web server processes, firewall rules, SSL certificates, and server resources.
The problem is at the Cloudflare layer itself. These errors are triggered by Cloudflare's security features (firewall rules, rate limiting, bot detection), DNS misconfigurations, or Cloudflare Workers issues. Resolution typically involves adjusting settings in the Cloudflare dashboard.
Knowing which family an error belongs to immediately tells you where to start troubleshooting — the origin server or the Cloudflare dashboard.
Understanding where errors occur requires knowing how a request flows through Cloudflare's infrastructure:
The browser connects to the nearest Cloudflare edge server (anycast routing). Cloudflare handles SSL termination.
Security features run: WAF rules, rate limiting, bot detection, Browser Integrity Check. If any rule blocks the request, a 1xxx error is returned here.
Cloudflare looks up the origin IP from its DNS settings. If DNS resolution fails, errors 523/530/1016 occur.
Cloudflare opens a TCP connection to the origin IP on port 80 or 443. Failure here causes 521 (refused) or 522 (timeout).
If using Full or Full (Strict) SSL mode, Cloudflare negotiates TLS with the origin. Failure causes 525 or 526.
Cloudflare sends the HTTP request and waits for a response. If the origin responds with garbage or times out, errors 520 or 524 occur.
Each error code maps to a specific stage in this pipeline. When you see an error, identify which stage failed and focus your troubleshooting there.
A common source of frustration is not knowing who to contact when something goes wrong. Here is a general guide:
For 5xx errors, always test the origin server directly first (bypassing Cloudflare) to confirm the issue is not on the origin. If the origin responds correctly when accessed directly, the problem may be in the Cloudflare-to-origin connection — check DNS records, firewall rules (Cloudflare IP whitelisting), and SSL configuration.