Cloudflare Errors Reference
Identify, understand, and fix Cloudflare error codes. Browse 5xx origin errors and 1xxx Cloudflare-layer errors with step-by-step troubleshooting guides.
5xx Origin Errors
These errors indicate a problem between Cloudflare and your origin web server. Cloudflare could reach its edge network but could not get a valid response from the origin.
Web Server Returns an Unknown Error
Cloudflare received an empty, unknown, or unexpected response from the origin server.
Web Server Is Down
The origin web server refused or is not accepting connections from Cloudflare.
Connection Timed Out
Cloudflare's TCP connection to the origin server timed out.
Origin Is Unreachable
Cloudflare cannot reach the origin server because DNS resolution failed or the origin IP is unreachable.
A Timeout Occurred
Cloudflare connected to the origin but the origin did not respond with an HTTP response in time.
SSL Handshake Failed
Cloudflare could not negotiate an SSL/TLS connection with the origin server.
Invalid SSL Certificate
Cloudflare could not validate the SSL certificate on the origin server.
Origin DNS Error
A 530 error is returned alongside a 1016 error when Cloudflare cannot resolve the origin server's DNS.
1xxx Cloudflare Errors
These are Cloudflare-specific error codes triggered by DNS misconfigurations, firewall rules, rate limits, browser integrity checks, or Worker script failures.
DNS Points to Prohibited IP
A DNS record points to an IP address that Cloudflare has blocked for policy or security reasons.
DNS Resolution Error
Cloudflare's DNS could not resolve the requested hostname.
DNS Points to Prohibited IP (Restricted)
The DNS record resolves to an IP address that Cloudflare restricts for the current plan or configuration.
Direct IP Access Not Allowed
A visitor tried to access a Cloudflare IP address directly instead of using a domain name.
Access Denied: Your IP Has Been Banned
The site owner has blocked the visitor's IP address using Cloudflare's firewall tools.
Access Denied: Your IP Has Been Banned
Same as 1006 — the visitor's IP has been blocked by the site owner's Cloudflare firewall.
Access Denied: Your IP Has Been Banned
Same as 1006/1007 — the visitor's IP has been blocked by the site owner's Cloudflare firewall.
The Owner of This Website Has Banned Your Access Based on Your Browser's Signature
The site owner's Browser Integrity Check blocked the visitor based on their User-Agent or browser signature.
Access Denied
Access was denied based on the visitor's activity being flagged as malicious by Cloudflare.
You Are Being Rate Limited
The visitor is sending too many requests and has been rate-limited by Cloudflare.
Origin DNS Error
Cloudflare cannot resolve the origin server's DNS — typically shown alongside HTTP error 530.
Access Denied by Firewall Rule
The request was blocked by a Cloudflare WAF or firewall rule configured by the site owner.
Worker Threw an Exception
A Cloudflare Worker script running on this domain threw an unhandled JavaScript exception.
Worker Subrequest Limit Reached
A Cloudflare Worker exceeded the maximum number of subrequests (fetch calls) allowed per invocation.
Host Not Configured to Serve Web Traffic
Cloudflare confirmed the domain exists but it is not configured to serve web traffic on this host.
Access Denied: Autonomous System Number (ASN) Banned
The visitor's ASN (network provider) has been blocked by the site owner or by Cloudflare.
Access Denied: Country or Region Banned
The visitor's country or geographic region has been blocked by the site owner using Cloudflare's firewall.
Access Denied: Hotlinking Denied
The request was blocked because the site owner has enabled hotlink protection and the request came from an unauthorized referrer.
HTTP Hostname and TLS SNI Hostname Mismatch
The hostname in the HTTP Host header does not match the hostname sent during the TLS SNI handshake.
CNAME Cross-User Banned
A CNAME record points to a domain in a different Cloudflare account that has not authorized the connection.
Could Not Find Host
Cloudflare could not find a Cloudflare zone matching the requested hostname.
Compute Server Error
A Cloudflare compute resource (Worker or Pages Function) encountered an internal error.
Could Not Find Host
Cloudflare could not find the requested hostname — the domain or zone configuration does not exist.
Please Check Back Later
Cloudflare is temporarily unable to serve the request — usually due to a Cloudflare-side issue or worker limit.
Argo Tunnel Error
Cloudflare could not reach the origin through the configured Cloudflare Tunnel (formerly Argo Tunnel).
Edge IP Restricted
The domain points to a Cloudflare edge IP that is not allowed for the current zone or configuration.
Invalid Request Rewrite: Invalid URI Path
A Cloudflare Transform Rule or rewrite produced an invalid URI path.
Invalid Request Rewrite: Maximum Length Exceeded
A Cloudflare Transform Rule produced a URL that exceeds the maximum allowed length.
Invalid Rewrite Rule: Failed to Evaluate Expression
A Cloudflare Transform Rule's expression could not be evaluated at runtime.
Invalid Request Rewrite: Header Modification Not Allowed
A Transform Rule attempted to modify a request header that Cloudflare does not allow to be changed.
Invalid Request Rewrite: Invalid Header Value
A Transform Rule set a request header to a value that is not valid per HTTP specifications.
Email Address Already in Use
A variation of the email address is already associated with an existing Cloudflare account.
Access Denied: Your IP Has Been Banned
Same as 1006/1007/1008 — the visitor's IP has been blocked by the site owner's Cloudflare firewall.
Cache Connection Limit
Too many concurrent connections are queued at the Cloudflare edge waiting for cache or origin responses.
Understanding Cloudflare Error Codes
Cloudflare sits between visitors and origin servers as a reverse proxy. When something goes wrong in this chain, Cloudflare returns its own set of error codes that are distinct from standard HTTP errors. These fall into two families:
5xx Origin Errors (520–530)
The problem is between Cloudflare and your origin server. Cloudflare successfully received the visitor's request at its edge, but the origin server either did not respond, responded incorrectly, or refused the connection. These errors require action on the origin server — checking web server processes, firewall rules, SSL certificates, and server resources.
1xxx Cloudflare Errors (1000–1102)
The problem is at the Cloudflare layer itself. These errors are triggered by Cloudflare's security features (firewall rules, rate limiting, bot detection), DNS misconfigurations, or Cloudflare Workers issues. Resolution typically involves adjusting settings in the Cloudflare dashboard.
Knowing which family an error belongs to immediately tells you where to start troubleshooting — the origin server or the Cloudflare dashboard.
How Cloudflare Processes Requests
Understanding where errors occur requires knowing how a request flows through Cloudflare's infrastructure:
The browser connects to the nearest Cloudflare edge server (anycast routing). Cloudflare handles SSL termination.
Security features run: WAF rules, rate limiting, bot detection, Browser Integrity Check. If any rule blocks the request, a 1xxx error is returned here.
Cloudflare looks up the origin IP from its DNS settings. If DNS resolution fails, errors 523/530/1016 occur.
Cloudflare opens a TCP connection to the origin IP on port 80 or 443. Failure here causes 521 (refused) or 522 (timeout).
If using Full or Full (Strict) SSL mode, Cloudflare negotiates TLS with the origin. Failure causes 525 or 526.
Cloudflare sends the HTTP request and waits for a response. If the origin responds with garbage or times out, errors 520 or 524 occur.
Each error code maps to a specific stage in this pipeline. When you see an error, identify which stage failed and focus your troubleshooting there. A port scan can quickly confirm whether ports 80/443 are open on the origin, and the DNS Propagation Checker verifies that DNS changes have reached all regions.
When to Contact Cloudflare vs Your Hosting Provider
A common source of frustration is not knowing who to contact when something goes wrong. Here is a general guide:
Contact Your Hosting Provider
- 520, 521, 522, 524 — The origin server is crashing, down, overloaded, or unreachable. These are server-side issues.
- 525, 526 — SSL certificate issues on the origin need to be fixed by whoever manages the server.
- 523 — If the origin IP is correct but unreachable, the hosting provider may have networking issues.
Check Cloudflare Dashboard
- 1000, 1001, 1016, 530 — DNS records in Cloudflare are misconfigured. Fix them in the DNS settings.
- 1006–1008, 1010, 1012, 1020 — Firewall, WAF, or bot detection rules are blocking traffic. Review Security settings.
- 1101, 1102 — Cloudflare Worker code errors. Debug using wrangler tail.
For 5xx errors, always test the origin server directly first (bypassing Cloudflare) to confirm the issue is not on the origin. If the origin responds correctly when accessed directly, the problem may be in the Cloudflare-to-origin connection — check DNS records, firewall rules (Cloudflare IP whitelisting), and SSL configuration.
Troubleshoot Cloudflare Errors with Free Tools
Diagnose origin server, DNS, and SSL issues behind Cloudflare errors with these free diagnostic tools.
DNS Inspector
Verify DNS records point to the correct origin server IP.
Port Scanner
Check if origin server ports 80 and 443 are open and reachable.
DNS Propagation Checker
Verify DNS changes have propagated globally after updates.
HTTP Header Checker
Inspect Cloudflare response headers and CF-RAY identifiers.
Security Headers Checker
Audit security header configuration on the origin and edge.
Related Error Code References
Cloudflare errors often trace back to HTTP status codes from the origin, SSL/TLS certificate failures, or server-side misconfigurations visible in logs.