Error 1013 occurs when the hostname specified in the HTTP request's Host header does not match the Server Name Indication (SNI) hostname sent during the TLS handshake. This mismatch can indicate a misconfigured client, a proxy that is rewriting headers incorrectly, or a deliberate attempt to bypass security controls. Cloudflare requires these values to match to prevent domain fronting and other header manipulation attacks.
A proxy in front of the request is connecting using one hostname in TLS but sending a different hostname in the HTTP Host header.
An application is manually setting the Host header to a different value than the hostname it connected to via TLS.
Cloudflare blocks domain fronting — a technique where the TLS SNI and HTTP Host header intentionally differ to disguise traffic.
Ensure your HTTP client or application sends a Host header that matches the domain in the URL being requested.
curl -v https://yourdomain.com/ 2>&1 | grep -i 'host:'
If using a load balancer or reverse proxy before Cloudflare, verify it is not rewriting the Host header while keeping the original TLS SNI.
Ensure the domain resolves correctly and is not accidentally pointing to a different Cloudflare zone.
Check DNS RecordsCloudflare could not negotiate an SSL/TLS connection with the origin server.
Cloudflare could not validate the SSL certificate on the origin server.
A visitor tried to access a Cloudflare IP address directly instead of using a domain name.