Cloudflare Error 1013: HTTP Hostname and TLS SNI Hostname Mismatch
Error 1013 occurs when the hostname specified in the HTTP request's Host header does not match the Server Name Indication (SNI) hostname sent during the TLS handshake. This mismatch can indicate a misconfigured client, a proxy that is rewriting headers incorrectly, or a deliberate attempt to bypass security controls. Cloudflare requires these values to match to prevent domain fronting and other header manipulation attacks.
Status
Error 1013: HTTP Hostname and TLS SNI Hostname MismatchExample
GET /secure HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
Accept: text/htmlHTTP/1.1 409 Conflict
Server: cloudflare
CF-RAY: 7c7d8e9f0a1b2345-MXP
Content-Type: text/html
<!doctype html>
<html>
<head>
<title>Error 1013</title>
</head>
<body>
<h1>Error 1013: HTTP hostname and TLS SNI hostname mismatch</h1>
<p>The hostname in the HTTP request does not match the TLS SNI hostname. Please check your application configuration.</p>
</body>
</html>How to Troubleshoot
Verify the Host header matches the URL
Ensure your HTTP client or application sends a Host header that matches the domain in the URL being requested.
curl -v https://yourdomain.com/ 2>&1 | grep -i 'host:'
Check intermediate proxies
If using a load balancer or reverse proxy before Cloudflare, verify it is not rewriting the Host header while keeping the original TLS SNI.
Verify DNS records
Ensure the domain resolves correctly and is not accidentally pointing to a different Cloudflare zone.
Check DNS RecordsCommon Causes
Misconfigured reverse proxy or load balancer
highA proxy in front of the request is connecting using one hostname in TLS but sending a different hostname in the HTTP Host header.
Application or script misconfiguration
mediumAn application is manually setting the Host header to a different value than the hostname it connected to via TLS.
Domain fronting attempt
lowCloudflare blocks domain fronting — a technique where the TLS SNI and HTTP Host header intentionally differ to disguise traffic.
Quick Diagnostics
Related Error Codes
SSL Handshake Failed
Cloudflare could not negotiate an SSL/TLS connection with the origin server.
Invalid SSL Certificate
Cloudflare could not validate the SSL certificate on the origin server.
Direct IP Access Not Allowed
A visitor tried to access a Cloudflare IP address directly instead of using a domain name.
Frequently Asked Questions
This reference was compiled from official RFCs, protocol specifications, and hands-on troubleshooting experience. AI tools were used primarily for formatting and organizing the content on the page.