Cloudflare Error Codes Explained

Cloudflare error codes all look similar — a four-digit number on a gray page that blocks you from the site you wanted. But each code tells a different story, and each has a different fix. Guessing which one you're hitting is the fastest way to waste hours on the wrong solution.

This guide breaks down the five most common Cloudflare error codes you'll encounter: 1003, 1006, 1010, 1015, and 1020. For each one, you'll get a plain-English explanation of what triggered it and the exact steps to resolve it.

Quick Reference: Cloudflare Error Codes at a Glance

Error	Meaning	Who Fixes It	Typical Cause
1003	Direct IP access not allowed	You	Hitting an IP address instead of the domain
1006	Banned from this site	You or site owner	Your IP is on the site's blocklist
1010	Browser signature denied	You	Automated browser or bad fingerprint detected
1015	Rate limited	You	Too many requests from your IP
1020	Access denied by firewall rule	You or site owner	Triggered a WAF rule (ASN, country, behavior)

The key distinction is whether the fix is on your side or the site owner's. Errors 1003, 1010, 1015, and some 1020s are within your control. Hard 1006 bans and site-owner WAF rules require contacting the website.

Cloudflare Error 1003: "Direct IP Access Not Allowed"

Error 1003 appears when you try to reach a Cloudflare-protected site by its IP address instead of its domain name.

Example message: "Access denied. Please use your domain name instead of the IP address."

Why You're Seeing It

Cloudflare sits on the domain layer. When a request comes in with a Host header pointing to Cloudflare's IPs (without a matching domain), Cloudflare has no way to route it and returns 1003.

Common scenarios:

• You're using curl https://1.2.3.4 instead of curl https://example.com
• Your DNS is misconfigured and resolving to the wrong record
• A scraper or tool is hardcoding IP addresses instead of domains
• Your hosts file has a stale entry pointing the domain to an old IP

How to Fix Error 1003

1. Use the domain name. Always request the full URL with domain, not the IP.
2. Flush your DNS cache. On Windows: ipconfig /flushdns. On macOS: sudo dscacheutil -flushcache. On Linux: sudo systemd-resolve --flush-caches.
3. Check your /etc/hosts file. Remove any hardcoded IP entries for the domain.
4. For curl/scripts: Always set the Host header explicitly: curl -H "Host: example.com" https://example.com/.
5. For proxies: Make sure your proxy config isn't stripping the Host header on HTTPS traffic.

If you're the site owner and seeing 1003 for legitimate users, it's usually a stale A record. Update your DNS to point to the Cloudflare-assigned IPs.

Cloudflare Error 1006: "You Have Been Banned"

Error 1006 means the site owner has explicitly banned your IP. Not rate-limited, not challenged — banned.

Example message: "Access denied. Your IP address has been blocked."

Why You're Seeing It

Unlike 1015 (automatic rate limit) or 1020 (automated firewall rule), 1006 is typically the result of an explicit block — either from the site owner directly or from Cloudflare's Super Bot Fight Mode with aggressive settings.

Common causes:

• Previous scraping from your IP triggered manual blacklisting
• Your IP is on a third-party abuse list Cloudflare ingests
• The site banned your entire IP range or ASN
• You're on a shared VPN where another user abused the target site

How to Fix Error 1006

1. Switch networks. If it's your home IP, try mobile data or a different network — confirms the block is IP-specific.
2. Rotate to a clean IP. Use residential proxies from a pool of clean IPs. Residential IPs with unblemished reputation bypass most 1006 bans because Cloudflare doesn't blanket-block major ISPs.
3. Use mobile proxies for hardened targets. Mobile 4G/5G proxies share IPs with thousands of real mobile users — nearly impossible for a site to ban without breaking the site for real customers.
4. Contact the site owner. If you're a legitimate user blocked in error, most sites have a "Report a problem" link on the error page. Include your Cloudflare ray ID (shown on the error page) — the site admin can look it up and unblock you.
5. Check your IP reputation. Use a tool like SpyderProxy Proxy Checker to see if your IP is listed on known blocklists. If it is, cycling to a clean IP is the only short-term fix.

If multiple IPs keep getting 1006'd from the same scraper, the issue is almost certainly your behavior, not the IPs. Cloudflare correlates behavioral signals across IPs — slow down, randomize patterns, rotate user agents, and retry.

Cloudflare Error 1010: "Access Denied — Browser Signature Banned"

Error 1010 fires when Cloudflare's browser integrity check detects automated or modified browser signatures.

Example message: "Access denied. The owner of this website has banned your access based on your browser's signature."

Why You're Seeing It

Cloudflare inspects browser fingerprints — user agent string, TLS handshake (JA3/JA4), HTTP/2 frame order, headers, and JavaScript signatures. If any of these look fake or match a known bot library, you get 1010.

Common triggers:

• Using requests, axios, httpx, or urllib without TLS fingerprint matching
• Running Selenium or Puppeteer without stealth patches
• Using a custom user agent that doesn't match the TLS/HTTP signature of that browser
• Running a modified browser (Brave's Tor mode, hardened Firefox, etc.)
• Unsupported or very old browser versions

How to Fix Error 1010

1. Use a mainstream browser. If you're a regular user, try Chrome, Firefox, or Safari with default settings — no modifications, extensions disabled.
2. For scrapers — use curl_cffi. It wraps libcurl with Chrome's real TLS fingerprint:

   from curl_cffi import requests
   response = requests.get(url, impersonate="chrome124", proxies=proxies)

3. Use stealth-patched Playwright. Install playwright-stealth and apply it to every page. This removes the navigator.webdriver flag and normalizes canvas/WebGL fingerprints.
4. Match header order. Browsers send headers in a specific order. Python requests does not match this — use curl_cffi or httpx with custom TLS config.
5. Update Chrome or Firefox. If you're on a browser version 6+ months old, Cloudflare may flag it as suspicious. Update to the latest version.
6. Disable invasive extensions. Ad blockers and privacy extensions can alter headers enough to trigger 1010.

For sustained scraping against 1010 errors, combine curl_cffi with residential proxies — solves both the fingerprint and IP reputation vectors at once.

Cloudflare Error 1015: "You Are Being Rate Limited"

Error 1015 means your IP is sending too many requests too fast. It's not a ban — it's a cap.

Example message: "You are being rate limited. Error code 1015."

Why You're Seeing It

Site owners configure rate limits in Cloudflare — typical settings are 30-100 requests per minute per IP. Exceed that threshold and you get 1015 for the duration of the cooldown window (usually 1-10 minutes).

Common scenarios:

• Scraping without pacing — hitting the site at hundreds of requests per minute
• A bot or scheduled job stuck in a retry loop
• Shared IP (corporate network, VPN) where someone else is hammering the site
• Aggressive browser extensions making background requests

How to Fix Error 1015

1. Wait it out. Rate limits are temporary. Usually cleared within 1-10 minutes of stopping the requests.
2. Slow down. For scrapers, add random delays between 2-8 seconds per request. For heavier protection, 10-20 seconds.
3. Rotate IPs. Cloudflare rate limits are per-IP. Rotating through residential proxies spreads your requests across hundreds of IPs, each well below the per-IP threshold.
4. Use sticky sessions intelligently. For logged-in flows, stay on one IP for the session and pace your requests. For stateless scraping, rotate on each request.
5. Respect Retry-After headers. Cloudflare often returns a Retry-After header with 1015 responses. Parse it and wait that long before retrying.
6. Implement exponential backoff. On a 1015, wait 30s → 60s → 120s before retries. Never retry immediately — you'll just reset the cooldown.

At large scale, a proxy pool with 100+ IPs paired with 2-8 second pacing per IP gives you effective throughput of thousands of requests per minute without triggering 1015.

Cloudflare Error 1020: "Access Denied"

Error 1020 is the most common Cloudflare block you'll hit. It means you triggered a firewall (WAF) rule — could be from the site owner, could be from Cloudflare's default protections.

Example message: "Access denied. This website is using a security service to protect itself from online attacks."

Why You're Seeing It

Error 1020 covers a huge range of rule-based blocks:

• Country or region blocking. Site blocks all traffic from specific countries.
• ASN blocking. Site blocks all traffic from datacenter ASNs (AWS, DigitalOcean, Hetzner, etc.).
• User agent blocking. Known bot user agents or empty user agents.
• URL pattern matching. Requesting /.env, /admin, or other sensitive paths.
• Pattern-based behavior flags. Too many 404s, too many POST requests, suspicious referrers.
• TOR exit node blocking. Common blanket rule for all TOR IPs.

How to Fix Error 1020

1. Identify the trigger. Note the Ray ID shown on the error page. Site admins can look this up and tell you which rule fired. For scrapers, test by changing one thing at a time — IP, user agent, headers, target URL.
2. Switch to residential or mobile proxies. If the rule is datacenter-ASN blocking (the most common 1020 cause), switching to residential proxies resolves it immediately.
3. Change your IP country. If the site is geo-blocking, choose a proxy in a permitted country. Most residential proxy providers offer country-level targeting.
4. Normalize your user agent. Send a real Chrome or Firefox user agent, not python-requests/2.28 or curl/7.68.
5. Use a real browser session. For highly-protected sites, automated HTTP clients won't pass. Use stealth-patched Playwright or FlareSolverr.
6. Contact the site owner. If you're a legitimate user, the Ray ID on the error page plus a polite message to the site's support typically gets you unblocked.

Less Common but Related Cloudflare Codes

Beyond the top five, you may also encounter:

Error	Meaning	Fix
1001	DNS resolution error	Check domain DNS, clear cache
1016	Origin DNS error	Site owner — check DNS pointing to origin
1018	Can't resolve domain	Site misconfiguration
1019	Compute server error	Usually transient — retry
1033	Argo Tunnel error	Site owner — restart tunnel
520	Web server returned unknown error	Site owner — origin issue
521	Web server is down	Site owner — origin down
522	Connection timed out	Site owner — origin slow/firewalled
524	Origin took too long	Site owner — long-running request

The 520-series errors are almost always the site owner's problem, not yours — they indicate Cloudflare can reach the visitor but not the origin server.

How to Prevent Cloudflare Errors in the First Place

Avoiding these errors is cheaper than fixing them. A few habits that eliminate most Cloudflare blocks:

Use Clean Proxies from the Start

Start with rotating residential proxies or mobile proxies — not free proxies, not datacenter IPs. Clean IP reputation is the foundation everything else rests on.

Match Real Browser Fingerprints

Use curl_cffi for HTTP clients or stealth-patched Playwright for browser automation. Default Python libraries have TLS/HTTP signatures that are instantly flagged.

Pace Your Requests

Random delays of 2-8 seconds between requests per IP eliminates almost all 1015 errors. Longer pauses (30-60 seconds) every few dozen requests make the pattern look human.

Rotate Smart, Not Often

For stateless pages, rotate on each request. For logged-in sessions or shopping carts, stay on one sticky IP — changing IPs mid-session is itself a block trigger.

Cache cf_clearance Cookies

Once you pass a Cloudflare challenge, the response sets a cf_clearance cookie valid for 30-60 minutes. Reuse it on subsequent requests from the same IP and you skip the challenge entirely.

Handle Errors Gracefully

On 1015 — wait and back off. On 1020 — rotate IP and retry. On 1006 — cycle IPs and investigate behavior. Never retry the same request on the same IP with the same headers.

Frequently Asked Questions

What's the difference between Cloudflare error 1015 and 1020?

Error 1015 is rate limiting — you sent too many requests from your IP too fast. It's temporary and clears after a cooldown. Error 1020 is a firewall (WAF) rule block — your IP, country, ASN, or behavior matched a rule the site owner configured. 1020 requires changing something about your request; 1015 usually just requires waiting or slowing down.

How long does a Cloudflare 1015 rate limit last?

Typically 1-10 minutes from when you stop making requests. The exact duration is configured by the site owner and is returned in the Retry-After header. For persistent scrapers, rotating IPs through a proxy pool eliminates the problem entirely because each IP stays well below the per-IP threshold.

Can I bypass Cloudflare error 1020 with a VPN?

Sometimes — depends on the rule. If the site blocks by country, a VPN in a permitted country works. If the site blocks by ASN and your VPN uses a datacenter ASN, you'll still get 1020. Residential proxies work better than VPNs because they use real ISP IPs.

Why does Cloudflare error 1020 happen even from my home IP?

Several possibilities: the site blocks your country or region, another user on your shared IP (some ISPs use CGNAT) triggered a block, your browser is sending a flagged fingerprint, or you hit a URL pattern that triggered a WAF rule. Note the Ray ID and contact the site — that tells you exactly which rule fired.

Is Cloudflare error 1010 the same as getting detected as a bot?

Effectively yes. Error 1010 specifically means your browser signature (TLS, HTTP/2, or JS fingerprint) was flagged. It's the error you see when you try to scrape with default Python requests, plain Puppeteer, or unpatched Selenium. Fix it by matching a real browser's fingerprint — curl_cffi for HTTP, playwright-stealth for browsers.

Will buying proxies fix my Cloudflare errors?

For 1006, 1015, and most 1020 errors — yes, clean residential or mobile proxies resolve them immediately. For 1010 errors, you also need to fix your client's browser fingerprint. For 1003, the issue is client-side configuration (using a domain, not an IP), so proxies don't help. See our proxy plans for the right tier for your use case.

Related Guides

• How to Bypass Cloudflare Protection with Proxies (2026 Guide)
• How to Scrape Google Maps for Business Data (2026 Guide)
• How to Scrape LinkedIn Without Getting Banned (2026 Guide)