Troubleshooting Cloudflare 1XXX errors
The errors described in this document might occur when visiting a website proxied by Cloudflare. For Cloudflare API or dashboard errors, review our Cloudflare API documentation. HTTP 409, 530, 403, 429 errors are the HTTP error codes returned in the HTTP status header for a response. 1XXX errors appear in the HTML body of the response.
If the resolutions within each error description below do not resolve the error, contact Cloudflare Support.
Error 1000: DNS points to prohibited IP
Cloudflare halted the request for one of the following reasons:
- An A record within your Cloudflare DNS app points to a Cloudflare IP address, or a Load Balancer Origin points to a proxied record.
- Your Cloudflare DNS A or CNAME record references another reverse proxy (such as an nginx web server that uses the proxy_pass function) that then proxies the request to Cloudflare a second time.
- The request X-Forwarded-For header is longer than 100 characters.
- The request includes two X-Forwarded-For headers.
- A Server Name Indication (SNI) issue or mismatch at the origin.
- If an A record within your Cloudflare DNS app points to a Cloudflare IP address, update the IP address to your origin web server IP address.
- There is a reverse-proxy at your origin that sends the request back through the Cloudflare proxy. Instead of using a reverse-proxy, contact your hosting provider or site administrator to configure an HTTP redirect at your origin.
Error 1001: DNS resolution error
- A web request was sent to a Cloudflare IP address for a non-existent Cloudflare domain.
- An external domain that is not on using Cloudflare has a CNAME record to a domain active on Cloudflare
- The target of the DNS CNAME record does not resolve.
- A CNAME record in your Cloudflare DNS app requires resolution via a DNS provider that is currently offline.
- Always Online is enabled for a Custom Hostname (SSL for SaaS) domain.
A non-Cloudflare domain cannot CNAME to a Cloudflare domain unless the non-Cloudflare domain is added to a Cloudflare account.
Attempting to directly access DNS records used for Cloudflare CNAME setups also causes error 1001 (For example: www.example.com.cdn.cloudflare.net).
Disable Always Online if using Custom Hostnames (SSL for SaaS).
Error 1002: DNS points to Prohibited IP
- A DNS record in your Cloudflare DNS app points to one of Cloudflare’s IP addresses.
- An incorrect target is specified for a CNAME record in your Cloudflare DNS app.
- Your domain is not on Cloudflare but has a CNAME that refers to a Cloudflare domain.
Update your Cloudflare A or CNAME record to point to your origin IP address instead of a Cloudflare IP address:
- Contact your hosting provider to confirm your origin IP address or CNAME record target.
- Log in to your Cloudflare account.
- Select the domain that generates error 1002.
- Select the DNS app.
- Click Value for the A record to update.
- Update the A record.
To ensure your origin web server doesn’t proxy its own requests through Cloudflare, configure your origin webserver to resolve your Cloudflare domain to:
- The internal NAT’d IP address, or
- The public IP address of the origin web server.
Error 1002: Restricted
The Cloudflare domain resolves to a local or disallowed IP address or an IP address not associated with the domain.
If you own the website:
- Confirm your origin web server IP addresses with your hosting provider,
- Log in to your Cloudflare account, and
- Update the A records in the Cloudflare DNS app to the IP address confirmed by your hosting provider.
Error 1003 Access Denied: Direct IP Access Not Allowed
A client or browser directly accesses a Cloudflare IP address.
Browse to the website domain name in your URL instead of the Cloudflare IP address.
Error 1004: Host Not Configured to Serve Web Traffic
- Cloudflare staff disabled proxying for the domain due to abuse or terms of service violations.
- DNS changes have not yet propagated or the site owner’s DNS A records point to Cloudflare IP addresses.
If the issue persists beyond 5 minutes, contact Cloudflare Support.
Errors 1005 Access Denied: Autonomous System Number (ASN) banned
The owner of the website (e.g. example.com) has banned the autonomous system number (ASN) from accessing the website.
If you are not the website owner, provide the website owner with a screenshot of the 1005 error message you received.
If you are the website owner:
- Retrieve a screenshot of the 1005 error from your customer
- Search the Security Events log (available at Security > Events) for the RayID, or client IP Address from the visitor’s 1005 error message.
3. Assess the cause of the block and ensure the ASN is allowed under the IP Access Rules security feature.
Errors 1006, 1007, 1008 or 1106 Access Denied: Your IP address has been banned
A Cloudflare customer blocked traffic from your client or browser.
Request the website owner to investigate their Cloudflare security settings or allow your client IP address. Since the website owner blocked your request, Cloudflare support cannot override a customer’s security settings.
Errors 1009 Access Denied: Country or region banned
The owner of the website (e.g. example.com) has banned the country or region your IP address from accessing the website.
Ensure your IP address is allowed under the IP Access Rules security feature.
Error 1010: The owner of this website has banned your access based on your browser’s signature
A website owner blocked your request based on your client’s web browser.
Notify the website owner of the blocking. If you cannot determine how to contact the website owner, lookup contact information for the domain via the Whois database. Site owners disable Browser Integrity Check via the Settings tab of the Security app.
Error 1011: Access Denied (Hotlinking Denied)
A request is made for a resource that uses Cloudflare hotlink protection.
Notify the website owner of the blocking. If you cannot determine how to contact the website owner, lookup contact information for the domain via the Whois database. Hotlink Protection is managed via the Cloudflare Scrape Shield app.
Error 1012: Access Denied
A website owner forbids access based on malicious activity detected from the visitor’s computer or network (ip_address). The most likely cause is a virus or malware infection on the visitor’s computer.
Update your antivirus software and run a full system scan. Cloudflare can not override the security settings the site owner has set for the domain. To request website access, contact the site owner to allow your IP address. If you cannot determine how to contact the website owner, lookup contact information for the domain via the Whois database.
Error 1013: HTTP hostname and TLS SNI hostname mismatch
The hostname sent by the client or browser via Server Name Indication (SNI) does not match the request host header.
Error 1013 is commonly caused by the following:
- your local browser setting the incorrect SNI host header, or
- a network proxying SSL traffic caused a mismatch between SNI and the Host header of the request.
Test for an SNI mismatch via an online tool such as: SSL Shopper.
Provide Cloudflare Support the following information:
- A HAR file captured while duplicating the error.
Error 1014: CNAME Cross-User Banned
By default, Cloudflare prohibits a DNS CNAME record between domains in different Cloudflare accounts. CNAME records are permitted within a domain ( www.example.com CNAME to api.example.com) and across zones within the same user account ( www.example.com CNAME to www.example.net) or using our Cloudflare for SaaS solution.
To allow CNAME record resolution to a domain in a different Cloudflare account, the domain owner of the CNAME target must use Cloudflare for SaaS; more specially our SSL for SaaS solution.
Error 1015: You are being rate limited
The site owner implemented Rate Limiting that affects your visitor traffic.
- If you are a site visitor, contact the site owner to request exclusion of your IP from rate limiting.
- If you are the site owner, review Cloudflare Rate Limiting thresholds and adjust your Rate Limiting configuration.
- If your Rate Limiting blocks requests in a short time period (i.e. 1 second) try increasing the time period to 10 seconds.
Error 1016: Origin DNS error
Cloudflare cannot resolve the origin web server’s IP address.
Common causes for Error 1016 are:
- A missing DNS A record that mentions origin IP address.
- A CNAME record in the Cloudflare DNS points to an unresolvable external domain.
- The origin host names (CNAMEs) in your Cloudflare Load Balancer default, region, and fallback pools are unresolvable. Use a fallback pool configured with an origin IP as a backup in case all other pools are unavailable.
- When creating a Spectrum app with a CNAME origin, you need first to create a CNAME on the Cloudflare DNS side that points to the origin. Please see Spectrum CNAME origins for more details
To resolve error 1016:
- Verify your Cloudflare DNS settings include an A record that points to a valid IP address that resolves via a DNS lookup tool.
- For a CNAME record pointing to a different domain, ensure that the target domain resolves via a DNS lookup tool.
Error 1018: Could not find host
- The Cloudflare domain was recently activated and there is a delay propagating the domain’s settings to the Cloudflare edge network.
- The Cloudflare domain was created via a Cloudflare partner (e.g., a hosting provider) and the provider’s DNS failed.
Contact Cloudflare Support with the following details:
- Your domain name
- A screenshot of the 1018 error including the RayID mentioned in the error message
- The time and timezone the 1018 error occurred
Error 1019: Compute server error
A Cloudflare Worker script recursively references itself.
Ensure your Cloudflare Worker does not access a URL that calls the same Workers script.
Error 1020: Access denied
A client or browser is blocked by a Cloudflare customer’s Firewall Rules.
If you are not the website owner, provide the website owner with a screenshot of the 1020 error message you received.
If you are the website owner:
- Retrieve a screenshot of the 1020 error from your customer
- Search the Security Events log (available at Security > Events) for the RayID or client IP Address from the visitor’s 1020 error message.
3. Assess the cause of the block and either update the Firewall Rule or allow the visitor’s IP address in IP Access Rules.
Error 1023: Could not find host
- If the owner just signed up for Cloudflare it can take a few minutes for the website’s information to be distributed to our global network. Something is wrong with the site’s configuration.
- Usually, this happens when accounts have been signed up with a partner organization (e.g., hosting provider) and the provider’s DNS fails.
Contact Cloudflare Support with the following details:
- Your domain name
- A screenshot of the 1023 error including the RayID mentioned in the error message
- The time and timezone the 1023 error occurred
Error 1025: Please check back later
A request is not serviced because the domain has reached plan limits for Cloudflare Workers.
Purchase the Unlimited Workers plan via the Plans page on the Workers dashboard.
Error 1033: Argo Tunnel error
You’ve requested a page on a website (
tunnel.example.com) that is on the Cloudflare network. The host (
tunnel.example.com) is configured as an Argo Tunnel, and Cloudflare is currently unable to resolve it.
- If you are a visitor of this website: Please try again in a few minutes.
- If you are the owner of this website: Ensure that cloudflared is running and can reach the network. You may wish to enable load balancing for your tunnel.
Error 1034: Edge IP Restricted
Customers who previously pointed their domains to
220.127.116.11 will now encounter 1034 error. This is due to a new edge validation check in Cloudflare’s systems to prevent misconfiguration and/or potential abuse.
Ensure DNS records are pointed to IP addresses you control, and in the case a placeholder IP address is needed for “originless” setups, use the IPv6 reserved address
100:: or the IPv4 reserved address
Error 1035: Invalid request rewrite (invalid URI path)
The value or expression of your rewritten URI path is not valid.
This error also occurs when the destination of the URL rewrite is a path under
Make sure that the rewritten URI path is not empty and it starts with a
/ (slash) character.
For example, the following URI path rewrite expression is not valid:
To fix the expression above, add a
concat("/", lower(ip.geoip.country), http.request.uri.path)
Error 1036: Invalid request rewrite (maximum length exceeded)
The value or expression of your rewritten URI path or query string is too long.
Use a shorter value or expression for the new URI path/query string value.
Error 1037: Invalid rewrite rule (failed to evaluate expression)
The expression of the rewrite rule could not be evaluated. There are several causes for this error, but it can mean that one expression element contained an undefined value when it was evaluated.
For example, you get a 1037 error when using the following URL rewrite dynamic expression and the
X-Source header is not included in the request:
Make sure that all the elements of your rewrite expression are defined. For example, if you are referring to a header value, ensure the header is set.
Error 1040: Invalid request rewrite (header modification not allowed)
You are trying to modify an HTTP header that HTTP Request Header Modification Rules cannot change.
Make sure you are not trying to modify one of the reserved HTTP request headers.
Error 1041: Invalid request rewrite (invalid header value)
The added/modified header value is too long or it contains characters that are not allowed.
- Use a shorter value or expression to define the header value.
- Remove the characters that are not allowed. See Format of HTTP request header names and values in Developer Docs for more information on the allowed characters.
Error 1101: Rendering error
Provide appropriate issues details to Cloudflare Support.
Error 1102: Rendering error
A Cloudflare Worker exceeds a CPU time limit. CPU time is the time spent executing code (for example, loops, parsing JSON, etc). Time spent on network requests (fetching, responding) does not count towards CPU time.
Contact the developer of your Workers code to optimize code for a reduction in CPU usage in the active Workers scripts.
Error 1104: A variation of this email address is already taken in our system. Only one variation is allowed.
This error can occur if an email has been added with some variation of the email you’re trying to add. For example, [email protected] and [email protected] will be treated the same in our system.
Log in as the old user and change email to a “throwaway” address, which will free up the new email.
Error 1200: Cache connection limit
There are too many requests queued on Cloudflare’s edge that are awaiting process by your origin web server. This limit protects Cloudflare’s systems.
Tune your origin webserver to accept incoming connections faster. Adjust your caching settings to improve cache-hit rates so that fewer requests reach your origin web server. Reach out to your hosting provider or web administrator for assistance.