Error 520

Error 520: web server returns an unknown error

This error occurs when the origin server returns an empty, unknown, or unexpected response to Cloudflare.

Common causes

This error is often triggered by:

  • Origin server crashes or misconfigurations.
  • Firewalls or security plugins blocking Cloudflare IPs at your origin.
  • Headers exceeding 128 KB (often due to excessive cookies).
  • Empty or malformed responses lacking an HTTP status code or response body.
  • Missing response headers or origin web server not returning proper HTTP error responses.
  • Incorrect HTTP/2 configuration at the origin server.
  • Authentication Origin Pull enabled on Cloudflare but the origin is not configured as expected.

Resolution

  • Contact your hosting provider or site administrator and share the necessary error details to assist with troubleshooting. Request a review of your origin web server error logs for crashes, and check for the common causes listed in the previous section.

  • If HTTP/2 is enabled at your origin server, ensure it is correctly set up. Cloudflare connects over HTTP/2 to servers that announce support for it via ALPN. If the origin web server accepts the HTTP/2 connection but then does not respect or support the protocol, an HTTP 520 error will be returned. You can disable HTTP/2 to Origin in Speed > Settings > Protocol Optimization on the Cloudflare dashboard.

  • If 520 errors continue after contacting your hosting provider or site administrator, provide the following information to Cloudflare Support:

    • Full URL(s) of the resource requested when the error occurred.
    • Cloudflare cf-ray from the 520 error message.
    • Output from http://<YOUR_DOMAIN>/cdn-cgi/trace.
    • Two HAR files:

Diagnosing origin connectivity using OriginResponseStatus in logs

When reviewing Cloudflare Logs (via Logpush http_requests dataset), the OriginResponseStatus field shows the HTTP status code returned by your origin.

An OriginResponseStatus value of 0 has two distinct meanings depending on context:

  • No origin contact (cache hit or revalidated response): The request was served from cache and Cloudflare did not contact the origin. Filter these out when calculating origin error rates — they do not indicate an origin problem.
  • Failed origin connection: Cloudflare attempted to contact the origin but received no HTTP response. The origin either dropped the TCP connection before sending response headers, timed out before sending headers, or sent a malformed response that Cloudflare could not parse. Cloudflare generates the error page itself (typically a 520 or 500).

To distinguish between the two, check the CacheStatus field in the same log record:

  • CacheStatus is hit or revalidated → no origin contact; OriginResponseStatus = 0 is expected
  • CacheStatus is miss or expired → Cloudflare contacted the origin; OriginResponseStatus = 0 indicates a failed connection
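
The CacheStatus check above, applied to a batch of log records, as an added example that is not part of the original documentation. It assumes newline-delimited JSON output that includes the RayID field alongside OriginResponseStatus and CacheStatus; the sample records are constructed, and CacheStatus values the page does not cover are reported as unclassified rather than guessed.

```python
import json
from collections import Counter

# Constructed sample records (not real traffic), one JSON object per line.
SAMPLE_NDJSON = """\
{"RayID":"constructed-0001","CacheStatus":"hit","OriginResponseStatus":0}
{"RayID":"constructed-0002","CacheStatus":"miss","OriginResponseStatus":200}
{"RayID":"constructed-0003","CacheStatus":"miss","OriginResponseStatus":0}
{"RayID":"constructed-0004","CacheStatus":"revalidated","OriginResponseStatus":0}
{"RayID":"constructed-0005","CacheStatus":"expired","OriginResponseStatus":0}
{"RayID":"constructed-0006","CacheStatus":"dynamic","OriginResponseStatus":0}
truncated line that is not valid JSON
"""

NO_ORIGIN_CONTACT = {"hit", "revalidated"}  # status 0 is expected here
ORIGIN_CONTACTED = {"miss", "expired"}      # status 0 means a failed connection

def classify(record):
    """Label one log record using OriginResponseStatus and CacheStatus."""
    status = record.get("OriginResponseStatus")
    cache = str(record.get("CacheStatus", "")).lower()
    if status is None:
        return "unclassified"
    if status != 0:
        return "origin_responded"
    if cache in NO_ORIGIN_CONTACT:
        return "no_origin_contact"
    if cache in ORIGIN_CONTACTED:
        return "failed_origin_connection"
    return "unclassified"  # cache status not covered by the two rules above

def summarize(ndjson_text):
    """Return (label counts, RayIDs of failed connections, origin failure rate)."""
    counts, failed_rays = Counter(), []
    for line in filter(str.strip, ndjson_text.splitlines()):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            record = None
        if not isinstance(record, dict):
            counts["unparseable"] += 1
            continue
        label = classify(record)
        counts[label] += 1
        if label == "failed_origin_connection":
            failed_rays.append(record.get("RayID"))
    # Cache-served requests are excluded from the denominator.
    contacted = counts["origin_responded"] + counts["failed_origin_connection"]
    return counts, failed_rays, (counts["failed_origin_connection"] / contacted if contacted else 0.0)
```

The returned RayIDs are the requests to correlate against origin web server error logs for the same timestamps.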