Troubleshooting Cloudflare 1XXX errors
The errors covered in this document may occur when accessing a website proxied by Cloudflare. For issues related to the Cloudflare API or dashboard, refer to our Cloudflare API documentation.
HTTP errors such as 409, 530, 403, and 429 are returned in the HTTP status header of a response, while 1XXX errors appear in the HTML body of the response.
If the suggested resolutions for each error do not resolve the issue, contact Cloudflare Support.
- Only the website owner can contact Cloudflare for technical support. You can find a domain's contact details via the Whois database ↗.
- Pro, Business and Enterprise plan users have access to email support.
- Business and Enterprise users can also access chat support.
- For additional support options, refer to the Cloudflare plans ↗.
This error indicates that a Cloudflare DNS record points to a prohibited IP, blocking access to the requested domain.
Cloudflare halted the request for one of the following reasons:
- An A record within your Cloudflare DNS app points to a Cloudflare IP address ↗, or a Load Balancer Origin points to a proxied record.
- Your Cloudflare DNS A or CNAME record references another reverse proxy (such as an nginx web server that uses the proxy_pass function) that then proxies the request to Cloudflare a second time.
- The request X-Forwarded-For header is longer than 100 characters.
- The request includes two X-Forwarded-For headers.
- The request includes a CF-Connecting-IP header.
- A Server Name Indication (SNI) issue or mismatch at the origin.
- If an A record within your Cloudflare DNS app points to a Cloudflare IP address ↗, update the IP address to your origin web server IP address. Reach out to your hosting provider if you need help obtaining the origin IP address.
- There is a reverse-proxy at your origin that sends the request back through the Cloudflare proxy. Instead of using a reverse-proxy, contact your hosting provider or site administrator to configure an HTTP redirect at your origin.
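The header-related causes listed above can be checked on a captured request before it is sent through Cloudflare. This is an added example, not Cloudflare code; it assumes the 100-character limit applies to the header value and treats any count above one as the "two headers" case. The function names and the sample request are constructed for illustration.

```python
XFF_MAX = 100  # limit stated on this page; assumed to apply to the header value


def parse_head(raw):
    """Split a raw HTTP/1.1 request head into (name, value) pairs, keeping duplicates."""
    pairs = []
    for line in raw.split("\r\n")[1:]:   # skip the request line
        if not line:
            break                        # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def error_1000_findings(headers):
    """Return the header-related causes from this page that the request would trigger."""
    findings = []
    # Header names are case-insensitive, so compare in lower case.
    xff = [v for n, v in headers if n.lower() == "x-forwarded-for"]
    if len(xff) > 1:
        findings.append("multiple X-Forwarded-For headers (%d)" % len(xff))
    for value in xff:
        if len(value) > XFF_MAX:
            findings.append(
                "X-Forwarded-For longer than %d characters (%d)" % (XFF_MAX, len(value))
            )
    if any(n.lower() == "cf-connecting-ip" for n, _ in headers):
        findings.append("CF-Connecting-IP header present")
    return findings


# Constructed sample: a request as a chained reverse proxy might forward it,
# using documentation-range addresses only.
SAMPLE = (
    "GET / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "x-forwarded-for: 198.51.100.7\r\n"
    "X-Forwarded-For: " + ", ".join("203.0.113.%d" % i for i in range(1, 11)) + "\r\n"
    "CF-Connecting-IP: 198.51.100.7\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for finding in error_1000_findings(parse_head(SAMPLE)):
        print(finding)
```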
This error indicates a DNS resolution failure preventing access to the requested domain.
- A web request was sent to a Cloudflare IP address for a non-existent Cloudflare domain.
- An external domain that is not using Cloudflare has a CNAME record to a domain active on Cloudflare.
- The target of the DNS CNAME record does not resolve.
- A CNAME record in your Cloudflare DNS app requires resolution via a DNS provider that is currently offline.
- Always Online is enabled for a Custom Hostname (Cloudflare for SaaS) domain.
A non-Cloudflare domain cannot CNAME to a Cloudflare domain, unless the non-Cloudflare domain is added to a Cloudflare account.
Attempting to directly access DNS records used for Cloudflare CNAME setups also causes error 1001. For example, www.example.com.cdn.cloudflare.net.
Disable Always Online if using a Custom Hostname (Cloudflare for SaaS) domain.
This error indicates that a Cloudflare DNS record points to a prohibited IP, preventing proper domain resolution.
- A DNS record in your Cloudflare DNS app points to one of Cloudflare's IP addresses ↗.
- An incorrect target is specified for a CNAME record in your Cloudflare DNS app.
- Your domain is not on Cloudflare but has a CNAME that refers to a Cloudflare domain.
Update your Cloudflare A or CNAME record to point to your origin IP address instead of a Cloudflare IP address:
- Contact your hosting provider to confirm your origin IP address or CNAME record target.
- Log in to your Cloudflare account.
- Select the domain that generates error 1002.
- Select the DNS app.
- Click Value for the A record to update.
- Update the A record.
To ensure your origin web server does not proxy its own requests through Cloudflare, configure your origin webserver to resolve your Cloudflare domain to:
- The internal NAT'd IP address, or
- The public IP address of the origin web server.
This error indicates that the domain resolves to a restricted or disallowed IP address.
The Cloudflare domain resolves to a local or disallowed IP address or an IP address not associated with the domain.
If you own the website:
- Confirm your origin web server IP addresses with your hosting provider,
- Log in to your Cloudflare account, and
- Update the A records in the Cloudflare DNS app to the IP address confirmed by your hosting provider.
This error indicates that direct access to a Cloudflare IP address is not allowed.
A client or browser directly accesses a Cloudflare IP address ↗.
Browse to the website domain name in your URL instead of the Cloudflare IP address.
This error indicates that the host is not configured to serve web traffic.
- Cloudflare staff disabled proxying for the domain due to abuse or terms of service violations.
- DNS changes have not yet propagated or the site owner's DNS A records point to Cloudflare IP addresses ↗.
If the issue persists beyond five minutes, contact Cloudflare Support.
This error indicates that access to the website is denied due to the banning of the Autonomous System Number (ASN).
The owner of the website (for example, example.com) has banned the autonomous system number (ASN) from accessing the website.
If you are not the website owner, provide the website owner with a screenshot of the 1005 error message you received.
If you are the website owner:
- Retrieve a screenshot of the 1005 error from your customer.
- Search the Security Events log (available at Security > Events) for the RayID or client IP address from the visitor's 1005 error message.
- Assess the cause of the block and ensure the ASN is allowed under the IP Access Rules security feature.
This error indicates that access is denied because your IP address has been banned.
A Cloudflare customer blocked traffic from your client or browser.
Request the website owner to investigate their Cloudflare security settings or allow your client IP address. Since the website owner blocked your request, Cloudflare support cannot override a customer's security settings.
This error indicates that access to the website is denied from your country or region.
The owner of the website (for example, example.com) has banned the country or region your IP address is in from accessing the website.
Ensure your IP address is allowed under the IP Access Rules security feature.
This error indicates that access to the website is denied based on your browser's signature.
A website owner blocked your request based on your client's web browser.
Notify the website owner of the blocking. If you cannot determine how to contact the website owner, look up contact information for the domain via the Whois database ↗. Site owners disable Browser Integrity Check via the Settings tab of the Security app.
This error indicates that access to the resource is denied due to hotlinking protection.
A request is made for a resource that uses Cloudflare hotlink protection.
Notify the website owner of the blocking. If you cannot determine how to contact the website owner, look up contact information for the domain via the Whois database ↗. Hotlink Protection is managed via the Cloudflare Scrape Shield app.
This error indicates that access to the website is denied.
A website owner forbids access based on malicious activity detected from the visitor's computer or network (ip_address). The most likely cause is a virus or malware infection on the visitor's computer.
Update your antivirus software and run a full system scan. Cloudflare cannot override the security settings the site owner has set for the domain. To request website access, contact the site owner to allow your IP address. If you cannot determine how to contact the website owner, look up contact information for the domain via the Whois database ↗.
This error indicates a mismatch between the HTTP hostname and the TLS SNI hostname.
The hostname sent by the client or browser via Server Name Indication (SNI) does not match the request host header.
Error 1013 is commonly caused by the following:
- Your local browser setting the incorrect SNI host header, or
- A network proxying SSL traffic caused a mismatch between SNI and the Host header of the request.
Test for an SNI mismatch via an online tool, such as SSL Shopper ↗.
Provide Cloudflare Support the following information:
- A HAR file captured while duplicating the error.
This error indicates that a CNAME record between domains in different Cloudflare accounts is prohibited.
By default, Cloudflare prohibits a DNS CNAME record between domains in different Cloudflare accounts. CNAME records are permitted within a domain (www.example.com CNAME to api.example.com) and across zones within the same user account (www.example.com CNAME to www.example.net) or using our Cloudflare for SaaS ↗ solution.
Another common cause is connecting a custom domain to an R2 bucket, where the domain is an active zone with the zone hold feature enabled.
- To allow CNAME record resolution to a domain in a different Cloudflare account, the domain owner of the CNAME target must use Cloudflare for SaaS.
- To allow connecting to an R2 bucket with a custom domain, disable the zone hold feature on the custom domain target zone to resolve the 1014 error.
This error indicates that you are being rate limited by the website.
The site owner implemented Rate Limiting that affects your visitor traffic.
- If you are a site visitor, contact the site owner to request exclusion of your IP from rate limiting.
- If you are the site owner, review Cloudflare Rate Limiting thresholds and adjust your Rate Limiting configuration.
- If your Rate Limiting blocks requests in a short time period (i.e. 1 second) try increasing the time period to 10 seconds.
This error indicates that Cloudflare cannot resolve the origin web server's IP address.
Common causes for Error 1016 are:
- A missing DNS A record that mentions origin IP address.
- A CNAME record in the Cloudflare DNS points to an unresolvable external domain.
- The origin hostnames (CNAMEs) in your Cloudflare Load Balancer default, region, and fallback pools are unresolvable. Use a fallback pool configured with an origin IP as a backup in case all other pools are unavailable.
- When creating a Spectrum app with a CNAME origin, you need first to create a CNAME on the Cloudflare DNS side that points to the origin. Please see Spectrum CNAME origins for more details.
- There is no DNS record for the hostname in the Cloudflare for SaaS target zone.
- There is no DNS record for the hostname in the target Partial (CNAME) setup zone of a Workers subrequest (Fetch API).
To resolve error 1016:
- Verify your Cloudflare DNS settings include an A record that points to a valid IP address that resolves via a DNS lookup tool ↗.
- For a CNAME record pointing to a different domain, ensure that the target domain resolves via a DNS lookup tool ↗.
- For a Workers subrequest to a Partial (CNAME) setup zone, ensure that the hostname exists on the Cloudflare zone (and not only at the authoritative DNS).
This error indicates that the host could not be found.
- The Cloudflare domain was recently activated and there is a delay propagating the domain's settings to the Cloudflare edge network.
- The Cloudflare domain was created via a Cloudflare partner (for example, a hosting provider) and the provider's DNS failed.
Contact Cloudflare Support with the following details:
- Your domain name.
- A screenshot of the 1018 error including the RayID mentioned in the error message.
- A HAR file captured while duplicating the error.
This error indicates a compute server error related to a Cloudflare Worker.
A Cloudflare Worker script recursively references itself.
Ensure your Cloudflare Worker does not access a URL that calls the same Workers script.
This error indicates that access to the website is denied by a Cloudflare firewall rule.
A client or browser is blocked by a Cloudflare customer's Firewall Rules (deprecated).
If you are not the website owner, provide the website owner with a screenshot of the 1020 error message you received.
If you are the website owner:
- Retrieve a screenshot of the 1020 error from your customer.
- Search the Security Events log (available at Security > Events) for the RayID or client IP Address from the visitor's 1020 error message.
- Assess the cause of the block and either update the Firewall Rule or allow the visitor's IP address in IP Access Rules.
This error indicates that the host could not be found due to a configuration issue or propagation delay.
- If the owner just signed up for Cloudflare it can take a few minutes for the website's information to be distributed to our global network. Something is wrong with the site's configuration.
- Usually, this happens when accounts have been signed up with a partner organization (for example, hosting provider) and the provider's DNS fails.
Contact Cloudflare Support with the following details:
- Your domain name.
- A screenshot of the 1023 error including the RayID mentioned in the error message.
- A HAR file captured while duplicating the error.
This error indicates that the domain has reached its plan limits for Cloudflare Workers.
A request is not serviced because the domain has reached plan limits for Cloudflare Workers.
Purchase the Unlimited Workers plan via the Plans page ↗ on the Workers dashboard.
This error indicates an issue with resolving an Argo Tunnel.
You have requested a page on a website (tunnel.example.com) that is on the Cloudflare network. The host (tunnel.example.com) is configured as an Argo Tunnel, and Cloudflare is currently unable to resolve it.
- If you are a visitor of this website: Please try again in a few minutes.
- If you are the owner of this website: Ensure that cloudflared is running and can reach the network. You may wish to enable load balancing for your tunnel.
This error indicates that the IP address used for the domain is restricted by Cloudflare's edge validation.
Customers who previously pointed their domains to 1.1.1.1 will now encounter a 1034 error. This is due to a new edge validation check in Cloudflare's systems to prevent misconfiguration and/or potential abuse.
Ensure DNS records are pointed to IP addresses you control, and in the case a placeholder IP address is needed for “originless” setups, use the IPv6 reserved address 100:: or the IPv4 reserved address 192.0.2.0.
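Several errors on this page come from what a DNS record points at: a Cloudflare IP address, a local address, or 1.1.1.1, with 100:: and 192.0.2.0 as the accepted placeholders. The following added example (not Cloudflare code) audits an exported record list for those conditions. The two Cloudflare ranges are a partial sample of the published list, the set of local networks is an assumption about what "local" covers, and the zone data is constructed.

```python
import ipaddress

# Assumption: partial sample of Cloudflare's published IPv4 ranges; load the
# full, current list in real use.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "172.64.0.0/13")]
# Assumption: what counts as a "local" address for this audit.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
# Placeholder addresses this page recommends for "originless" setups.
PLACEHOLDERS = {ipaddress.ip_address("192.0.2.0"), ipaddress.ip_address("100::")}
RESOLVER_IP = ipaddress.ip_address("1.1.1.1")  # named on this page (error 1034)


def _in_any(ip, nets):
    return any(ip.version == net.version and ip in net for net in nets)


def classify_target(value):
    """Return a finding for an A/AAAA record value, or None if nothing is flagged."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return "not a valid IP address"
    if ip in PLACEHOLDERS:
        return None
    if ip == RESOLVER_IP:
        return "points to 1.1.1.1 (error 1034)"
    if _in_any(ip, CLOUDFLARE_RANGES):
        return "points to a Cloudflare IP address"
    if _in_any(ip, LOCAL_NETS):
        return "local address"
    return None


def audit_zone(records):
    """records: iterable of (name, type, value); returns (name, value, finding) tuples."""
    findings = []
    for name, rtype, value in records:
        if rtype in ("A", "AAAA"):
            problem = classify_target(value)
            if problem:
                findings.append((name, value, problem))
    return findings


# Constructed zone export; 203.0.113.10 stands in for a real origin address.
SAMPLE_ZONE = [
    ("www", "A", "104.16.1.1"), ("api", "A", "203.0.113.10"),
    ("dev", "A", "10.0.0.5"), ("old", "A", "1.1.1.1"),
    ("originless", "AAAA", "100::"), ("mail", "MX", "mail.example.com"),
    ("bad", "A", "origin.example.com"),
]
```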
This error indicates an invalid URI path in a request rewrite.
The value or expression of your rewritten URI path is not valid.
This error also occurs when the destination of the URL rewrite is a path under /cdn-cgi/.
Make sure that the rewritten URI path is not empty and it starts with a / (slash) character.
For example, the following URI path rewrite expression is not valid:
concat(lower(ip.src.country), http.request.uri.path)
To fix the expression above, add a / prefix:
concat("/", lower(ip.src.country), http.request.uri.path)
This error indicates that the rewritten URI path or query string exceeds the maximum allowed length.
The value or expression of your rewritten URI path or query string is too long.
Use a shorter value or expression for the new URI path/query string value.
This error indicates that the rewrite rule expression could not be evaluated.
There are several causes for this error, but it can mean that one expression element contained an undefined value when it was evaluated.
For example, you get a 1037 error when using the following URL rewrite dynamic expression and the X-Source header is not included in the request:
http.request.headers["x-source"][0]
Make sure that all the elements of your rewrite expression are defined. For example, if you are referring to a header value, ensure the header is set.
This error indicates that an attempt was made to modify a restricted HTTP header.
You are trying to modify an HTTP header that HTTP Request Header Modification Rules cannot change.
Make sure you are not trying to modify one of the reserved HTTP request headers.
This error indicates that the header value is not valid.
The added/modified header value is too long or it contains characters that are not allowed.
- Use a shorter value or expression to define the header value.
- Remove the characters that are not allowed. See Format of HTTP request header names and values in Developer Docs for more information on the allowed characters.
This error indicates a rendering issue.
This error typically occurs when a Cloudflare Worker encounters a runtime JavaScript exception.
Provide appropriate issue details to Cloudflare Support.
This error indicates that a Cloudflare Worker has exceeded the CPU time limit.
A Cloudflare Worker exceeds a CPU time limit. CPU time is the time spent executing code (for example, loops, parsing JSON, etc). Time spent on network requests (fetching, responding) does not count towards CPU time.
Contact the developer of your Workers code to optimize code for a reduction in CPU usage in the active Workers scripts.
Error 1104: A variation of this email address is already taken in our system. Only one variation is allowed.
This error indicates that the email address you are trying to add is already taken in the system.
This error can occur if an email has been added with some variation of the email you're trying to add. For example, my+user@example.com and my.user@example.com will be treated the same in our system.
Log in as the old user and change email to a "throwaway" address, which will free up the new email.
This error indicates that the number of requests queued on Cloudflare's edge exceeds the limit.
There are too many requests queued on Cloudflare's edge that are awaiting processing by your origin web server. This limit protects Cloudflare's systems.
Tune your origin webserver to accept incoming connections faster. Adjust your caching settings to improve cache-hit rates so that fewer requests reach your origin web server. Reach out to your hosting provider or web administrator for assistance.