Cloudflare error codes: 520, 521, 522, 524, 1015, 1020 decoded

Cloudflare sits in front of roughly one in five public websites. When something goes wrong between the visitor and the origin server, Cloudflare's error pages are usually what you see — and Cloudflare uses its own numeric vocabulary that doesn't map cleanly to vanilla HTTP. Reading the number is the difference between "the site is broken" and "the origin is misconfigured and you can't fix it from your end."

The 5xx family — origin problems

These codes all mean Cloudflare reached the origin server but the conversation went wrong. The number narrows down how. Visitors can't fix any of them; only the site owner can.

520 — Web Server Returned an Unknown Error

The origin replied, but the reply was malformed in a way Cloudflare couldn't parse. Empty response, invalid HTTP headers, an early TCP RST after the handshake. Treat 520 as "the origin is sick in some way Cloudflare doesn't have a specific code for." Common causes: an upstream crash that returned no body, missing CORS headers when Cloudflare is sniffing for them, or an origin that closed the connection mid-response.

521 — Web Server Is Down

The TCP handshake to the origin failed entirely. Either the origin process is offline, the firewall is blocking Cloudflare's IPs, or the origin's autoscaling didn't keep up with demand. A 521 across multiple Cloudflare regions for the same site almost always means the origin is genuinely down.

522 — Connection Timed Out

Cloudflare started the TCP handshake to the origin and didn't get the SYN-ACK back inside the timeout window (default 100 seconds for free plans, configurable on paid plans). The origin is reachable on the network layer but isn't completing connections — usually thread pool exhaustion, database lock contention, or an overloaded reverse proxy in front of the app.

523 — Origin Is Unreachable

DNS or routing problems. Cloudflare can't even find a route to the origin's IP. Rare in normal operation; usually means the site owner changed origin IPs without updating Cloudflare, or a transit provider is having a bad day.

524 — A Timeout Occurred

The TCP handshake succeeded but the HTTP response didn't come back within the response timeout. The origin is alive enough to accept a connection but the application layer is hung — long-running query, infinite loop, deadlock. The most common 5xx code in practice, because slow database queries are everywhere.

525 — SSL Handshake Failed

Cloudflare and the origin disagree on TLS. Usually means the origin's certificate is expired, self-signed, or doesn't match the hostname Cloudflare is sending. Site owners hit this when they renew a cert and forget to update the origin.

526 — Invalid SSL Certificate

Same family as 525, but Cloudflare did get a certificate from the origin and it failed validation. Self-signed certs in "Full (strict)" mode is the classic cause.

The 1xxx family — Cloudflare blocked you

These pages mean Cloudflare made a deliberate decision about your specific request and stopped it from reaching the origin. The number tells you which rule fired.

1000 — DNS points to prohibited IP

The hostname you visited has a DNS record that resolves to a Cloudflare IP that doesn't belong to it (often a stale CNAME). A site-owner misconfiguration; visitors can't bypass it.

1001 — DNS resolution error

Cloudflare's resolver couldn't resolve the upstream hostname. Usually means the origin's DNS provider is failing — unrelated to Cloudflare itself.

1010 — Browser signature blocked

Your browser's TLS or HTTP signature was flagged as a bot. Common with headless Chrome, Selenium scripts, old browsers, or browsers with aggressive anti-fingerprinting extensions. Switch browsers or remove fingerprinting plugins.

1015 — You are being rate-limited

Too many requests in too short a window. The threshold is set by the site owner via Cloudflare's rate-limiting rules. Wait a minute and retry; if you're hitting it repeatedly, the limit might be IP-based and you're sharing the IP (corporate NAT, mobile carrier, VPN exit node).

1020 — Access denied

A custom firewall rule blocked your request. The most common rules: blocking specific countries, blocking specific user agents, blocking known VPN/Tor exit nodes, or blocking IPs that previously failed bot challenges. The page text usually mentions which rule fired, but the rule itself isn't shown.

1006/1007/1008 — Access denied (IP blocked)

A specific IP, ASN, or country block on your address. Different code numbers indicate which list matched: an individual IP, an ASN-wide block, or a country-level block. Functionally the same outcome.

How to triage a Cloudflare error in 30 seconds

When Cloudflare's own status is the answer

Cloudflare publishes a real status page at status.cloudflare.com. When the company has an actual outage, all of the codes above can be misleading — your real issue isn't the origin, it's that Cloudflare can't reliably reach origins from one or more of its edge POPs. On those days, status.cloudflare.com lights up and the 520/522 codes propagate to every site behind Cloudflare in the affected region.

For Cloudflare-specific status alongside our own probes, see the live Cloudflare status page. The decoder will also handle individual codes if you paste one in — try the Status Meaning Decoder with Cloudflare 1020 to get the same triage flow inline with the rest of your error message.

Frequently asked

Can a site owner customise these error pages?

Yes. Paid Cloudflare plans let owners override the default error templates. Some sites replace the Cloudflare branding with their own. The numeric code in the page source usually stays the same — search the page HTML for error code: if the visible page is hiding it.

Why do I sometimes get 1020 only on specific sites?

1020 is a custom firewall rule. Each site owner writes their own rules, so one site may block all VPN traffic while another blocks only a specific country. There's no single Cloudflare-wide blocklist that applies to all sites.

Are 520-526 errors a Cloudflare bug?

No — they're Cloudflare reporting back what it saw at the origin. The origin is the one misbehaving. Cloudflare's only contribution is the numeric vocabulary; the underlying failure is on the origin server side.