Troubleshooting Cloudflare 1XXX errors
The errors described in this document might occur when visiting a website proxied by Cloudflare. For Cloudflare API or dashboard errors, review our Cloudflare API documentation. HTTP 409, 530, 403, and 429 errors are the HTTP error codes returned in the HTTP status header for a response. 1XXX errors appear in the HTML body of the response.
If the resolutions within each error description below do not resolve the error, contact Cloudflare Support.
Cloudflare halted the request for one of the following reasons:
- An A record within your Cloudflare DNS app points to a Cloudflare IP address ↗, or a Load Balancer Origin points to a proxied record.
- Your Cloudflare DNS A or CNAME record references another reverse proxy (such as an nginx web server that uses the proxy_pass function) that then proxies the request to Cloudflare a second time.
- The request X-Forwarded-For header is longer than 100 characters.
- The request includes two X-Forwarded-For headers.
- The request includes a CF-Connecting-IP header.
- A Server Name Indication (SNI) issue or mismatch at the origin.
- If an A record within your Cloudflare DNS app points to a Cloudflare IP address ↗, update the IP address to your origin web server IP address. Reach out to your hosting provider if you need help obtaining the origin IP address.
- There is a reverse-proxy at your origin that sends the request back through the Cloudflare proxy. Instead of using a reverse-proxy, contact your hosting provider or site administrator to configure an HTTP redirect at your origin.
- A web request was sent to a Cloudflare IP address for a non-existent Cloudflare domain.
- An external domain that is not on using Cloudflare has a CNAME record to a domain active on Cloudflare
- The target of the DNS CNAME record does not resolve.
- A CNAME record in your Cloudflare DNS app requires resolution via a DNS provider that is currently offline.
- Always Online is enabled for a Custom Hostname (Cloudflare for SaaS) domain.
A non-Cloudflare domain cannot CNAME to a Cloudflare domain unless the non-Cloudflare domain is added to a Cloudflare account.
Attempting to directly access DNS records used for Cloudflare CNAME setups also causes error 1001 (For example: www.example.com.cdn.cloudflare.net ↗).
Disable Always Online if using Custom Hostname (Cloudflare for SaaS) domain.
- A DNS record in your Cloudflare DNS app points to one of Cloudflare’s IP addresses ↗.
- An incorrect target is specified for a CNAME record in your Cloudflare DNS app.
- Your domain is not on Cloudflare but has a CNAME that refers to a Cloudflare domain.
Update your Cloudflare A or CNAME record to point to your origin IP address instead of a Cloudflare IP address:
- Contact your hosting provider to confirm your origin IP address or CNAME record target.
- Log in to your Cloudflare account.
- Select the domain that generates error 1002.
- Select the DNS app.
- Click Value for the A record to update.
- Update the A record.
To ensure your origin web server doesn’t proxy its own requests through Cloudflare, configure your origin webserver to resolve your Cloudflare domain to:
- The internal NAT’d IP address, or
- The public IP address of the origin web server.
The Cloudflare domain resolves to a local or disallowed IP address or an IP address not associated with the domain.
If you own the website:
- Confirm your origin web server IP addresses with your hosting provider,
- Log in to your Cloudflare account, and
- Update the A records in the Cloudflare DNS app to the IP address confirmed by your hosting provider.
A client or browser directly accesses a Cloudflare IP address ↗.
Browse to the website domain name in your URL instead of the Cloudflare IP address.
- Cloudflare staff disabled proxying for the domain due to abuse or terms of service violations.
- DNS changes have not yet propagated or the site owner’s DNS A records point to Cloudflare IP addresses ↗.
If the issue persists beyond 5 minutes, contact Cloudflare Support.
The owner of the website (e.g. example.com) has banned the autonomous system number (ASN) from accessing the website.
If you are not the website owner, provide the website owner with a screenshot of the 1005 error message you received.
If you are the website owner:
- Retrieve a screenshot of the 1005 error from your customer
- Search the Security Events log (available at Security > Events) for the RayID, or client IP Address from the visitor’s 1005 error message.
3. Assess the cause of the block and ensure the ASN is allowed under the IP Access Rules security feature.
A Cloudflare customer blocked traffic from your client or browser.
Request the website owner to investigate their Cloudflare security settings or allow your client IP address. Since the website owner blocked your request, Cloudflare support cannot override a customer’s security settings.
The owner of the website (e.g. example.com) has banned the country or region your IP address from accessing the website.
Ensure your IP address is allowed under the IP Access Rules security feature.
A website owner blocked your request based on your client’s web browser.
Notify the website owner of the blocking. If you cannot determine how to contact the website owner, lookup contact information for the domain via the Whois database ↗. Site owners disable Browser Integrity Check via the Settings tab of the Security app.
A request is made for a resource that uses Cloudflare hotlink protection.
Notify the website owner of the blocking. If you cannot determine how to contact the website owner, lookup contact information for the domain via the Whois database ↗. Hotlink Protection is managed via the Cloudflare Scrape Shield app.
A website owner forbids access based on malicious activity detected from the visitor’s computer or network (ip_address). The most likely cause is a virus or malware infection on the visitor’s computer.
Update your antivirus software and run a full system scan. Cloudflare can not override the security settings the site owner has set for the domain. To request website access, contact the site owner to allow your IP address. If you cannot determine how to contact the website owner, lookup contact information for the domain via the Whois database ↗.
The hostname sent by the client or browser via Server Name Indication (SNI) does not match the request host header.
Error 1013 is commonly caused by the following:
- your local browser setting the incorrect SNI host header, or
- a network proxying SSL traffic caused a mismatch between SNI and the Host header of the request.
Test for an SNI mismatch via an online tool such as: SSL Shopper ↗.
Provide Cloudflare Support the following information:
- A HAR file captured while duplicating the error.
By default, Cloudflare prohibits a DNS CNAME record between domains in different Cloudflare accounts. CNAME records are permitted within a domain (www.example.com ↗ CNAME to api.example.com) and across zones within the same user account (www.example.com ↗ CNAME to www.example.net ↗) or using our Cloudflare for SaaS ↗ solution.
Another common cause is connecting a custom domain to an R2 bucket, where the domain is an active zone with the zone hold feature enabled.
- To allow CNAME record resolution to a domain in a different Cloudflare account, the domain owner of the CNAME target must use Cloudflare for SaaS.
- To allow connecting to a R2 bucket with a custom domain, disable the zone hold feature on the custom domain target zone to resolve the 1014 error.
The site owner implemented Rate Limiting that affects your visitor traffic.
- If you are a site visitor, contact the site owner to request exclusion of your IP from rate limiting.
- If you are the site owner, review Cloudflare Rate Limiting thresholds and adjust your Rate Limiting configuration.
- If your Rate Limiting blocks requests in a short time period (i.e. 1 second) try increasing the time period to 10 seconds.
Cloudflare cannot resolve the origin web server’s IP address.
Common causes for Error 1016 are:
- A missing DNS A record that mentions origin IP address.
- A CNAME record in the Cloudflare DNS points to an unresolvable external domain.
- The origin hostnames (CNAMEs) in your Cloudflare Load Balancer default, region, and fallback pools are unresolvable. Use a fallback pool configured with an origin IP as a backup in case all other pools are unavailable.
- When creating a Spectrum app with a CNAME origin, you need first to create a CNAME on the Cloudflare DNS side that points to the origin. Please see Spectrum CNAME origins for more details
- There is no DNS record for the hostname in the Cloudflare for SaaS target zone
- There is no DNS record for the hostname in the target Partial (CNAME) setup zone of a Workers subrequest (Fetch API)
To resolve error 1016:
- Verify your Cloudflare DNS settings include an A record that points to a valid IP address that resolves via a DNS lookup tool ↗.
- For a CNAME record pointing to a different domain, ensure that the target domain resolves via a DNS lookup tool ↗.
- For a Workers subrequest to a Partial (CNAME) setup zone, ensure that the hostname exists on the Cloudflare zone (and not only at the authoritative DNS)
- The Cloudflare domain was recently activated and there is a delay propagating the domain’s settings to the Cloudflare edge network.
- The Cloudflare domain was created via a Cloudflare partner (e.g., a hosting provider) and the provider’s DNS failed.
Contact Cloudflare Support with the following details:
- Your domain name
- A screenshot of the 1018 error including the RayID mentioned in the error message
- A HAR file captured while duplicating the error
A Cloudflare Worker script recursively references itself.
Ensure your Cloudflare Worker does not access a URL that calls the same Workers script.
A client or browser is blocked by a Cloudflare customer’s Firewall Rules (deprecated).
If you are not the website owner, provide the website owner with a screenshot of the 1020 error message you received.
If you are the website owner:
- Retrieve a screenshot of the 1020 error from your customer
- Search the Security Events log (available at Security > Events) for the RayID or client IP Address from the visitor’s 1020 error message.
3. Assess the cause of the block and either update the Firewall Rule or allow the visitor’s IP address in IP Access Rules.
- If the owner just signed up for Cloudflare it can take a few minutes for the website’s information to be distributed to our global network. Something is wrong with the site’s configuration.
- Usually, this happens when accounts have been signed up with a partner organization (e.g., hosting provider) and the provider’s DNS fails.
Contact Cloudflare Support with the following details:
- Your domain name
- A screenshot of the 1023 error including the RayID mentioned in the error message
- A HAR file captured while duplicating the error
A request is not serviced because the domain has reached plan limits for Cloudflare Workers.
Purchase the Unlimited Workers plan via the Plans page ↗ on the Workers dashboard.
You’ve requested a page on a website (tunnel.example.com) that is on the Cloudflare network. The host (tunnel.example.com) is configured as an Argo Tunnel, and Cloudflare is currently unable to resolve it.
- If you are a visitor of this website: Please try again in a few minutes.
- If you are the owner of this website: Ensure that cloudflared is running and can reach the network. You may wish to enable load balancing for your tunnel.
Customers who previously pointed their domains to 1.1.1.1 will now encounter 1034 error. This is due to a new edge validation check in Cloudflare’s systems to prevent misconfiguration and/or potential abuse.
Ensure DNS records are pointed to IP addresses you control, and in the case a placeholder IP address is needed for “originless” setups, use the IPv6 reserved address 100:: or the IPv4 reserved address 192.0.2.0.
The value or expression of your rewritten URI path is not valid.
This error also occurs when the destination of the URL rewrite is a path under /cdn-cgi/.
Make sure that the rewritten URI path is not empty and it starts with a / (slash) character.
For example, the following URI path rewrite expression is not valid:
concat(lower(ip.geoip.country), http.request.uri.path)
To fix the expression above, add a / prefix:
concat("/", lower(ip.geoip.country), http.request.uri.path)
The value or expression of your rewritten URI path or query string is too long.
Use a shorter value or expression for the new URI path/query string value.
The expression of the rewrite rule could not be evaluated. There are several causes for this error, but it can mean that one expression element contained an undefined value when it was evaluated.
For example, you get a 1037 error when using the following URL rewrite dynamic expression and the X-Source header is not included in the request:
http.request.headers["x-source"][0]
Make sure that all the elements of your rewrite expression are defined. For example, if you are referring to a header value, ensure the header is set.
You are trying to modify an HTTP header that HTTP Request Header Modification Rules cannot change.
Make sure you are not trying to modify one of the reserved HTTP request headers.
The added/modified header value is too long or it contains characters that are not allowed.
- Use a shorter value or expression to define the header value.
- Remove the characters that are not allowed. See Format of HTTP request header names and values in Developer Docs for more information on the allowed characters.
A Cloudflare Worker throws a runtime JavaScript exception.
Provide appropriate issues details to Cloudflare Support.
A Cloudflare Worker exceeds a CPU time limit. CPU time is the time spent executing code (for example, loops, parsing JSON, etc). Time spent on network requests (fetching, responding) does not count towards CPU time.
Contact the developer of your Workers code to optimize code for a reduction in CPU usage in the active Workers scripts.
Error 1104: A variation of this email address is already taken in our system. Only one variation is allowed.
This error can occur if an email has been added with some variation of the email you’re trying to add. For example, my+user@example.com and my.user@example.com will be treated the same in our system.
Log in as the old user and change email to a “throwaway” address, which will free up the new email.
There are too many requests queued on Cloudflare’s edge that are awaiting process by your origin web server. This limit protects Cloudflare’s systems.
Tune your origin webserver to accept incoming connections faster. Adjust your caching settings to improve cache-hit rates so that fewer requests reach your origin web server. Reach out to your hosting provider or web administrator for assistance.