What Is a 520 Status Code (Cloudflare)?

Paste into ChatGPT, Claude, or any LLM

On this page

HTTP 520 is a non-standard Cloudflare status code meaning the origin server returned a response Cloudflare cannot interpret. The origin may have closed the connection mid-response, returned malformed headers, sent an empty body where Cloudflare expected content, or crashed entirely. From a scraper's point of view it is a 5xx — server side, not a block — but the underlying cause varies enough that diagnosing it takes care.

Status family	5xx — server error (Cloudflare-specific)
Meaning	Origin returned empty, unknown, or invalid response to Cloudflare
Common causes	Origin crash, malformed headers, premature close, origin firewall blocking Cloudflare
Retry safe?	Yes — with exponential backoff; transient in most cases
Distinguishes from	521 (origin down), 522 (origin timeout), 523 (origin unreachable)

What 520 actually indicates

520 is Cloudflare's catch-all when it cannot map an origin failure to a more specific 5xx. The origin replied, but the reply violated HTTP in some way: oversized headers, a connection reset before the response body finished, malformed status line, empty body where a length was promised. It is not a block aimed at your scraper — Cloudflare returns 520 to all clients when the origin misbehaves.

How to handle 520 in a scraper

Retry with exponential backoff (1s, 2s, 4s, 8s, max 5 attempts). Most 520s clear within a minute as the origin recovers. If a specific URL returns 520 consistently for an hour, the origin is likely broken — log it, alert, and move on rather than wasting crawl budget. Do not rotate proxies on a 520; the issue is server-side, so a new IP changes nothing.

When 520 hides a block

Rare but real: a few sites configure their origin firewall to drop scraper traffic at the TCP level, which surfaces to Cloudflare as a 520 instead of a proper 403. The tell is that 520s correlate with your traffic specifically — a real browser request from the same IP succeeds. In that case treat it as a soft block: improve TLS fingerprint and headers, then retry.

Code example

python

import requests, time

def fetch_with_520_retry(url, max_attempts=5):
    for attempt in range(max_attempts):
        r = requests.get(url)
        if r.status_code != 520:
            return r
        time.sleep(2 ** attempt)  # 1s, 2s, 4s, 8s, 16s
    raise RuntimeError(f'520 persisted after {max_attempts} attempts')

HTTP 503 Service Unavailable means the server is temporarily unable to handle the request — usually because it's overloaded, undergoing main…

What Is the 429 Status Code (429 Error)?

HTTP 429 Too Many Requests is the status code a server returns when a client has sent more requests in a given window than the server's rate…

What Is Cloudflare Error 1015?

Cloudflare error 1015 "You are being rate limited" is shown when a visitor has exceeded a rate-limiting rule configured by the site owner in…

What Is Cloudflare Bot Management?

Cloudflare Bot Management is the enterprise-tier ML scoring system Cloudflare runs on every request to a protected zone. Unlike Turnstile — …

What Is a 402 Error?

HTTP 402 Payment Required indicates the server is refusing the request until payment, billing, or quota issues are resolved. It was reserved…

Concept map

How 520 Error connects

The terms most directly tied to this one. Hover a node to see its neighbours, click to preview, drag to rearrange.

0 terms · 0 connections

You are here · HTTP Errors

Tools & solutions for this topic

Frequently asked questions

Is 520 the same as 502 Bad Gateway?

Conceptually similar but Cloudflare-specific. 502 is the standard "upstream returned invalid response." 520 is what Cloudflare uses when the failure does not fit any of the more specific Cloudflare 5xx codes (521, 522, 523, 524, 525, 526).

How long should I retry a 520?

Five attempts with exponential backoff covers ~30 seconds of total wait. Beyond that, the origin is sustainably broken and continuing to retry burns budget without helping.

Does 520 mean my scraper triggered something?

Almost never. 520 is origin-side and affects all clients equally. If only your scraper sees 520s while browser traffic succeeds, you are looking at a TCP-level block dressed up as 520 — improve fingerprint, not retry logic.

Last updated: 2026-05-26