HTTP Errors

What Is Cloudflare Error 1020? (Access Denied)

On this page

Cloudflare Error 1020 "Access Denied" means a Cloudflare firewall (WAF) rule on the site has blocked your request outright. Unlike Error 1015, which is a temporary rate limit, 1020 is a deliberate rule match: the site owner (or a Cloudflare Managed Ruleset) decided that traffic with your characteristics shouldn't be served at all. It is Cloudflare's own error page, returned with an HTTP 403, not a status code from the origin server.

Quick facts

Error1020 (Cloudflare)
HTTP status403 Forbidden
MeaningA WAF / firewall rule blocked the request
Common causesBad IP reputation, datacenter IPs, bot-like headers/TLS, country or ASN rules
Not the same as1015 (rate limit) — 1020 is a rule match, not "too fast"

What triggers Cloudflare 1020

Error 1020 fires when a request matches a firewall rule — a WAF Custom Rule, a Managed Ruleset, or a "block" action in Bot Management. The usual triggers:

  • Poor IP reputation. Datacenter, VPN, and recycled proxy IPs carry low trust scores; many sites block them on the first request.
  • Bot-like fingerprint. Missing browser headers, a python-requests or curl User-Agent, or a TLS/JA3 handshake that doesn't match the claimed browser.
  • Geo / ASN rules. The site blocks whole countries, hosting providers (AWS, GCP, OVH ranges), or specific ASNs.
  • Tripped a custom rule — hitting a path, header, or query pattern the owner explicitly blacklisted.

Because it's a rule match, waiting does not clear a 1020 the way it clears a 1015. You have to stop matching the rule.

How to fix Cloudflare 1020 when scraping

The block is on who you look like, so fix the signals in this order:

  1. Use clean residential or mobile IPs. Datacenter IPs are the number-one 1020 trigger. Rotating residential proxies with good reputation usually clear it.
  2. Send a complete, consistent browser profile — full headers and a matching TLS fingerprint. Spoofing the User-Agent alone fails because the JA3/JA4 handshake still says "script." See TLS fingerprinting.
  3. Render like a real browser when the rule checks for JavaScript execution — a full headless browser or a managed API that runs one.

Why a single fix rarely works
1020 rules usually combine signals (IP and fingerprint and behavior). Fixing one leaves the others matching. A managed scraping API that aligns IP reputation, headers, and TLS together handles this more consistently than fixing one signal at a time.

1020 vs 1015 vs a 403

Error 1015

  • Temporary rate limit
  • "You are being rate limited"
  • Clears on its own after a cooldown
  • Fix: slow down, rotate IPs

Error 1020

  • Firewall / WAF rule match
  • "Access denied"
  • Does not clear by waiting
  • Fix: change IP reputation + fingerprint

Plain 403

  • From the origin server, not Cloudflare
  • Permissions, auth, or origin WAF
  • No Cloudflare ray-ID branding
  • Fix: headers, cookies, auth

Confirm it's really 1020 by looking for the Cloudflare-branded page and a Ray ID. If there's no Cloudflare branding, treat it as an ordinary 403 Forbidden instead.

Related terms

What Is Cloudflare Error 1015?
Cloudflare error 1015 "You are being rate limited" means a website is blocking you because you sent too many requests too quickly. The site …
What Is the 403 Status Code (403 Forbidden Error)?
HTTP 403 Forbidden means the server understood your request but refuses to answer it. The difference from 401 is simple: 401 means "we don't…
What Is the 429 Status Code (429 Error)?
HTTP 429 Too Many Requests is the status code a server returns when a client has sent more requests in a given window than the server's rate…
What Is a Rotating Proxy?
A rotating proxy is a proxy service that automatically gives each request — or each new session — a different outbound IP address, picked fr…
What Is Anti-Bot Detection?
Anti-bot detection is the set of techniques websites use to tell automated traffic apart from real human visitors — and then block, challeng…
What Is TLS Fingerprinting (JA3/JA4)?
TLS fingerprinting is a way to recognize what software made a connection just by looking at how it sets up encryption — before the server re…

Concept map

How Cloudflare Error 1020 (Access Denied) connects

The terms most directly tied to this one. Hover a node to see its neighbours, click to preview, drag to rearrange.

0 terms · 0 connections
You are here · HTTP Errors
Building map…

Tools & solutions for this topic

Frequently asked questions

Why am I getting Cloudflare Error 1020?

A firewall rule on the site matched your request. The usual causes are a low-reputation IP (datacenter, VPN, or recycled proxy), a bot-like fingerprint (missing browser headers or a TLS handshake that does not match your User-Agent), or a geo/ASN rule that blocks your network. It is a deliberate block, not a rate limit.

How is Error 1020 different from 1015?

1015 is a temporary rate limit that clears on its own once you slow down. 1020 is a firewall rule match that says "access denied" and does not clear by waiting — you have to stop matching the rule by improving your IP reputation and browser fingerprint.

Does waiting fix a 1020 error?

Usually no. Because 1020 is a rule match rather than a cooldown, the same request will keep being denied until what the rule keys on changes — most often the IP reputation and the request fingerprint.

Can rotating proxies alone fix 1020?

Sometimes, if the rule is purely IP-based. But most 1020 rules combine IP reputation with fingerprint and behavior checks, so clean IPs plus a real browser profile (headers + matching TLS) are needed together. A managed scraping API aligns all three.

Last updated: 2026-06-08