
Cloudflare Error 1020: Access Denied Fix

A Cloudflare Error 1020 means a Cloudflare firewall rule has blocked the request. Unlike server-level errors (520, 521, 522), a 1020 is Cloudflare itself refusing to let the request through to your origin server. It's a security measure — Cloudflare evaluated the request against your firewall rules and decided it looked suspicious or matched a block rule.

This error affects both legitimate visitors who get caught by overly aggressive rules and site owners who need to fine-tune their security settings. Here's how to diagnose and fix it from both sides.

What Does a Cloudflare Error 1020 Mean?

Cloudflare sits between your visitors and your origin server. Before forwarding a request, it checks it against several layers of security:

  • WAF (Web Application Firewall) rules — both managed rules and your custom rules.
  • Firewall rules — custom rules you've created based on IP, country, ASN, URI, user agent, etc.
  • Rate limiting rules — threshold-based rules that block excessive requests.
  • Bot management — rules targeting automated traffic.
  • IP Access Rules — explicit IP allow/block lists.

A 1020 means one of these layers blocked the request. The error page sometimes includes a Ray ID — a unique identifier for that specific blocked request that you can use to find the exact rule that triggered it.

This is fundamentally different from a 403 Forbidden error from your origin server. A 403 means your web server rejected the request. A 1020 means Cloudflare rejected it before it ever reached your server.
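The distinction above can be checked from a monitoring script. The sketch below is an added example, not code from the original article. It assumes a 1020 block is served as HTTP 403 with the 1020 code in the body, and that the CF-RAY header has the form "<ray id>-<data centre>"; `classify_403` and the sample responses are constructed.

```python
import re

# Assumption: the block page carries "Error 1020" (HTML error page) or
# "error code: 1020" (short plain-text form) in the response body.
ERROR_1020 = re.compile(r"error(?:\s+code)?:?\s*1020", re.IGNORECASE)


def classify_403(status, headers, body):
    """Return (verdict, ray_id) for one HTTP response.

    headers is a dict of response headers, body the decoded response text.
    """
    h = {k.lower(): v for k, v in headers.items()}
    # Keep only the ID part of CF-RAY; that is what Security > Events searches on.
    ray_id = h.get("cf-ray", "").split("-")[0] or None
    if status != 403:
        return "not-a-403", ray_id
    if ray_id is None:
        # No CF-RAY header: the response did not pass through Cloudflare.
        return "403-without-cloudflare", None
    # Server: cloudflare and CF-RAY also appear on origin 403s that Cloudflare
    # proxied, so only the body separates an edge block from an origin rejection.
    if ERROR_1020.search(body):
        return "cloudflare-1020", ray_id
    # Either the origin's own 403 or a different Cloudflare error code.
    return "403-via-cloudflare-not-1020", ray_id


# Constructed sample responses, not captured traffic.
SAMPLES = {
    "edge_plain": (403, {"Server": "cloudflare", "CF-RAY": "8a1b2c3d4e5f6071-LHR"},
                   "error code: 1020"),
    "edge_html": (403, {"server": "cloudflare", "cf-ray": "8a1b2c3d4e5f6072-AMS"},
                  "<h1>Access denied</h1><span>Error 1020</span>"),
    "origin_proxied": (403, {"Server": "cloudflare", "CF-RAY": "8a1b2c3d4e5f6073-LHR"},
                       "<h1>403 Forbidden</h1><hr>nginx"),
    "origin_direct": (403, {"Server": "nginx"}, "<h1>403 Forbidden</h1>"),
}

if __name__ == "__main__":
    for name, response in SAMPLES.items():
        print(name, classify_403(*response))
```
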

Common Causes of a Cloudflare Error 1020

1. Overly Aggressive Firewall Rules

The most common cause for site owners. A custom firewall rule is too broad and blocks legitimate traffic. For example, blocking an entire country when you only meant to block a specific IP range, or blocking a user agent string that matches legitimate browsers.

2. IP Reputation or Threat Score

Cloudflare assigns a threat score to every IP address. If a visitor's IP has a high threat score (associated with spam, attacks, or suspicious activity), firewall rules that reference threat scores can block them.

3. Bot Detection False Positives

Cloudflare's bot management can misidentify legitimate automated traffic as malicious. This commonly affects:

  • SEO crawlers other than Googlebot.
  • Monitoring services checking your site.
  • API consumers accessing your endpoints.
  • Automated testing tools (Selenium, Playwright, etc.).

4. Country-Based Blocking

If you've set firewall rules to block traffic from specific countries, legitimate users from those countries (or users whose VPN exits in those countries) will see 1020.

5. Managed WAF Rules

Cloudflare's managed WAF ruleset can trigger on requests that look like SQL injection, XSS, or other attack patterns — even if the request is legitimate. This happens when URLs or form data contain characters that match attack signatures.

6. Rate Limiting

If you've configured rate limiting rules, legitimate users who make many requests in a short period (e.g., rapidly browsing multiple pages) can trigger a 1020.

How to Fix a Cloudflare Error 1020

As a Site Owner

Step 1: Find the Blocking Rule

Use the Ray ID from the error page to identify which rule triggered the block:

  1. In the Cloudflare dashboard, go to Security > Events.
  2. Search for the Ray ID or filter by action "Block" and status code "1020".
  3. The event log will show exactly which rule blocked the request and why.

You can also check recent blocks:

# Using the Cloudflare API to check firewall events
curl -s "https://api.cloudflare.com/client/v4/zones/YOUR_ZONE_ID/security/events?limit=10" \
    -H "Authorization: Bearer YOUR_API_TOKEN" \
    -H "Content-Type: application/json" | jq '.result[] | {ray_id, action, source, ip: .clientIP}'

Step 2: Adjust the Firewall Rule

Once you've identified the offending rule, modify it to be less aggressive. Common adjustments:

  • Narrow the scope: Instead of blocking an entire country, block specific IP ranges within that country.
  • Change the action: Switch from "Block" to "Challenge" (CAPTCHA) so legitimate users can still access the site.
  • Add exceptions: Create an allow rule for specific IPs, user agents, or URI paths that should bypass the block.

In the Cloudflare dashboard under Security > WAF > Custom rules, edit the rule to add exceptions:

# Example: Block a country but allow specific IPs
(ip.geoip.country eq "XX" and not ip.src in {203.0.113.0/24 198.51.100.0/24})
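Before saving a narrowed rule, it helps to replay recent blocks against it and see which ones it would release. The following is an added example, not code from the original article: it understands only the single rule shape shown above, and the event records, their field names, and the helper functions are constructed for illustration.

```python
import ipaddress
import re

# The broad rule and the narrowed rule from the page.
BROAD = '(ip.geoip.country eq "XX")'
NARROWED = '(ip.geoip.country eq "XX" and not ip.src in {203.0.113.0/24 198.51.100.0/24})'


def parse_rule(expr):
    """Parse one rule shape only: a country match plus an optional ip.src exception set."""
    country = re.search(r'ip\.geoip\.country eq "([A-Z]{2})"', expr).group(1)
    m = re.search(r"not ip\.src in \{([^}]*)\}", expr)
    nets = [ipaddress.ip_network(n) for n in m.group(1).split()] if m else []
    return country, nets


def matches(expr, country, ip):
    """True if a request from this country and IP would hit the block rule."""
    blocked_country, exceptions = parse_rule(expr)
    addr = ipaddress.ip_address(ip)
    return country == blocked_country and not any(addr in n for n in exceptions)


def released_by(old_expr, new_expr, events):
    """Ray IDs blocked under old_expr that new_expr would let through."""
    return [e["ray_id"] for e in events
            if matches(old_expr, e["country"], e["ip"])
            and not matches(new_expr, e["country"], e["ip"])]


def still_blocked(new_expr, events):
    """Ray IDs that the new rule keeps blocking."""
    return [e["ray_id"] for e in events if matches(new_expr, e["country"], e["ip"])]


# Constructed block events (hypothetical field names, documentation IP ranges).
EVENTS = [
    {"ray_id": "8a1b2c3d4e5f7001", "country": "XX", "ip": "203.0.113.5"},
    {"ray_id": "8a1b2c3d4e5f7002", "country": "XX", "ip": "192.0.2.10"},
    {"ray_id": "8a1b2c3d4e5f7003", "country": "XX", "ip": "198.51.100.77"},
    {"ray_id": "8a1b2c3d4e5f7004", "country": "YY", "ip": "203.0.113.9"},  # other rule
]

if __name__ == "__main__":
    print("released:", released_by(BROAD, NARROWED, EVENTS))
    print("still blocked:", still_blocked(NARROWED, EVENTS))
```
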

Step 3: Whitelist Legitimate Services

Add known-good services to your IP Access Rules (Security > WAF > Tools):

  • Your own office IP addresses.
  • Monitoring services like Domain Monitor.
  • Payment processors and webhook sources.
  • Partner API consumers.

# Whitelist an IP via Cloudflare API
curl -X POST "https://api.cloudflare.com/client/v4/zones/YOUR_ZONE_ID/firewall/access_rules/rules" \
    -H "Authorization: Bearer YOUR_API_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
        "mode": "whitelist",
        "configuration": {
            "target": "ip",
            "value": "203.0.113.5"
        },
        "notes": "Monitoring service"
    }'

Step 4: Review Managed WAF Rules

If managed rules are causing false positives:

  1. Go to Security > WAF > Managed rules.
  2. Find the specific rule that's triggering.
  3. Set it to "Log" instead of "Block" to stop blocking while you investigate.
  4. Once confirmed as a false positive, you can disable that specific rule or create an exception.

Step 5: Tune Bot Management

If legitimate bots are being blocked:

  1. Go to Security > Bots.
  2. Review the bot fight mode settings.
  3. Add verified bots to your allow list.
  4. For API endpoints, consider creating a firewall rule that skips bot checks for specific paths.

As a Visitor

If you're a visitor seeing a 1020 error on someone else's site:

  1. Disable your VPN — your VPN's exit IP might be flagged or in a blocked country.
  2. Clear your cookies — sometimes stale cookies trigger security rules.
  3. Try a different network — your IP might have a poor reputation. Switch to mobile data or a different Wi-Fi network.
  4. Contact the site owner — provide the Ray ID from the error page so they can investigate the specific rule that blocked you.
  5. Wait and retry — if it's rate limiting, the block may be temporary.

How Domain Monitor Can Help

If your Cloudflare firewall rules are too aggressive, they might block legitimate visitors — including search engine crawlers and monitoring services — without you realising it. A misconfigured rule can effectively take your site offline for a segment of your users while it appears perfectly fine from your own browser.

Domain Monitor checks your site every minute from multiple locations around the world. If a Cloudflare firewall rule starts blocking requests from any of these locations, you'll be alerted immediately via email, SMS, or Slack. This is especially valuable for catching overly broad country blocks or IP reputation rules that affect real visitors. Set up downtime alerts for your key pages so you know the moment Cloudflare starts blocking traffic that should be allowed through. Regular website monitoring from diverse locations ensures you see your site the way your global audience does.

Quick Summary

| Cause | Fix |
| --- | --- |
| Overly broad firewall rule | Narrow the rule scope, add exceptions |
| IP reputation block | Switch action to Challenge instead of Block |
| Bot detection false positive | Whitelist the bot or disable specific rules |
| Country block catching VPN users | Add exceptions for trusted IPs |
| WAF managed rule false positive | Disable or log the specific rule |
| Rate limiting too strict | Increase thresholds or add IP exceptions |

A 1020 is Cloudflare doing its job — protecting your site. The key is making sure it's not overprotecting and blocking the people you actually want to reach. Use the Security Events log to find exactly what's triggering blocks, then fine-tune your rules to let legitimate traffic through while still stopping the bad.
