Error 1015 is Cloudflare's rate-limit response: the site owner configured a per-IP request-rate threshold and you've crossed it. Like 1020, the site itself is up — Cloudflare is gating you specifically, and it'll let you back in once the cooldown elapses.
How to recognize it
A 1015 page shows the Cloudflare logo, the text "You are being rate limited", the Ray ID, and an HTTP status of 429 Too Many Requests. The message often says "Error 1015" in small text near the bottom.
1015 vs 1020 vs other Cloudflare errors
Cloudflare's custom error codes look similar at a glance but mean different things:
| Code | Meaning | Time to recover |
|---|---|---|
| 1010 | Browser integrity check failed | Until you fix the browser/automation signal |
| 1015 | Rate limit threshold | Cooldown (seconds to minutes) |
| 1020 | Firewall rule block | Until rule is removed (or you bypass via VPN) |
| 1023 | Origin host unreachable | Once the origin recovers |
1015 is temporary by design. 1020 is a stable block; 1015 expires when your request rate drops.
Why site owners configure rate limits
Common reasons a site owner enables a Cloudflare rate-limit rule:
- Login/auth endpoints. Capping
/loginat e.g. 10 attempts per minute per IP defeats credential stuffing. - Search and expensive APIs. Endpoints that fan out to a database or third-party API need protection so a single client can't run up the bill.
- Scraping defence. Public catalog and product pages are favorite scraper targets; a 100-req/min cap stops most scripts cold.
- Comment/form spam. Limiting POSTs to
/contactor/commentkills the easy automated abuse. - DDoS mitigation. Cloudflare's automatic DDoS protection often lays down rate limits dynamically when it detects an attack.
How to tell whether it's just you
A 1015 affects the IP that crossed the threshold, not the site overall. Run a multi-region check at isitdown.io. If three regions return healthy 2xx and one returns 1015, you're hitting a regional edge cooldown. If all four are healthy, only your IP is throttled.
User-side fixes
Try in order:
- Wait. The simplest and almost always correct answer. Most 1015 cooldowns are 30 seconds to 5 minutes.
- Stop whatever automation triggered it. If you're hitting an API in a script, the script is probably running too fast. Add backoff (how to back off properly).
- Different IP. Mobile data, a VPN, or reconnecting your home router (if you have a dynamic IP) usually gets you a fresh quota.
- Authenticate. Many sites apply tighter limits to anonymous traffic and looser limits to logged-in users — sign in if you have an account.
Site-owner side: configuring 1015
In the Cloudflare dashboard, rate limits live under Security → WAF → Rate limiting rules. The defaults to think about:
- Threshold and window. "100 requests per 60 seconds per IP" is a reasonable default for most public endpoints. Tune down (10/60s) for login/sensitive paths.
- Action. "Block" returns 1015. "Challenge" presents a CAPTCHA. "Log" only records — useful for tuning before enforcing.
- Mitigation timeout. How long the IP stays blocked after crossing the threshold. 60 seconds is a friendly default; 10 minutes is appropriate for login endpoints.
- Counting expression. Don't apply rate limits to static assets — limit by path, method, or specific endpoints, not the whole hostname.
Common mistakes when configuring 1015
- Rate limiting
/static/*or favicons. A normal page load can pull 30+ assets, easily tripping a per-IP limit. - Too tight a window for HTML pages. "10 requests per minute" sounds reasonable until you remember that opening a tab for 5 minutes might trigger background polling, prefetch, and analytics calls.
- No allow-list for known good crawlers. Googlebot and Bingbot don't crawl slowly. If you don't allow-list them, you'll quietly de-index yourself.
- Mitigation timeout too long. A 1-hour block is fine for a confirmed attacker but punishing for a legitimate user who clicked refresh four times.
FAQ
How long does a 1015 cooldown last?
Whatever the site owner configured. The default is 60 seconds, but it can be set to anything from 10 seconds to several hours.
Will a VPN bypass 1015?
Usually yes — a VPN gives you a different exit IP, and 1015 is per-IP. The exception: some sites maintain shared block lists of known VPN ranges that get blanket-blocked separately (a 1020, not 1015).
Why do I see 1015 on a site I've never visited before?
Two common causes: (1) your IP is shared with someone who triggered the limit (NAT, VPN, mobile carrier-grade NAT), or (2) the site has an aggressive global-rate-limit rule that catches first-visit traffic.
Is 1015 a Cloudflare bug?
No. 1015 is a deliberate response from a rate-limit rule the site owner enabled. If you think it's misconfigured, contact the site owner with the Ray ID — they can see the exact rule that fired.