Error 1020 is Cloudflare's "Access Denied" response: your request matched a custom firewall rule the site owner configured, and Cloudflare stopped it before it reached the origin. It's a deliberate block, not a site outage — the site works fine for anyone the rule doesn't match.
How to recognize it
A 1020 page carries the Cloudflare logo, "Access denied" as the headline, and a Ray ID at the bottom (e.g. Ray ID: 8a8b9c1d2e3f). The HTTP response is 403 Forbidden. The page source includes the literal string "Error 1020" and "Cloudflare Ray ID".
1020 vs other Cloudflare error codes
Cloudflare's custom error codes are grouped by cause. Knowing which one you're looking at narrows the fix:
| Code | Meaning | Who blocked you |
|---|---|---|
| 1006 / 1007 / 1008 | IP banned | Site owner's firewall |
| 1010 | Browser integrity check failed | Cloudflare (bot detection) |
| 1015 | Rate-limit threshold | Site owner's rate limiter |
| 1020 | Firewall rule block | Site owner's firewall |
| 1023 | Host unreachable | Cloudflare / origin down |
1020 is almost always the site owner's configuration, not a general Cloudflare problem.
Why site owners trigger 1020
Common custom-rule patterns that produce a 1020:
- Country block. The site blocks requests from your country (or allows only a small whitelist). Common for internal tools, compliance-bound SaaS, or small sites fending off scrapers.
- User-agent block. Requests with curl, wget, scraping frameworks, headless Chrome signatures, or missing/blank User-Agent headers.
- IP reputation. Your IP sits on a shared blocklist (Spamhaus, Tor exit registry, known VPN exit ranges).
- ASN block. Entire hosting-provider ranges (DigitalOcean, OVH, Hetzner) get blanket-blocked when a site has a scraper problem.
- Path-level rules. Specific endpoints like
/admin,/api/*, or/wp-login.phprestricted to approved sources. - JA3 / TLS fingerprint. Non-browser TLS fingerprints get blocked. This catches most HTTP libraries including
requests,okhttp, andreqwest.
How to tell whether it's just you
Run the target through a multi-region check at isitdown.io. If all 4 regions return healthy 2xx responses, the block is specific to your IP / ASN / country / user-agent. If some regions see 1020 and others don't, the rule is geography-scoped. The is-it-down diagnostic walks through the same pattern for outages generally.
User-side fixes
Try in order, cheapest first:
- Different browser. Rules out browser-fingerprint triggers and cached state.
- Mobile data. A completely different network + IP tells you whether the ban is IP-scoped.
- VPN exit in another country. If the rule is country-scoped, pick a country where the service is normally available.
- Reset your connection. If your IP was flagged by a shared blocklist, reconnecting often assigns a fresh IP from a different range.
If none of those work, the block is stable (your ASN, your corporate IP range, a persistent rule) and only the site owner can remove it.
What to do with the Ray ID
The Ray ID is a unique identifier for your blocked request. If you contact the site owner, include it — they can search for the exact request in their Cloudflare dashboard and see which rule fired. Without it they have no way to diagnose your specific case.
A Ray ID is not sensitive. You can email it or paste it into support tickets safely.
Site-owner side: debugging a 1020
In the Cloudflare dashboard:
- Go to Security → Events.
- Filter
Action: Blockand search the Ray ID the user reported. - The matching event shows which rule fired, including the rule name and the matched criteria (country, IP, user-agent, or expression).
- If the rule is firing on legitimate traffic, edit it or add an exception.
Common false-positive patterns to watch for:
- Overly broad country blocks catching legitimate users on VPNs.
- User-agent blocks catching Slack link previews, GitHub OG crawlers, RSS readers, and search-engine bots.
- IP-reputation thresholds set too low (most scored IPs are not actually malicious).
FAQ
Is 1020 a Cloudflare outage?
No. 1020 means the origin site is reachable and your specific request was blocked by the site owner's firewall rule. The site works for users the rule doesn't match.
Can I bypass 1020 permanently?
Only if the site owner removes the rule or whitelists you. A VPN or different IP is a per-session workaround, not a permanent fix.
Does 1020 mean my computer is compromised?
Usually no. It most often means your IP is on a shared blocklist because some other user on your ISP's IP range previously did something flagged. Anti-virus doesn't help; you need a different IP.
Why do I only see 1020 on some sites?
Because each Cloudflare-fronted site has its own firewall rules. A rule on site A doesn't apply to site B.