Skip to content
Pricing RU Sign In
RU
← All articles
Monitoring

Cloudflare Error 1020 Access Denied Fix

Published: 23.06.2026 · ~4 min · 28 views

Short answer. Error 1020 Access Denied means a Cloudflare security rule blocked the request — WAF, a Firewall Rule, an IP Access Rule, or rate limiting. It is a deliberate block, not a server failure. If you are a visitor, try disabling your VPN, switching networks, or changing browsers. If you own the site, find the triggered rule in Cloudflare Security Events and adjust it.

What Error 1020 is

1020 is Cloudflare's code for "access denied by a security rule." Unlike 522/525 (origin-connectivity problems), 1020 is intentional: Cloudflare chose not to pass the request based on a configured rule. The site is alive — this specific request was blocked.

1020 is a security policy, not a breakage. Someone (you or your admin) configured a rule, and the current request matched it.

If you are a visitor

  1. Disable your VPN or proxy — they often fall under IP/country blocks.
  2. Switch networks: move from Wi-Fi to mobile data.
  3. Clear the site's cookies and try an incognito window.
  4. Check whether a browser extension is altering requests (User-Agent, headers).
  5. If nothing helps, contact the site owner and quote the Ray ID from the error page.

If you own the site

Find which rule fired. Cloudflare logs every block:

  • Cloudflare panel → Security → Events (formerly Firewall → Events).
  • Filter by Action = Block and by the incident time.
  • Find the entry with the right Ray ID — it shows which rule (WAF Managed Rule, Custom Rule, IP Access Rule, Rate Limit) triggered.

Common sources of 1020

Block sourceWhat to check / how to fix
Custom Firewall RuleSecurity → WAF → Custom rules: a rule by country, ASN, User-Agent
IP Access RuleSecurity → Tools: an explicit block by IP/range
Managed WAF RuleAn OWASP ruleset fired on a legitimate request — add an exception
Rate LimitingToo many requests from one IP — raise the limit or exclude it
Bot Fight ModeBlocked a bot/script — add it to the allowlist

Step by step: clear a false block

  1. Open Security → Events and find the block by Ray ID.
  2. Look at the "Rule" field — that is the name of the triggered rule.
  3. If it is legitimate traffic, create a higher-priority Skip/Allow rule or a WAF exception.
  4. For your own scripts and monitoring, add their IPs to IP Access Rules as Allow.
  5. Inspect your client's headers and User-Agent — an empty UA often triggers the WAF.
Do not disable the entire WAF over one false positive. A targeted exception by IP or rule keeps protection in place and removes the 1020.

Reproduce it with curl

To reproduce the block and learn which header the WAF reacts to:

# Basic request — you'll see 1020 in the body and a 403 code:
curl -Iv https://example.com/

# With a normal User-Agent (WAF often blocks an empty UA):
curl -A "Mozilla/5.0" -I https://example.com/

# Check for a country/IP block — from a different IP/VPN:
curl --resolve example.com:443:104.16.0.1 -I https://example.com/

How enterno.io helps

If your monitoring or script catches 1020, it often means Cloudflare is blocking that very client. The enterno.io HTTP checker and uptime monitoring show the response code and the page body, so you see the 1020 and Ray ID immediately. Multi-region checks (RU/EU/US) help reveal whether Cloudflare blocks by geography — if one region returns 1020 and another returns 200, a country rule is at play. enterno.io diagnoses and warns; the WAF/Firewall rule is configured by the owner in the Cloudflare panel. To keep monitoring from being blocked, add its IPs to the Cloudflare allowlist.

FAQ

Is 1020 a virus or a hack?

No. It is a block by a Cloudflare security rule. It sometimes fires on legitimate traffic (a false positive).

Why does the site open on my phone but not my computer?

Most likely a block on your home ISP's IP, your network, or a VPN/extension. Mobile data uses a different IP.

What is a Ray ID and why does it matter?

A Ray ID is a unique request identifier. The owner uses it to find the exact Security Events entry and see which rule fired.

Can I add an exception without disabling protection?

Yes. Create a Skip/Allow rule or an IP Access Rule for the specific IP — the rest of the protection keeps working.

Next step: Check the response code with the HTTP checker to see the 1020 and Ray ID. See also diagnosing intermittent downtime and set up monitoring.

Check your website right now

Check your site →
More articles: Monitoring
Monitoring
DMARC in 2026: Gmail/Yahoo Enforcement
15.06.2026 · 44 views
Monitoring
Incident Postmortem Guide
22.06.2026 · 65 views
Monitoring
Cron Job Monitoring: Dead Man's Switch
15.06.2026 · 37 views
Monitoring
Russia's Internet Blocklist in Numbers: 131,000 Blocked Domains Analyzed (2026)
26.06.2026 · 29 views

Start monitoring for free

Sign up and get access to API, monitoring and notifications

Create Account API Documentation