Introduction
Cloudflare Error 1020 means the request reached Cloudflare, but a security rule at the edge decided the visitor should be blocked. The site may still be online and healthy. The real fix is to identify which rule is firing and narrow it so legitimate traffic can pass without weakening protection across the whole zone.
Symptoms
- Visitors see "Error 1020 Access Denied" before the page loads
- Only some countries, networks, or devices are blocked
- Admins can load the site from one IP but not another
- The issue started after adding firewall rules, bot protection changes, or WAF tuning
- Cloudflare analytics show requests reaching the edge but not the origin
Common Causes
- A custom firewall rule blocks a path, country, ASN, IP range, or request pattern too broadly
- Rate limiting or bot protections classify real users as suspicious
- Managed WAF rules challenge or block traffic that your application legitimately generates
- IP access rules or geoblocking policies were tightened without exception handling
- A stale security rule still targets a problem that has already been fixed
Step-by-Step Fix
- Reproduce the block with the affected URL, timestamp, IP, country, and user agent so you can match the event in Cloudflare logs.
- Review Security Events in Cloudflare first to find the exact rule, action, and field values that triggered the block.
- Check custom firewall rules, rate limits, bot settings, and managed WAF actions to see which control actually owns the denial.
- Compare blocked requests with allowed ones so you can identify whether the trigger is geography, path, header pattern, IP reputation, or request volume.
- Narrow the offending rule instead of disabling security globally, for example by excluding a known path, trusted ASN, verified bot, or internal IP range.
- If bot or rate-limit protections are involved, tune thresholds and detection scope so normal login, checkout, API, or admin behavior no longer looks abusive.
- Retest from an affected network or with the same request pattern to confirm the block is removed only for legitimate traffic.
- Keep temporary exceptions as tight as possible and document why they exist so they do not become permanent blind spots.
- Monitor Security Events and origin logs afterward to confirm the original unwanted traffic is still controlled while real visitors can load the site.
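The comparison step above (blocked versus allowed requests) can be scripted once events are exported. The following is an added example, not Cloudflare tooling or code from this page: the field names, rule names, and sample events are constructed assumptions, so map your own export columns onto them.

```python
from collections import Counter, defaultdict

# Constructed sample events. Field names are assumptions for this example,
# not Cloudflare's export schema. ASNs are from the documentation range.
def _e(action, rule, country, asn, path):
    return {"action": action, "rule": rule, "country": country,
            "asn": asn, "path": path}

EVENTS = [
    _e("block", "custom-geo-1", "BR", 64503, "/login"),
    _e("block", "custom-geo-1", "BR", 64504, "/"),
    _e("block", "custom-geo-1", "BR", 64505, "/cart"),
    _e("block", "rate-limit-api", "US", 64501, "/api/export"),
    _e("block", "rate-limit-api", "DE", 64502, "/api/export"),
    _e("allow", None, "US", 64501, "/login"),
    _e("allow", None, "DE", 64502, "/"),
    _e("allow", None, "US", 64501, "/cart"),
]

DIMENSIONS = ("country", "asn", "path")

def candidate_triggers(events, dimensions=DIMENSIONS):
    """Per blocking rule, return (field, value) pairs present in every
    blocked request for that rule and absent from all allowed requests."""
    allowed = defaultdict(set)                       # field -> values seen in allowed traffic
    blocked = defaultdict(lambda: defaultdict(Counter))  # rule -> field -> value counts
    totals = Counter()                               # rule -> number of blocked requests
    for ev in events:
        if ev["action"] == "block":
            totals[ev["rule"]] += 1
            for dim in dimensions:
                blocked[ev["rule"]][dim][ev[dim]] += 1
        else:
            for dim in dimensions:
                allowed[dim].add(ev[dim])
    result = {}
    for rule, dims in blocked.items():
        result[rule] = [
            (dim, value)
            for dim in dimensions
            for value, count in dims[dim].items()
            if count == totals[rule] and value not in allowed[dim]
        ]
    return result

if __name__ == "__main__":
    for rule, hits in candidate_triggers(EVENTS).items():
        print(rule, "->", hits or "no single field explains the blocks")
```

A pair reported here is only a candidate: confirm it against the rule expression shown in Security Events before narrowing the rule.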