Introduction

A Cloudflare redirect loop happens when the edge and the origin keep sending visitors back and forth between HTTP and HTTPS, or between one hostname and another, without ever settling on a final page. The browser usually shows ERR_TOO_MANY_REDIRECTS, even though both Cloudflare and the origin may still be online.

Symptoms

  • Browsers show ERR_TOO_MANY_REDIRECTS when the site is proxied through Cloudflare
  • The site loads when Cloudflare is paused but fails when the proxy is enabled
  • The issue starts after enabling HTTPS redirects, Always Use HTTPS, or Flexible SSL
  • www and non-www versions keep bouncing between each other
  • Login pages or checkout flows get stuck in repeated redirects

Common Causes

  • Cloudflare SSL mode is set to Flexible while the origin already forces HTTPS
  • The origin redirects to a hostname or protocol that Cloudflare rewrites again
  • Multiple redirect layers exist in Cloudflare rules, the web server, and the app itself
  • www to apex or apex to www rules conflict across edge and origin
  • Cached redirect responses keep serving an older broken redirect path

Step-by-Step Fix

  1. Identify whether the loop is protocol-based, hostname-based, or application-based by tracing the redirect chain with browser tools or an HTTP header checker.
  2. In Cloudflare, review the current SSL mode and switch away from Flexible if the origin already supports HTTPS properly.
  3. Check whether Always Use HTTPS, Bulk Redirects, Redirect Rules, or Page Rules are duplicating logic that also exists on the origin.
  4. Review origin web server config, CMS URL settings, and app-level canonical redirect rules so there is only one authority for protocol and hostname enforcement.
  5. Make sure the site consistently prefers one canonical host, such as either example.com or www.example.com, instead of trying to enforce both in different layers.
  6. Clear Cloudflare cache and browser cookies if the loop touches login or session-sensitive routes.
  7. Test with Cloudflare temporarily paused only if needed to confirm whether the loop starts at the edge or at the origin.
  8. Re-enable proxying and retest the homepage, admin, and a few deep links after simplifying the redirect logic.
  9. Keep redirect ownership documented so future SSL or hostname changes do not recreate the same loop.