Introduction

If Cloudflare can reach the origin but receives a 403 response, the problem is usually not DNS or basic connectivity. Something at the origin is actively refusing the request. That can come from firewall rules, host validation, WAF policies, security plugins, or origin authentication that was not designed for Cloudflare proxy traffic. The fix is to identify which control is denying the request and why.

Symptoms

  • Visitors see a proxied error even though the origin server is online
  • Direct requests to the origin IP or internal hostname behave differently
  • Only some paths or hostnames return 403 through Cloudflare
  • The issue started after enabling a firewall, WAF, or security plugin
  • Origin logs show denied requests from Cloudflare IP ranges or unexpected hostnames

Common Causes

  • The origin firewall blocks Cloudflare proxy IP ranges
  • Host header validation rejects the hostname Cloudflare sends upstream
  • ModSecurity, server WAF, or app security rules challenge normal requests
  • Origin access controls require authentication or an allowlist that Cloudflare does not satisfy
  • A plugin or application rule blocks Cloudflare requests that look automated or unusual

Step-by-Step Fix

  1. Confirm the response is truly generated by the origin and not by a Cloudflare edge security feature.
  2. Check origin access logs and security logs for the denied request, including path, host header, and the action that triggered the 403.
  3. Verify the origin firewall or host provider allows Cloudflare proxy IP ranges where appropriate.
  4. Review web server virtual host rules, host header checks, and backend routing so the expected hostname is accepted.
  5. Inspect WAF, bot protection, or security plugin rules that may block the specific path, method, or request pattern.
  6. If the origin is protected by an allowlist or access token, make sure requests from Cloudflare to the origin satisfy that requirement consistently.
  7. Adjust one blocking control at a time rather than disabling multiple security layers at once, then re-test the affected hostname and path through Cloudflare.
  8. Compare results for static assets, HTML pages, and admin paths if only part of the site was failing.
  9. Keep the final rule set explicit so Cloudflare proxy traffic is permitted without weakening unrelated origin protections.
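
The log review in steps 2 through 6 can be scripted. The following is an added example, not part of the original article: it groups 403 entries from an origin access log by whether the client address falls inside the proxy ranges and whether the Host header is one the origin expects. The log format, the hostnames, and the ranges (documentation addresses standing in for Cloudflare's published list) are assumptions, and the log is assumed to record the connecting peer address rather than a restored visitor IP.

```python
import ipaddress
import re
from collections import Counter

# Constructed stand-ins (documentation ranges). Replace with the proxy
# ranges Cloudflare currently publishes and with your own hostnames.
PROXY_RANGES = [ipaddress.ip_network(n)
                for n in ("198.51.100.0/24", "2001:db8:cf::/48")]
EXPECTED_HOSTS = {"www.example.com", "example.com"}

# Assumed log format: client_ip host "METHOD path PROTO" status
LINE = re.compile(
    r'^(?P<ip>\S+) (?P<host>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3})$')

# Constructed sample log lines, not taken from a real server.
SAMPLE_LOG = """\
198.51.100.7 www.example.com "GET / HTTP/1.1" 200
198.51.100.7 www.example.com "POST /wp-login.php HTTP/1.1" 403
198.51.100.9 origin.internal "GET /index.html HTTP/1.1" 403
203.0.113.50 www.example.com "GET /admin/ HTTP/1.1" 403
2001:db8:cf::1 www.example.com "POST /wp-login.php HTTP/1.1" 403
not a log line
"""

def from_proxy(ip):
    """True if ip parses and falls inside one of PROXY_RANGES."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr.version == n.version and addr in n for n in PROXY_RANGES)

def classify(entry):
    if not from_proxy(entry["ip"]):
        return "non-proxy-source"      # direct hit on the origin, not proxied traffic
    if entry["host"].lower() not in EXPECTED_HOSTS:
        return "unexpected-host"       # step 4: vhost or Host header validation
    return "denied-expected-host"      # steps 3, 5, 6: IP rule, WAF, plugin, or auth

def triage(log_text):
    """Count 403 entries per (bucket, host, method, path); skip unparsable lines."""
    buckets = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m and m["status"] == "403":
            buckets[(classify(m), m["host"], m["method"], m["path"])] += 1
    return buckets

if __name__ == "__main__":
    for key, count in triage(SAMPLE_LOG).most_common():
        print(count, *key)
```

A bucket only narrows where to look: the matching security or WAF log entry still has to confirm which rule produced the 403.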