An error code 1020 means Cloudflare's Security Firewall blocked your request because something about it violated firewall rules set by the website's owner.
The right solution depends on whether you’re just trying to load a webpage or running a web scraping script.
This guide covers both scenarios.
What is error code 1020?
Every website that’s protected by Cloudflare sits behind a security layer called a Web Application Firewall (WAF).
The site owner configures rules in this firewall that decide who gets in and who gets blocked. Error code 1020 is the response Cloudflare sends when your request fails one of those rules.
The reason could be a suspicious IP address, a browser fingerprint that doesn't match a real browser, HTTP headers that look automated, missing cookie data, or simply being in a country or region the site owner has chosen to block.
What makes this error different from a typical server error is that nothing is broken. The site is online, the server is responding, and Cloudflare itself is working exactly as intended.
The firewall simply evaluated your request and rejected it, based on the site owner’s rules.
What causes error code 1020?
Some articles call 1020 a ‘ChatGPT error,’ but that’s just because ChatGPT is one of the sites that uses Cloudflare. Error 1020 is a firewall block that can happen on any website protected by Cloudflare, not something unique to ChatGPT. Here are the actual causes:
- Poor IP reputation: VPNs and datacenter IPs are shared by thousands of users, including bots and scrapers. Cloudflare assigns many of these IPs low trust scores, which can trigger an instant block even on a first visit.
- Bot traffic behavior: Scripts, headless browsers, and crawlers that send requests without proper browser headers or TLS fingerprints are identified and blocked.
- Browser extensions altering request headers: Extensions that modify User-Agent strings, block scripts, or spoof headers can distort a browser's digital fingerprint enough to resemble bot traffic.
- Disabled cookies: Cloudflare uses clearance cookies to verify that a visitor has passed a security challenge. If your cookies are disabled, the WAF can’t confirm that you’re a legitimate visitor.
- Shared IP addresses: If another user on the same IP has triggered a block through abusive behavior, the entire IP can be flagged, affecting everyone sharing it.
- Geographic restrictions: Site owners can configure Cloudflare to block traffic from specific countries or regions entirely.
- Web scraping: Scraping tools that send high volumes of requests without rotating IPs, mimicking real browser behavior, or managing clearance cookies are a primary target for WAF rules.
How to fix error code 1020 (for everyday users)
1. Turn off VPN services
VPNs route your traffic through shared datacenter IP addresses, and because thousands of users (and bots) use those same IPs, they often carry poor trust scores on Cloudflare's network. A single bad actor on a shared VPN server can get the entire IP flagged, which means you inherit their reputation. Disabling the VPN reveals your actual residential IP, which usually has a cleaner reputation.
2. Restart your network router
If you’re not using a VPN and still getting blocked, your own IP address may be the issue. Restarting the router will prompt your Internet Service Provider (ISP) to assign you a new IP with a clean reputation. This doesn’t always work because some ISPs use semi-static assignments that persist across reboots.
3. Make sure browser cookies are enabled
Cloudflare uses specific cookies to manage access. When you pass a security challenge, Cloudflare stores a cookie in your browser as proof that you’ve been verified. If your browser has cookies disabled or a privacy extension is blocking them, Cloudflare can’t verify your session, and the WAF is more likely to deny you access. Check your browser's privacy settings and make sure cookies are allowed for the site you’re trying to visit.
4. Deactivate browser extensions or switch browsers
Some browser extensions interfere with how your browser presents itself to websites, causing it to resemble illegal bots to Cloudflare. Try disabling all extensions and reloading the page. If the error disappears, turn extensions back on one at a time to find which one caused the block. Alternatively, open the same URL in a clean browser with no extensions installed, like a fresh Edge or Safari profile. If it loads, the problem is with your main browser's configuration.
5. Contact the site administrator with your Ray ID
If none of the above works, the block is likely caused by a specific firewall rule that only the site owner can change. Every 1020 error page includes a unique Ray ID at the bottom. This ID is a reference to the exact request that was blocked. Send it to the site administrator and ask them to look it up in their Cloudflare security log. From there, they can see exactly which rule flagged your request and decide whether to permit your IP or adjust the rule.
How to bypass Cloudflare error 1020 when web scraping
If you’re getting a 1020 while running scraping pipelines, the everyday user fixes above won’t help because Cloudflare is blocking your scraper's identity itself. Instead, follow the techniques below to resolve the block (NB: These methods aren't standalone fixes; the most effective bypass techniques are a combination of foundational and advanced strategies):
1. Match your TLS fingerprint to a real browser
Before Cloudflare even looks at your HTTP headers, it analyzes the TLS handshake your client initiates. Using JA3/JA4 fingerprinting, it profiles your client based on cipher suites, extensions, and elliptic curves.
If that fingerprint doesn't match a real browser, the request gets blocked.
Standard libraries like Python's requests, Go's net/http, and Node's axios all produce TLS fingerprints that are easy to differentiate from real browsers.
Instead, use client libraries like curl_cffi (Python), got-scraping (Node.js), or utls (Go) that’ll help you better match browser-like handshake behavior.
Here's how a request looks using Python's curl_cffi with a Chrome TLS fingerprint:
from curl_cffi import requests
response = requests.get(
"<https://example.com>",
impersonate="chrome",
)
print(response.status_code)
And the equivalent using got-scraping in Node.js:
import { gotScraping } from 'got-scraping';
const response = await gotScraping({
url: '<https://example.com>',
headerGeneratorOptions: {
browsers: ['chrome'],
operatingSystems: ['windows'],
},
});
console.log(response.statusCode);
2. Replicate the full HTTP/2 header structure of a real browser
Cloudflare also inspects HTTP/2 header frames, including pseudo headers like:method, :authority, :scheme, :path) and their ordering. If the structure matches a known HTTP library but the User Agent says Chrome, this mismatch can trigger a block.
Your headers must also be internally consistent. Chromium browsers send Sec-Ch-Ua, Sec-Ch-Ua-Mobile, and Sec-Ch-Ua-Platform. Firefox doesn't. Mixing Chromium Client Hints with a Firefox User Agent, or omitting headers the claimed browser would normally send, signals “automation”.
The safest approach is navigating to the Network tab in DevTools, copying the exact headers from a real browser request, and replicating them in your scraper exactly, including the order.
3. Route traffic through residential proxies
Cloudflare assigns trust scores to IP addresses based on their origin. Traditional datacenter IPs from AWS or DigitalOcean get flagged instantly because real users don’t browse from server farms. Rotating datacenter IPs will only trigger more 1020 blocks.
Residential proxies, however, route traffic through real IP addresses that belong to actual households. These generally carry higher trust scores on Cloudflare’s network.
But Cloudflare keeps improving its detection defenses, targeting residential proxy networks by combining network-wide traffic data with client-side fingerprints collected from solved challenges across its network.
This means the quality of your proxies matters more than ever. Cheap, widely shared residential proxies are more likely to be detected, so invest in reputable proxy providers with large, diverse pools and low per IP usage density.
If you must use datacenter IPs, look for "ISP Proxies" (also called Static Residential). They are hosted in datacenters but use residential ASN tags to trick reputation systems
4. Use stealth-modified browser automation
Browser automation is a valid bypass approach, but using Selenium, Playwright, or Puppeteer out of the box is one of the fastest ways to get detected. They leave signatures that Cloudflare can easily spot.
To use browser automation effectively, you need stealth tools like undetected chromedriver, Nodriver, or Camoufox to suppress WebDriver flags and mask your automation signatures.
Running in headed mode (with a visible browser window) also helps, because headless environments produce fingerprint differences that detection systems can identify.
5. Handle Cloudflare Turnstile challenges
Cloudflare replaced CAPTCHA challenges with Turnstile, a non-interactive challenge system that runs JavaScript in the background, analyzing browser environment, proof of work results, and interaction patterns.
Because Turnstile operates through JavaScript rather than visual puzzles, traditional CAPTCHA solving services won’t apply here.
To handle Turnstile, you can use a real browser environment to execute the challenge natively, or a third-party API like CapSolver to generate a token, provided your scraper also maintains a legitimate, consistent fingerprint to submit that token.
6. Maintain cookies and session state
Cloudflare uses cf_clearance to record that a visitor passed a challenge and __cf_bm as part of its bot management system. If your scraper discards cookies between requests, every single request is evaluated as a brand new visitor, forcing Cloudflare to verify you from scratch each time. This increases the chance of triggering a 1020.
Maintain a persistent cookie jar across all requests within a session. With rotating proxies, you need to bind each proxy IP to its own cookie jar so the cookies stay consistent with the IP address Cloudflare sees.
7. Validate your data against AI Labyrinth honeypots
Bypassing a 1020 block doesn’t guarantee you’re extracting real data. Cloudflare’s recent AI Labyrinth feature embeds hidden links on pages leading to AI-generated decoy content.
These links are invisible to human visitors but are designed to lure automated crawlers deeper into a maze of irrelevant pages, wasting your scraper's time and resources on useless data.
To detect if your scraper has been redirected into an AI labyrinth, monitor for content that is topically unrelated to the site you are targeting, URL paths that were not present in the site's original navigation, and sudden increases in extraction volume without a corresponding increase in meaningful data.
Next, build circuit breakers directly into your pipeline that enforce session depth limits, use strict regex lists to filter unexpected URL structure, and a small AI model to check if the text you’re scraping actually matches your target topic.
8. Use a managed scraping platform
Handling TLS fingerprints, HTTP/2 headers, residential proxies, cookie persistence, Turnstile solving, and behavioral pacing simultaneously is a burden. Failing on even one layer can trigger a block from Cloudflare. Apify's residential proxies provide high-trust-score IPs, while its open-source library, Crawlee, automates session management, proxy rotation, and browser fingerprinting.
To bypass modern Cloudflare protections, Apify natively supports Camoufox through official templates, allowing Crawlee’s built-in handleCloudflareChallenge() helper to automatically solve Cloudflare's toughest security checks for you.
Apify Store also features pre-built Actors like Cloudflare Web Scraper that already handle Cloudflare-protected sites without requiring custom bypass code.
When evaluating any scraping platform, the minimum you should look for in 2026 is native TLS fingerprint management and Turnstile challenge support. Proxy rotation and header spoofing alone are no longer enough.
Conclusion
Error code 1020 is ultimately Cloudflare telling you that something about your request doesn't look human. But, in 2026, what counts as "looking human" has gotten significantly harder.
The most reliable fix is either building a bypass pipeline that handles every detection layer simultaneously, or using services like Apify that already do; Apify Proxy routes your traffic through residential IPs with high trust scores on Cloudflare's network, while Crawlee handles browser fingerprint management, session persistence, and automatic Cloudflare challenge solving.
Explore both now to see how they fit into your workflow.
