Fixing Cloudflare Error 1020 Access Denied in ASP.NET Core Apps

Apr 2, 2024 ยท 4 min read

Cloudflare provides a helpful layer of security and performance for websites and APIs hosted on ASP.NET Core. However, you may encounter the frustrating Error 1020 Access Denied at times.

This article covers common reasons for the error, troubleshooting steps, and configuration tips to resolve Error 1020 in ASP.NET Core apps protected by Cloudflare.

Why Does the Error 1020 Access Denied Happen?

Cloudflare generates the 1020 error for security reasons - to block traffic it judges as suspicious or malicious. Some common trigger reasons:

  • The visitor's IP address has a poor reputation or is outright banned for past malicious behavior.
  • An automated bot or script is sending excessive traffic violating Cloudflare policies.
  • The HTTP headers, user agent strings, or request patterns seem irregular.
  • The error is Cloudflare's way of protecting the origin server from potential attacks or abuse.

    However, legitimate users can also inadvertently trigger the block. The key is figuring out why and tweaking the Cloudflare or app config.

    Troubleshooting Steps

    Follow these steps to troubleshoot and fix Cloudflare's Error 1020 access denied:

    1. Check Cloudflare Dashboard

    First, log into the Cloudflare dashboard and browse to the domain causing issues. Inspect the analytics and security event logs for clues.

    See if any unusual traffic spikes, security threats, or banned IP addresses stand out around the times users reported Error 1020.

    2. Adjust Cloudflare Settings

    If suspicious requests are evident, tweak Cloudflare settings to filter better. For instance, enable the IP Access Rules or adjust the Rate Limiting policies.

    Conversely, relax restrictions if legitimate user traffic seems blocked. Find the optimal thresholds between security and access.

    3. Verify API Keys

    For APIs/apps making calls to a Cloudflare-protected domain, confirm the API keys/tokens are valid.

    Inadvertently using an expired or incorrect API key is a common cause of Error 1020 access denied.

    4. Check User Agent Strings

    Certain user agent strings from uncommon libraries/tools can trigger Cloudflare blocks.

    For API clients, try setting the user agent to a popular web browser's string as a test.

    For web visitors, if a niche browser or tool triggers it, not much you can do. Consider having Cloudflare support adjust the sensitivity thresholds.

    5. Try Alternate IP Addresses

    If the issue seems isolated to certain visitor IP addresses, try having affected users access via alternate internet connections and mobile networks.

    If those IPs work, it suggests Cloudflare banned their regular IP for past suspicious behavior. Not much can be done aside from requesting Cloudflare to whitelist the address if you're certain it's not a threat.

    6. Temporarily Bypass Cloudflare

    As a last resort, you can advise affected legitimate users to add the domain to their local hosts file, bypassing Cloudflare temporarily.

    Try mapping the Cloudflare domain name like to your origin server's actual IP address. This will directly connect users to the server, skipping Cloudflare checks.

    If that fixes Error 1020, it reinforces Cloudflare itself is the issue, not your app config.

    ASP.NET Core Config Tips

    Aside from Cloudflare settings, also check these ASP.NET app config areas:

  • CORS Policies: Overly restrictive CORS policies can block legitimate user traffic. Confirm they are set properly.
  • API Authorization: Like API keys, ensure token validation or other authorization criteria isn't blocking valid users.
  • Rate Limiting: If implementing custom rate limiting in app code itself, review the thresholds aren't overly aggressive.
  • IP Address Filtering: Like Cloudflare, app-level IP filters can also inadvertently block users.
  • Adjust policies to be more permissive initially and tighten gradually as needed.


    In review, Cloudflare's Error 1020 Access Denied commonly stems from overzealous security rule configurations.

    1. First inspect the Cloudflare dashboard for clues on what exactly is triggering the blocks.
    2. Then tweak Cloudflare policies to achieve the right balance between security and access.
    3. Also verify API keys are valid and try alternate user IP addresses.
    4. For ASP.NET apps, double check CORS, authorization, and IP filtering policies aren't overly restrictive.

    Isolating the root cause requires trial and error, but being methodical usually reveals what combination of Cloudflare and app policies need adjustment.

    Hopefully these troubleshooting tips help resolve frustrating 1020 access errors!

    Browse by language:

    The easiest way to do Web Scraping

    Get HTML from any page with a simple API call. We handle proxy rotation, browser identities, automatic retries, CAPTCHAs, JavaScript rendering, etc automatically for you

    Try ProxiesAPI for free

    curl ""

    <!doctype html>
        <title>Example Domain</title>
        <meta charset="utf-8" />
        <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
        <meta name="viewport" content="width=device-width, initial-scale=1" />


    Don't leave just yet!

    Enter your email below to claim your free API key: