Troubleshooting Cloudflare 1020 Blocks with JMeter and Postman

Apr 2, 2024 ยท 3 min read

Cloudflare's 1020 error code indicates the request was blocked for potential malicious activity or violating bot protection rules. This can cause headaches when testing APIs with tools like JMeter or Postman. However, with a few tweaks you can get past the blocks and resume testing.

Why Cloudflare Blocks Automated Tools

Cloudflare aims to protect websites from attacks and abuse. Automated tools like JMeter and Postman can sometimes trigger the protections if sending too many requests too quickly or missing browser fingerprints. The 1020 block acts as a caution sign to slow things down.

Adjusting JMeter Settings

Here are some tips for configuring JMeter to avoid triggers:

  • Add HTTP Header Manager - Mimic a real browser by sending User-Agent, Accept-Language, and other headers.
  • Use HTTP Cookie Manager - Maintain and send back cookies like a normal browser.
  • Add HTTP Request Defaults - Set connect and response timeouts to mimic browsers.
  • Use CSV Data Set Config - Rotate through different IP addresses and user agents.
  • Insert Throughput Controllers - Limit overall requests per minute to stay under the radar. Start very low like 10/min and ramp up slowly.
  • Here is an example setup:

    HTTP Header Manager
    User-Agent: Mozilla/5.0 Firefox/87.0
    Accept-Language: en-US
    HTTP Cookie Manager
    HTTP Request Defaults
    Connect Timeout: 10000
    Response Timeout: 60000
    CSV Data Set Config
    ip_list.csv, user-agents.csv 
    Throughput Controller
    Max Requests Per Minute: 10

    Postman Settings to Avoid Blocks

    For Postman, enabling the Interceptor can help mimic a real browser:

  • Check "EnableInterceptor" on Settings
  • Select an appropriate Throttling Value
  • Add a Postman Proxy or Rotating Proxy to cycle different IP addresses
  • Also add Variabilities like different User-Agents and Languages. Start with a small runs first before larger load tests.

    Confirm It's a Cloudflare 1020 Block

    Before tweaking settings, confirm the issue is actually a 1020 block using a browser or cURL. For example:

    $ curl -I
    HTTP/2 1020 
    cache-control: no-cache
    content-type: text/html

    The 1020 status code indicates Cloudflare is blocking the request.

    Getting Unblocked After Tweaks

    After adjusting JMeter and Postman settings to mimic a browser, try your tests again starting slowly. The blocks should reduce or go away completely.

    If still blocked, you can contact the target website to whitelist the IP addresses used for testing.

    Caveats to Know

    A few things to keep in mind when troubleshooting 1020 errors:

  • Block durations start small but increase quickly if not throttled.
  • Blocking can be inconsistent even with the same requests.
  • Whitelists may expire without warning.
  • Heavy loads can still trigger blocks even if whitelisted.
  • So always check if you are blocked after making any major changes to tests.

    Key Takeaways

  • Cloudflare 1020 blocks automated testing tools to prevent abuse.
  • Mimic real browsers in JMeter and Postman.
  • Confirm blocks with curl before tweaking settings.
  • Ramp up load slowly.
  • Whitelist IPs if needed but understand limitations.
  • With the right tweaks you can minimize blocks and resume API testing through Cloudflare protections. Just take care to throttle traffic and not trigger the abuse alarms!

    Browse by language:

    The easiest way to do Web Scraping

    Get HTML from any page with a simple API call. We handle proxy rotation, browser identities, automatic retries, CAPTCHAs, JavaScript rendering, etc automatically for you

    Try ProxiesAPI for free

    curl ""

    <!doctype html>
        <title>Example Domain</title>
        <meta charset="utf-8" />
        <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
        <meta name="viewport" content="width=device-width, initial-scale=1" />


    Don't leave just yet!

    Enter your email below to claim your free API key: