4xx Client Error
4xx codes are error responses that indicate an issue on the client's end, potentially due to a network problem.
4xxcodes can be used as a response to any request method.- The origin server should include an explanation, which should be displayed by the User-Agent, except in the case of a
HEADrequest. - Custom rules can return any response code in the range of
400–499on your HTML page if the site owner has created a rule with the Block action and configured a custom response code. For more details, refer to custom response.
This error indicates that the client sent a request to the server that could not be understood or processed due to issues with the request itself.
For more information, refer to RFC7231 ↗.
A 400 Bad Request error occurs due to client-side issues, such as malformed request syntax, invalid request content, message framing problems, or deceptive request routing. For example, if the request contains a special character that is not properly URL Encoded (or percent-encoded) ↗, an HTTP Error 400 will be returned.
If you encounter an HTTP error while using the Cloudflare API, make sure that you are using the correct syntax, parameters, and body for your API call.
This error indicates that the request was not sent with the proper authentication credentials. The server requires authentication to process the request.
For more details, refer to RFC 7235 ↗.
A 401 Unauthorized error occurs when the client fails to provide valid authentication credentials. The server responds with at least one challenge in the form of a WWW-Authenticate header field, as outlined in section 4.1 ↗.
If the client resends the request with the same credentials and the challenge remains unchanged, the server may return an entity to assist the client in identifying the correct credentials needed.
When encountering a 401 error while using the Cloudflare API, ensure that you are providing the correct authentication credentials (for example, API tokens or keys). Double-check that the credentials are active and properly formatted. If the error persists, refer to the WWW-Authenticate header in the response for guidance on resolving the issue.
The 402 Payment Required status code is reserved for future use and is not yet implemented according to the standards outlined in RFC7231 ↗.
The 403 Forbidden status code indicates that the clien's request was understood by the server but cannot be fulfilled due to insufficient permissions to access the requested resource.
For more details, refer to RFC7231 ↗.
If you encounter a 403 error without the Cloudflare branding, this means that the error is being returned directly by the origin web server, not Cloudflare. This is typically related to permission rules set on your server. Common reasons for this error are:
- Permission rules configured on the origin web server (for example, in an Apache
.htaccessfile). - Mod_security rules.
- IP deny rules, such as blocking traffic from certain IP ranges. Make sure that Cloudflare's IP ranges ↗ are not being blocked.
Cloudflare may serve 403 responses in the following scenarios:
-
WAF rules: The request violated a default WAF managed rule (enabled for all orange-clouded Cloudflare domains) or a custom WAF managed rule specific to your zone. For more information, refer to WAF Managed Rules.
-
Security features: A
403response with Cloudflare branding in the response body may be triggered by:- WAF Custom or Managed Rules with the challenge or block action
- Security Level settings, which default to Medium.
- DDoS Protection, which is enabled by default on zones onboarded to Cloudflare, IP applications onboarded to Spectrum, and IP Prefixes onboarded to Magic Transit.
- Most 1xxx Cloudflare error codes.
- The Browser Integrity Check.
- Validation Checks.
Cloudflare may also serve an unstyled 403 error page in specific cases. These errors are not logged because they occur early in Cloudflare's infrastructure, before domain configuration is loaded. An example is:
- SNI ↗: A
403error is returned when the client sends a host that does not match the SNI (Server Name Indication).
The 404 Not Found status code indicates that the origin server was unable to locate the requested resource. Typically, this means the host server could not find the resource. For a more permanent version of this error, the 410 Gone status code should be used.
For more details, refer to RFC7231 ↗.
These errors typically occur when someone mistypes a URL on your site, when there is a broken link from another page, when a page that previously existed is moved or removed, or there is an error when a search engine indexes your site.
These errors typically account for approximately 3% of total page views for a typical site. However, they often go untracked by traditional analytics platforms, such as Google Analytics. To improve user experience, website owners usually implement a custom 404 page to be displayed when this error is generated.
Cloudflare does not generate 404s for customer websites, we only proxy the request from the origin server. If you encounter a 404 error on a Cloudflare-powered site, the issue lies with the origin server. In such cases, contact your hosting provider for assistance.
The 405 Method Not Allowed status code indicates that the origin server recognizes the requested resource but does not support the HTTP method used in the request.
For more details, refer to RFC7231 ↗.
This error typically occurs when the client uses an unsupported HTTP method to interact with a specific resource. The origin server must include an Allow header in the response, which lists the HTTP methods supported for that resource.
For example, attempting a POST request on a resource that is unchangeable and only supports GET requests will result in a 405 error.
Cloudflare does not directly generate 405 errors. These errors are returned by the origin server when it does not allow the HTTP method used in the request. If you encounter a 405 error, review the configuration of your origin server to ensure the correct methods are enabled for the resource in question.
The 406 Not Acceptable status code indicates that the requested resource is not available in a format that adheres to the content negotiation headers specified by the client (for example, Accept-Charset or Accept-Language).
For more details, refer to RFC7231 ↗1.
For example, if a client requests content in a specific language or character set that the server does not support, this error will be generated. To avoid returning a 406 error, the server can instead serve the less preferred method to the client's User-Agent, rather than rejecting the request.
Cloudflare does not generate 406 errors directly but can proxy these responses from the origin server. If content negotiation issues occur, they are typically related to configurations at the origin server, such as language or character set settings.
The 407 Proxy Authentication Required status code indicates that the client did not provide the necessary authentication credentials to access the requested resource through a proxy server.
For more details, refer to RFC 7235 ↗.
This error typically occurs in environments where a proxy server is used as an intermediary between the client and the target server. To resolve this, the client must include the appropriate Proxy-Authorization header in the request with valid credentials.
Cloudflare does not generate 407 errors but proxies them from the origin server or an upstream proxy. If a 407 error occurs on a Cloudflare-powered site, review the origin server's proxy configuration to ensure authentication requirements are properly set, and verify that the client is providing the required credentials.
The 408 Request Timeout status code indicates that the origin server did not receive the complete request within a reasonable time frame and does not wish to continue waiting for the connection. This response is not commonly used, as servers often prefer to use the "close" connection option to terminate idle connections
For more details, refer to RFC7231 ↗.
This error typically occurs when a client fails to send a complete request within the server's timeout period. Common scenarios include slow network connections, server overload or client-side delays to complete the request.
Cloudflare does not generate 408 errors but may proxy them from the origin server. If a 408 error occurs on a Cloudflare-powered site, it is essential to review the origin server's timeout settings and ensure that the server is not overloaded. Additionally, verify that the client's Internet connection is stable and that the request is being sent promptly.
The 409 Conflict status code indicates that the request could not be completed due to a conflict with the current state of the target resource.
For more details, refer to RFC7231 ↗.
This error typically happens with a PUT request when multiple clients are attempting to edit the same resource. To solve this issue:
- The server should generate a payload that includes enough information for the client to recognize the source of the conflict.
- Clients should retry the request again after resolving the conflict.
Cloudflare will return a 409 response for a Error 1001: DNS Resolution Error.
When a resource is intentionally and permanently removed, servers use the 410 Gone status code to inform clients that the resource is no longer available.
In this case:
- The server suggests that links referencing the resource should be removed.
- The server is not obligated to use this status code instead of a
404response, nor is it required to maintain this response for any specific period of time.
For more details, refer to RFC7231 ↗.
This status is commonly applied to deprecated content, such as outdated pages or discontinued products.
Cloudflare does not generate 410 for customer websites, we only proxy the request from the origin server. If you encounter a 410 error on a Cloudflare-powered site, the issue lies with the origin server. In such cases, contact your hosting provider for assistance.
The 411 Length Required status code indicates that the client did not specify the Content-Length of the request body in the headers, and this information is required to obtain the resource. The client may resend the request after adding the required header field.
For more details, refer to RFC7231 ↗.
This status code can occur in various scenarios, such as when a client sends an API request without the required Content-Length header, when uploading a file where the server needs the header to allocate resources, or when proxies or legacy systems enforce strict HTTP compliance. In each case, the server or intermediary requires the Content-Length header to process the request properly.
Cloudflare does not generate 411 for customer websites, we only proxy the request from the origin server. If you encounter a 411 error on a Cloudflare-powered site, the issue lies with the origin server. In such cases, contact your hosting provider for assistance.
The 412 Precondition Failed status code indicates that the server denies the request because the resource does not meet the conditions specified by the client.
For more details, refer to RFC 7232 ↗.
One common use case for the 412 Precondition Failed status code is version control. For example, a client modifying an existing resource may set the If-Unmodified-Since header to ensure the resource has not been changed since the client downloaded it for editing. If another client edits the resource after the specified date but before the original client uploads their changes, the server will return a 412 response to prevent overwriting the newer updates.
Cloudflare may serve this response: for more information please refer to ETag Headers.
The 413 Payload Too Large status code indicates that the server refuses to process the request because the payload sent by the client exceeds the server's acceptable size limit. The server may optionally close the connection. If this refusal would only happen temporarily, then the server should send a Retry-After header to specify when the client should try the request again.
For more details, refer to RFC7231 ↗.
The 413 Payload Too Large status code often occurs when clients attempt to upload large files, such as videos or images, or send oversized request bodies, like JSON or XML payloads, that exceed the server's size limits. This can also happen during file transfers or API requests involving large datasets, prompting the server to reject the request.
The upload limit for the Cloudflare API depends on your plan. If you exceed this limit, your API call will receive a 413 Request Entity Too Large error.
| Free | Pro | Business | Enterprise | |
|---|---|---|---|---|
Availability | Yes | Yes | Yes | Yes |
Max upload size | 100 MB | 100 MB | 200 MB | 500+ MB |
If you require a larger upload, break up requests into smaller chunks, change your DNS record to DNS-only, or upgrade your plan.
The 414 URI Too Long status code indicates that the server refuses to process the request because the URI provided by the client is excessively long.
For more details, refer to RFC7231 ↗.
For example, if a client is attempting a GET request with an unusually long URI, such as one containing an excessive number of query parameters, after a POST, this could be seen as a security risk and a 414 is generated.
Cloudflare will generate a 414 response if the URI length exceeds 32KB.
The 415 Unsupported Media Type status code indicates that the server refuses to process the request because the format of the payload is not supported. One way to identify and fix this issue would be to look at the Content-Type or Content-Encoding headers sent in the client's request.
For more details, refer to RFC7231 ↗.
This may be triggered by submitting a file type or format that the server is not configured to handle, such as uploading an unsupported image or document format, may also trigger this error.
Cloudflare typically passes this response from the origin server if it encounters an unsupported media type in the client's request payload.
The 416 Range Not Satisfiable status code indicates that the server cannot fulfill the requested range specified in the Range header of the client's request.
For more details, refer to RFC7233 ↗.
This error can happen when a client requests a byte range outside the bounds of the resource, such as a range exceeding the file's total size. It can also happen if the server does not support partial content delivery or if there is a conflict between the requested range and the server's understanding of the resource, often caused by an outdated or invalid cache.
Cloudflare typically serves this response when the origin server rejects a Range header request for a resource. This often occurs if the requested range exceeds the size of the file, as indicated in the Content-Range header.
The 417 Expectation Failed status code indicates that the server could not meet the requirements specified in the Expect header of the client's request.
For more details, refer to RRFC7231 ↗.
Some clients use the Expect header, such as Expect: 100-continue, to verify if the server is ready to receive a large payload, and if the server cannot fulfill this expectation, it returns a 417 response. Similarly, a server may reject a request with this error if the client includes an Expect header with unsupported or invalid values.
Cloudflare typically forwards this response from the origin server if it encounters an issue related to unsupported or unfulfilled Expect headers in the client's request.
The 429 Too Many Requests status code indicates that the client has sent too many requests in a specified amount of time, as determined by the server's rate-limiting rules. The server may include a Retry-After header in the response to specify when the client can try again.
For more details, refer to RFC6585 ↗.
Servers use this status code to prevent excessive API requests from overloading the system. For example, a client making repeated API calls within a short time frame may trigger a 429 response. Websites or services may impose rate limits to manage traffic spikes or prevent abuse, temporarily blocking excessive requests from users.
- Cloudflare API limits
The global rate limit for the Cloudflare API is 1200 requests per five minute period per user, and applies cumulatively regardless of whether the request is made via the dashboard, API key, or API token.
If you exceed this limit, all API calls for the next five minutes will be blocked, receiving a HTTP 429 - Too Many Requests response.
Some specific API calls have their own limits and are documented separately, such as the following:
Enterprise customers can also contact Cloudflare Support to raise the limit to a higher value.
- Website end users
Cloudflare will generate a 429 response when a request is being rate limited ↗. If visitors to your site encounter this error, it will be visible in the Rate Limiting Analytics dashboard.
The 451 status code indicates that the server cannot deliver the requested resource due to legal actions or restrictions.
For more details, refer to RFC7725 ↗.
This occurs when access to a resource is blocked due to court orders, copyright claims, or other legal demands. Typically search engines (for example, Google) and ISP (for example, ATT) are the ones affected by this response code, rather than the origin server itself. The server should include an explanation in the response body, detailing the legal demand or reason for the restriction.
Cloudflare may pass through a 451 response from the origin server if the requested resource is legally restricted.
The HTTP 499 error typically occurs when a client terminates the connection before the server is able to respond.
Examples of 499 errors include situations where a client times out and closes the connection before the server completes processing, such as during large file uploads or long-running requests. They can also occur due to issues in the TCP three-way handshake, where the client terminates the connection prematurely because of its timeout settings.
The 499 Client Closed Request status code is specific to nginx and indicates that the client closed the connection while the server was still processing the request, preventing the server from sending a status code in response. This status code appears in Cloudflare Logs and status code analytics for Enterprise customers.
To provide more context, a TCP connection must be established between Cloudflare and the website's origin server before any higher protocol (such as HTTP) begins communication. TCP uses a three-way handshake to establish connection:
- SYN: Cloudflare sends a SYN packet to the origin server.
- SYN+ACK: The origin server responds with a SYN+ACK packet.
- ACK: Cloudflare sends an ACK packet back to the origin server.
At this point, the connection is established, and both Cloudflare and the origin server can communicate. However, if the origin server does not send a SYN+ACK back to Cloudflare within 15 seconds, Cloudflare retries once more, with another 15-second timeout.
Depending on the client-side timeout settings, the following scenarios can occur:
- Shorter client timeout (less than 30 seconds): If the client has a shorter timeout, it will abandon the connection before Cloudflare completes processing, and a
499error will be logged. - Successful connection (more than 30 seconds): If the client has a longer timeout and the TCP connection is successfully established, the HTTP transaction proceeds normally, and Cloudflare returns a standard status code (
HTTP 200). - Handshake failure: If the client has a longer timeout but Cloudflare cannot establish the TCP handshake with the origin server, Cloudflare will return an
HTTP 522status code.