This is a searchable reference for Cloudflare error codes — the HTTP 5xx codes Cloudflare itself emits (520–527), the 1000-series application errors, and the challenge/access codes. Each entry tells you whether the failure is happening at Cloudflare’s edge or at your origin server, what it means, and the most likely fix, so you can stop guessing which side to debug.
How it works
When a request fails, Cloudflare distinguishes its own errors from your origin’s by using a dedicated code range. A standard 502 Bad Gateway from your origin is passed through, but a 502 with a Cloudflare error page and a 5xx/10xx code is generated by Cloudflare. The 52x family describes the connection between Cloudflare and your origin:
520 Unknown error from origin (empty/malformed response)
521 Origin refused the TCP connection (web server down)
522 TCP connection to origin timed out
523 Origin is unreachable (bad route / DNS at edge)
524 Origin connected but did not return an HTTP response in time
525 TLS handshake to origin failed (Full/Full strict SSL)
526 Origin presented an invalid SSL certificate (Full strict)
The 10xx series are application-layer errors raised at the edge before the origin is ever contacted — 1020 (firewall rule), 1015 (rate limited), and the 1xxx Workers errors. Because these never reach your origin, fixing them means editing Cloudflare’s rules, not your server.
Tips and example
The fastest way to triage is to read the source column. If a code is marked Origin, look at your server, firewall, and certificates; Cloudflare is working. If it is marked Edge, the request never reached you: investigate Cloudflare’s SSL mode, firewall rules, or Worker code.
522 → check origin firewall allows Cloudflare IP ranges, raise timeouts
521 → confirm the web server process is running and the port is open
525 → install a valid origin cert, open 443, enable SNI
1020 → find and adjust the matching Cloudflare firewall/WAF rule
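For the 522 tip above, one way to confirm that an origin firewall allowlist covers every edge range. This is an added example, not part of the tool this page describes. The function name `uncovered_ranges` and both sample lists are hypothetical, and the ranges are documentation prefixes standing in for Cloudflare's published IP list, which you would load in their place.

```python
import ipaddress

# Constructed sample data: documentation prefixes, not real Cloudflare ranges.
SAMPLE_EDGE_RANGES = ["192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32"]
SAMPLE_ALLOWLIST = ["192.0.2.0/25", "198.51.100.0/24", "203.0.113.7"]


def _nets(items, version):
    """Parse entries and merge those of one IP version into minimal CIDRs."""
    nets = [ipaddress.ip_network(i, strict=False) for i in items]
    return list(ipaddress.collapse_addresses(n for n in nets if n.version == version))


def uncovered_ranges(edge_ranges, allowlist):
    """Return the parts of edge_ranges that no allowlist entry permits.

    A non-empty result means some edge servers would be dropped by the
    origin firewall, which shows up to visitors as intermittent 522s.
    """
    gaps = []
    for version in (4, 6):
        allowed = _nets(allowlist, version)
        pending = _nets(edge_ranges, version)
        for rule in allowed:
            remaining = []
            for net in pending:
                if net.subnet_of(rule):
                    continue  # fully covered by this rule
                if rule.subnet_of(net):
                    # Rule covers only a slice: keep what is left over.
                    remaining.extend(net.address_exclude(rule))
                else:
                    remaining.append(net)  # CIDRs nest or are disjoint
            pending = remaining
        gaps.extend(str(n) for n in ipaddress.collapse_addresses(pending))
    return gaps


if __name__ == "__main__":
    for gap in uncovered_ranges(SAMPLE_EDGE_RANGES, SAMPLE_ALLOWLIST):
        print("not allowed at origin:", gap)
```

A partially covered range is the case worth catching: the allowlist looks right at a glance, yet only the requests routed through the uncovered half time out.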
A persistent 524 almost always means a slow backend: Cloudflare’s default origin timeout is 100 seconds, so a long-running request that exceeds it returns 524 even though both servers are healthy.
Everything runs in your browser; nothing is uploaded.