Cloudflare Error 520: Causes and How to Fix It

What you need to know about Cloudflare Error 520:

• Error 520 means Cloudflare reached your origin server but got back an empty or unrecognizable response
• It's Cloudflare-specific, not a standard HTTP status code
• Most common causes: server crashes, Cloudflare IPs being blocked by your firewall, TCP timeout mismatches, and oversized response headers
• Fix it by checking DNS records, inspecting headers with a HAR file, reviewing PHP error logs, or temporarily pausing Cloudflare
• Prevent recurrence by whitelisting Cloudflare IP ranges, raising TCP timeout above 300 seconds, and monitoring server resources
• The Ray ID on the error page is your best tool when contacting Cloudflare support
• It's not permanent - once the root cause is fixed, the error goes away

Your site is down. Visitors are staring at a blank white page with "Error 520" on it, and Cloudflare isn't telling you much beyond "the origin web server returned an unknown error." That's frustrating - and pretty vague.

The good news: Cloudflare error 520 is almost always fixable without calling your host. Here's what's actually happening and how to get back online.

What Is Cloudflare Error 520?

Error 520 means Cloudflare successfully reached your origin server but got back a response it couldn't understand. The 520 error isn't a standard HTTP status code - it's Cloudflare-specific, signalling something went wrong on your server's end after the connection was already established.

What is error 520 in plain terms? Cloudflare knocked on the door, your server opened it, then sent back something incomprehensible - or nothing at all. The Cloudflare error 520 page your visitors see includes a Cloudflare Ray ID at the bottom, which is a unique identifier for that request. Hold onto it; you'll need it if the fixes below don't work.

How Error 520 Differs from Other 5xx Errors

The Cloudflare errors list draws a clear line between standard HTTP errors and Cloudflare's own codes. Standard Cloudflare 5xx errors like 500 and 503 come from your server and have defined meanings. Cloudflare error codes above 511 are different. They describe the communication between Cloudflare and your origin, not just your server's internal state.

A 520 specifically means the server responded with something unexpected, such as an empty body or a reset connection, whereas other Cloudflare error codes point to timeouts or connection failures at different stages.

Common Causes of Cloudflare Error 520

Most 520 error Cloudflare cases trace back to one of four things. Cloudflare error 520 is almost never random - there's a reproducible root cause every time.

Origin Server Crashes and Resource Overload

When the origin server Cloudflare connects to runs out of memory or CPU, it can return a garbled or empty response before the process dies entirely. High server resource usage, like a traffic spike or a runaway PHP process, is probably the single most common cause.

Check the Cloudflare status first to rule out a Cloudflare-side incident. Then look at your server's resource consumption in real time. If CPU is pinned at 100% or memory is nearly exhausted, that's your answer.

Cloudflare IP Addresses Being Blocked

This one trips up a lot of admins. Your firewall might be blocking Cloudflare IP addresses without you realizing it - a security plugin, or a fail2ban rule that got applied during a previous incident. When Cloudflare's own requests get blocked, your server refuses to respond properly, and the Cloudflare firewall setting effectively breaks the proxy.

You need to whitelist Cloudflare IP ranges explicitly. Cloudflare publishes the current list at cloudflare.com/ips.

Short TCP Idle Timeout Values

A Cloudflare TCP timeout mismatch is the sneakiest cause on this list. If your server closes idle TCP connections faster than Cloudflare expects, Cloudflare can send a request on a connection that's already been dropped. The Cloudflare timeout threshold is 300 seconds - if your server's keepalive timeout sits below that, you'll get intermittent Cloudflare error 520 events that seem to appear and disappear randomly.

Because it doesn't affect every request, this cause is genuinely hard to diagnose without looking specifically for it.

Oversized Response Headers and Cookies

Cloudflare enforces limits on http response headers - roughly 8KB per individual header and 32KB total. If your application sends back large cookies or a pile of custom headers, you can breach the Cloudflare header size limit without realizing it.

To check this, open Chrome DevTools, reproduce the error, and export a har file chrome generates from the Network tab. Look at the response headers on the failing request and add up the total size.

How to Fix Cloudflare Error 520

This Cloudflare 520 error fix list covers everything from quick DNS checks to direct debugging - work through them until something clicks. Fix error 520 for good by addressing the root cause, not just the symptom. Cloudflare error 520 will keep coming back if you don't.

Fix Cloudflare DNS Records

Stale or incorrect DNS records Cloudflare is pointing to will cause connection failures at the root. Check your Cloudflare DNS records and confirm the origin IP addresses are current. If you migrated servers recently, a stale record is a very plausible Cloudflare error 520 cause. Update it, wait for propagation, and test again.

Inspect HTTP Headers and Cookies

Open Chrome DevTools and reproduce the error. Export the har file chrome saves under the Network tab. Look at the response headers on the failing request - specifically total header size and any unusually large set-cookie values.

If Cloudflare header size looks excessive, trim your cookies and consolidate custom headers in your application. Anything pushing past 8KB on a single http response header is going to cause problems.

Disable .htaccess for Testing

Rename your .htaccess file temporarily and test. Certain Cloudflare htaccess configurations, such as redirect loops or malformed rewrite rules, produce responses Cloudflare can't parse. If disabling it clears the error, add rules back one section at a time to isolate the offending line. This is a reliable way to fix error 520 caused by Apache config issues.

Review PHP and Server Error Logs

Your php error log will show if a script is crashing mid-response. A fatal error during execution causes PHP to send back a malformed or empty response - both trigger a 520. Check Cloudflare error logs in your dashboard under Analytics > Logs (paid plans), and tail your server logs while reproducing the issue:

tail -f /var/log/nginx/error.log
# or for Apache:
tail -f /var/log/apache2/error.log

Watching logs in real time while you trigger the error is the fastest way to fix error 520 from this angle.

Debug with cURL Commands

Running a curl command http request directly against your origin server - bypassing Cloudflare entirely - shows you exactly what your server is sending back. If the response looks normal, the problem is specific to the Cloudflare-to-server path. If it looks broken, the server itself is the issue.

curl -I https://your-origin-ip --header "Host: yourdomain.com"

Check the http response headers in the output carefully. Invalid or malformed headers explain a lot of otherwise confusing 520s.

Pause or Disable Cloudflare

If you need the site back up immediately while you investigate, pause the Cloudflare proxy. Go to your dashboard, open the Overview tab, scroll to the bottom, and click "Pause Cloudflare on Site." Traffic routes directly to your origin without the proxy layer.

You can also enable Cloudflare development mode, which disables Cloudflare cache bypass behavior and forces fresh requests to origin. This is useful for isolating whether caching is a factor. Keep in mind that Cloudflare pause removes SSL termination and performance features. It's a diagnostic measure, not a long-term fix.

Contact Cloudflare Support

If you've worked through everything above and still can't find the cause, pull the Cloudflare Ray ID from the error page your visitors are seeing. Share it when you open a support ticket - Cloudflare can look up the exact request log and see precisely what your origin returned. Before you do, check the Cloudflare status at cloudflarestatus.com to confirm there's no active incident on their end.

How to Prevent Error 520 From Recurring

A website down Cloudflare incident is painful once. Having it happen repeatedly is worse, but totally avoidable. Three prevention steps will fix error 520 at the root and keep it from coming back.

Monitor Server Resource Consumption

Set up alerting on CPU and memory so you know before your server hits a wall, not after. Tools like Netdata or basic cron-based scripts can ping you when server resource usage crosses a threshold. Catching a runaway process early prevents the kind of crash that produces a 520. Also, as always, monitor the Cloudflare status - occasionally a spike in 520s turns out to be a partial Cloudflare incident, and knowing that early saves an hour of debugging your own stack.

Whitelist Cloudflare IP Ranges in Firewall

Permanently add all Cloudflare IP addresses to your firewall's allowlist. This removes an entire category of future 520s. On UFW:

for ip in $(curl -s https://www.cloudflare.com/ips-v4); do
  ufw allow from $ip to any port 443
done

Cloudflare updates their IP list occasionally, so automate this if you can. Keeping Cloudflare firewall rules in sync with the published list means a security plugin or fail2ban rule can never accidentally block Cloudflare's requests again. The whitelist Cloudflare IP step is easy to skip, and consistently the thing people wish they'd done sooner when a 520 comes back.

Increase TCP Timeout to Over 300 Seconds

Set your server's keepalive timeout above Cloudflare's 300-second cloudflare timeout threshold to eliminate the intermittent 520s that are hardest to diagnose. For Nginx:

keepalive_timeout 305;

For Apache:

KeepAliveTimeout 305

This Cloudflare TCP timeout fix is a one-liner that prevents a whole class of connection-drop errors.

Error 520 vs Other Cloudflare Errors

520 gets confused with other Cloudflare error codes fairly often. It's worth knowing the distinctions - especially if you're also seeing Cloudflare error 504, which points to a slow upstream and is a completely different problem from any of the below.

Error 520 vs Error 522 Connection Timeout

Cloudflare error 522 means Cloudflare couldn't establish a TCP connection to your origin at all - the Cloudflare timeout fired before a connection was made. The 520 is different: the connection succeeded, but the response came back empty or malformed. Cloudflare 522 typically means your server isn't listening on the right port or is fully unreachable. The error 522 Cloudflare page looks similar but describes a fundamentally different failure.

Error 520 vs Error 524 Gateway Timeout

Cloudflare 524 means Cloudflare connected to your server and waited over 100 seconds with no response. Cloudflare error 524 is a slowness problem; 520 is a bad-response problem. If your server is just slow - a heavy database query or a long-running script - the Cloudflare timeout that fires will produce a 524, not a 520.

Error 520 vs Error 502 Bad Gateway

Cloudflare error 502 is a standard HTTP status code meaning the upstream returned an invalid response to an HTTP request. Cloudflare 502 usually points to a misconfigured proxy or gateway layer - an Nginx upstream or a load balancer. A 520 is broader: any unknown or empty response, regardless of whether a proper HTTP exchange even started.

Error 520 FAQ