Error Code 520: Meaning, Causes & How to Fix It (2026)

Cloudflare Error 520 — "Web Server Is Returning an Unknown Error"

⚡ Key Takeaways

  • Error 520 is a Cloudflare-specific status code — not part of the official HTTP specification. It only appears on sites using Cloudflare as a proxy.
  • It means Cloudflare successfully connected to your origin server but received an empty, malformed, or completely unexpected response it could not process.
  • The four most common causes are: origin server crash or resource exhaustion, Cloudflare IPs blocked by a firewall, response headers exceeding 128 KB, and TCP keepalive timeout shorter than Cloudflare's 300-second threshold.
  • The CF-RAY ID in the error page is essential — it maps to a specific request in both Cloudflare and your origin server logs and is the fastest path to root cause identification.
  • For web scrapers and data pipelines, 520 is best handled with exponential backoff retry logic and residential proxy rotation to reduce origin-side load pressure.

Error 520 is one of the most frustrating server errors to troubleshoot because Cloudflare's own message — "Web Server Is Returning an Unknown Error" — tells you almost nothing about what went wrong. That vagueness is intentional: 520 is a catch-all for every situation where Cloudflare got a response from your origin server that it could not interpret as a valid HTTP reply. The origin was reachable. The connection opened. But what came back was empty, garbled, or cut off mid-stream.

This guide covers the exact architecture behind the 520, the six documented root causes, how to use the CF-RAY ID to pinpoint the problem, and a complete fix checklist organised by audience — end users, server administrators, and developers running scraping pipelines.

What Error 520 Means: The Architecture Behind It

To understand 520, you need to understand where Cloudflare sits in the request path. Cloudflare operates as a reverse proxy between the internet and your origin web server. Every visitor request passes through Cloudflare's edge network before reaching your server.

👤 Visitor (browser or app)
  → ☁️ Cloudflare Edge (CDN / WAF / proxy)
  → ⚠️ Origin Server (returns empty / malformed response)
  → 520 Error (Cloudflare can't process → shows error to visitor)

The critical distinction: a 520 means Cloudflare did reach your origin server and the TCP connection was established. The failure happens at the HTTP response layer — the origin either sent nothing back, sent something with no valid HTTP status code, sent malformed headers, or closed the connection before completing the response.

As Cloudflare's official documentation states: "This error occurs when the origin server returns an empty, unknown, or unexpected response to Cloudflare." The error page shown to visitors includes a CF-RAY ID — a unique request identifier that links to the specific event in Cloudflare's logs and your origin server's access log.

520 vs. Other Cloudflare 5xx Errors

Error 520 is part of a family of Cloudflare-specific codes (52x range) that go beyond standard HTTP. Knowing the differences prevents misdiagnosis:

| Code | Name | What It Means | Key Difference from 520 |
|------|------|---------------|-------------------------|
| 500 | Internal Server Error | Generic server-side failure — origin sent a valid HTTP 500 | 500 comes from the origin; 520 means Cloudflare couldn't interpret the origin's response at all |
| 502 | Bad Gateway | Cloudflare received an invalid response from the origin | 502 is a standard HTTP code meaning the gateway got a bad upstream reply; 520 is Cloudflare's extended version of the same concept |
| 521 | Web Server Is Down | The origin server refused the TCP connection entirely | 521 = connection refused before it opened; 520 = connection opened but response was invalid |
| 522 | Connection Timed Out | Cloudflare's connection to the origin timed out | 522 = timeout waiting for a response; 520 = response received but unreadable |
| 524 | A Timeout Occurred | TCP connection established but origin didn't respond within 100 seconds | 524 = response never arrived; 520 = response arrived but was invalid |
| 526 | Invalid SSL Certificate | Cloudflare couldn't validate the SSL certificate on the origin | 526 is an SSL/TLS issue; 520 is an HTTP response content issue |

Error code definitions: Cloudflare official documentation; Contabo Cloudflare 520 guide (March 2026).

8 Root Causes of Error 520

💥 Origin Server Crash or Resource Exhaustion

The single most common cause. A PHP process, runaway cron job, or traffic spike pushes CPU or memory to its limit. The server initiates the TCP connection but crashes before generating a valid HTTP response. Cloudflare receives an empty or truncated reply and returns 520.

🔥 Cloudflare IPs Blocked by Firewall

A security plugin (Wordfence, Fail2Ban, ModSecurity), .htaccess rule, or server-level firewall is blocking Cloudflare's IP ranges. The connection is technically accepted at the TCP level but refused at the application layer — producing an empty response. Cloudflare updates its IP list occasionally; rules must be kept in sync. Official Cloudflare IP ranges must be whitelisted.

📦 Response Headers Exceeding 128 KB

Cloudflare has a hard limit: individual response headers cannot exceed 16 KB; total headers cannot exceed 32 KB. Some sources note a 128 KB limit for the combined response. Excessive cookies (accumulated across subdomains or third-party scripts) are the most common cause of oversized headers. Cloudflare rejects the response and returns 520.

⏱️ TCP Keepalive Timeout Below 300 Seconds

Cloudflare waits up to 300 seconds for a response from the origin. If your web server's keepalive or idle timeout is set below 300 seconds (a common NGINX default is 65 seconds), the server closes the connection while Cloudflare is still waiting — triggering 520. As Contabo's guide notes: this is "the intermittent 520 that is hardest to diagnose."

🔧 Malformed or Empty HTTP Response

Application code (PHP, Node.js, Python) that generates an invalid response — missing status code, malformed headers, or empty body with no content-length — produces a response Cloudflare cannot interpret. Bugs in custom error handlers, middleware, or output buffering misconfigurations are typical culprits.

🔐 HTTP/2 Misconfiguration at Origin

Cloudflare negotiates HTTP/2 with origins where configured. If the origin server accepts the HTTP/2 connection but implements the protocol incorrectly — incompatible frame handling or missing SETTINGS frames — Cloudflare receives a response it cannot process and returns 520.

🔑 Authenticated Origin Pull Misconfiguration

If Cloudflare's Authenticated Origin Pull feature is enabled but the origin server is not configured to accept and validate the client certificate Cloudflare sends, the origin rejects the connection silently or sends an empty response — producing 520.

🔌 Invalid Response from Plugin or Middleware

WordPress plugins, custom middleware, or server-side scripts that intercept requests and generate non-standard HTTP responses — particularly those sending binary data without proper MIME types or generating PHP fatal errors mid-response — produce output Cloudflare cannot parse.

3 Real-World Scenarios

Traffic Spike Causing PHP-FPM Exhaustion

An e-commerce site experiences a flash sale. PHP-FPM worker processes max out. New requests from Cloudflare establish TCP connections but get no response before the connection times out — Cloudflare returns 520 to all users. Diagnosis: PHP-FPM status page shows all workers occupied. Fix: increase pm.max_children in PHP-FPM config; add horizontal scaling or queue traffic.

🔒 Security Plugin Blocking Cloudflare After IP Update

Cloudflare publishes an updated IP range. A server running Wordfence or Fail2Ban with "block unknown IPs" rules does not have the new range whitelisted. Cloudflare's requests from the new IPs are silently dropped at the application firewall layer — origin returns empty. Fix: automate Cloudflare IP list syncing via their API; manually update the whitelist after each Cloudflare IP announcement.

🍪 Cookie Accumulation Exceeding Header Limit

A site using multiple analytics scripts, A/B testing tools, and ad networks accumulates dozens of cookies per session. On users who have visited many pages, the cumulative Cookie header in responses exceeds Cloudflare's 16 KB per-header limit. Cloudflare rejects the oversized response and returns 520. Fix: audit cookie usage with HAR file analysis, consolidate third-party scripts, and implement cookie expiry policies.

How to Fix Error 520: Complete Checklist

Work through the section that matches your role and access level.

First: Use the CF-RAY ID to Narrow the Cause

Every 520 error page includes a CF-RAY ID at the bottom (format: 7d1234567890abcd-LAX). This ID maps to a specific request in Cloudflare's logs and your origin server's access log. Before any other troubleshooting, note this ID — it dramatically narrows the time window and request to inspect. In Cloudflare Dashboard: Analytics → Origin Analytics → filter by edgeResponseStatus = 520 and match to originResponseStatus. If the origin returned 200 but Cloudflare served 520, the response content was malformed.

For End Users

1. Wait and Reload

If the 520 is caused by a temporary origin server crash or resource spike, the error is often self-resolving within minutes once the server recovers. Wait 2–3 minutes and perform a hard refresh (Ctrl+Shift+R / Cmd+Shift+R). If the error persists beyond 10 minutes, it is unlikely to resolve without administrator intervention.

2. Check Cloudflare System Status

Verify whether a Cloudflare-side incident is causing widespread 520 errors. Visit cloudflarestatus.com to check current network status. If Cloudflare has an active incident, the error is not originating from your server.

3. Report the CF-RAY ID to the Site Administrator

Note the CF-RAY ID from the 520 error page and provide it to the site owner or support team. This reference is more useful than a screenshot — it lets the administrator pull the exact request from logs without guessing time windows.

For Server Administrators

4. Check Origin Server Resource Usage

SSH into your server and run top or htop to check CPU and memory at the time of the errors. For PHP-FPM: check /var/log/php-fpm/error.log. For NGINX: check /var/log/nginx/error.log. For Apache: /var/log/apache2/error.log. Correlate error timestamps with the CF-RAY ID you noted.
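
The correlation step above, sketched as an added example (not code from the original article): it finds the origin log entry for a CF-RAY ID and lists other requests logged within a few seconds of it. It assumes the NGINX access log appends cf_ray="$http_cf_ray" to the stock "combined" format, which is not logged by default; the log lines are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines. Assumes NGINX's "combined" format with
# cf_ray="$http_cf_ray" appended (an assumption; not logged by default).
# Status 444 is NGINX closing the connection without sending a response.
SAMPLE_LOG = """\
172.64.0.10 - - [12/Mar/2026:10:15:02 +0000] "GET /cart HTTP/1.1" 200 5120 "-" "Mozilla/5.0" cf_ray="7d1234567890abc1-LAX"
172.64.0.11 - - [12/Mar/2026:10:15:04 +0000] "POST /checkout HTTP/1.1" 444 0 "-" "Mozilla/5.0" cf_ray="7d1234567890abcd-LAX"
172.64.0.12 - - [12/Mar/2026:10:15:05 +0000] "GET /api/stock HTTP/1.1" 444 0 "-" "Mozilla/5.0" cf_ray="7d1234567890abce-LAX"
172.64.0.10 - - [12/Mar/2026:10:21:40 +0000] "GET / HTTP/1.1" 200 9001 "-" "Mozilla/5.0" cf_ray="7d1234567890abff-LAX"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "[^"]*" "[^"]*" cf_ray="(?P<ray>[^"]*)"'
)

def parse_log(text):
    """Yield one dict per log line that matches the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in another format instead of failing
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"], e["bytes"] = int(e["status"]), int(e["bytes"])
        yield e

def correlate(text, ray_id, window_s=5):
    """Return (hit, neighbours): the entry for ray_id plus other entries
    logged within window_s seconds of it, which shows whether the failure
    was isolated or part of a burst."""
    want = ray_id.split("-")[0].lower()  # compare the hex part, ignore "-LAX"
    entries = list(parse_log(text))
    hit = next((e for e in entries
                if e["ray"].split("-")[0].lower() == want), None)
    if hit is None:
        return None, []
    span = timedelta(seconds=window_s)
    near = [e for e in entries
            if e is not hit and abs(e["ts"] - hit["ts"]) <= span]
    return hit, near

if __name__ == "__main__":
    hit, near = correlate(SAMPLE_LOG, "7d1234567890abcd-LAX")
    print(hit["request"], hit["status"], hit["bytes"])
    for e in near:
        print("nearby:", e["request"], e["status"])
```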

5. Whitelist Cloudflare IP Ranges

Download the current Cloudflare IP list from cloudflare.com/ips/ and add all ranges to your server firewall, .htaccess, iptables, or security plugin whitelist. For NGINX, add allow 103.21.244.0/22; (and all other ranges) before your deny rules. Automate this sync — Cloudflare updates its IPs periodically and a missed update can re-trigger 520 errors.
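
An added example (not part of the original article) that checks an exported ban list for entries overlapping Cloudflare ranges and renders the NGINX allow lines described above. The range list is a small sample subset and the ban list is constructed; load the full current list from cloudflare.com/ips/ in real use.

```python
import ipaddress

# Sample subset of Cloudflare ranges for illustration: 103.21.244.0/22 is the
# one quoted in the article. Replace with the full current list from
# cloudflare.com/ips/ before relying on the result.
CF_RANGES = ["103.21.244.0/22", "173.245.48.0/20", "104.16.0.0/13",
             "2400:cb00::/32"]

# Constructed ban list, as might be exported from a firewall or security plugin.
BLOCKED = ["198.51.100.23", "173.245.52.9", "104.16.0.0/12",
           "2001:db8::1", "not-an-ip"]

def find_blocked_cloudflare(blocked, cf_ranges):
    """Map each blocked entry (IP or CIDR) to the Cloudflare ranges it overlaps.
    Unparseable entries are returned separately so they get reviewed."""
    cf_nets = [ipaddress.ip_network(r) for r in cf_ranges]
    hits, invalid = {}, []
    for entry in blocked:
        try:
            # strict=False accepts single hosts and CIDRs with host bits set
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            invalid.append(entry)
            continue
        overlap = [str(c) for c in cf_nets
                   if c.version == net.version and c.overlaps(net)]
        if overlap:
            hits[entry] = overlap
    return hits, invalid

def nginx_allow_lines(cf_ranges):
    """Render the allow directives that go before the deny rules."""
    return [f"allow {ipaddress.ip_network(r)};" for r in cf_ranges]

if __name__ == "__main__":
    hits, invalid = find_blocked_cloudflare(BLOCKED, CF_RANGES)
    for entry, ranges in hits.items():
        print(f"{entry} blocks Cloudflare range(s): {', '.join(ranges)}")
    print("unparseable:", invalid)
    print("\n".join(nginx_allow_lines(CF_RANGES)))
```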

6. Increase TCP Keepalive Timeout Above 300 Seconds

Set your server's keepalive timeout above Cloudflare's 300-second threshold. For NGINX, add to your server block:

keepalive_timeout 320s;
keepalive_requests 10000;

For Apache, set KeepAliveTimeout 320 in httpd.conf. This eliminates the entire class of intermittent 520 errors caused by the server closing idle connections while Cloudflare waits.

7. Audit Response Headers with a HAR File

Generate a HAR (HTTP Archive) file using browser DevTools (F12 → Network → right-click → Save all as HAR). Open in Google's HAR Analyzer and check the response header sizes. If any header exceeds 16 KB — typically the Set-Cookie header on high-cookie sites — that is your 520 trigger. Reduce cookie size by auditing third-party scripts and setting appropriate cookie expiry and scope.
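
The header audit above can be scripted instead of read by eye. This added example (not from the original article) walks a HAR file's response headers and flags responses over the 16 KB per-header and 32 KB total figures the article quotes; the built-in HAR is constructed sample data and shop.example is a placeholder host.

```python
import json
import sys

PER_HEADER_LIMIT = 16 * 1024  # per-header figure quoted in the article
TOTAL_LIMIT = 32 * 1024       # total-headers figure quoted in the article

def header_bytes(h):
    """Size of one header line as sent in HTTP/1.1: 'Name: value' plus CRLF."""
    return len(h["name"].encode()) + 2 + len(h["value"].encode()) + 2

def audit_har(har, per_header=PER_HEADER_LIMIT, total=TOTAL_LIMIT):
    """Return one finding per response whose headers exceed either limit."""
    findings = []
    for entry in har["log"]["entries"]:
        resp = entry["response"]
        sizes = [(h["name"], header_bytes(h)) for h in resp.get("headers", [])]
        total_bytes = sum(size for _, size in sizes)
        oversized = [(name, size) for name, size in sizes if size > per_header]
        if oversized or total_bytes > total:
            findings.append({"url": entry["request"]["url"],
                             "status": resp["status"],
                             "total_bytes": total_bytes,
                             "oversized": oversized})
    return findings

def build_sample_har():
    """Constructed HAR (not a real capture): one normal response, one with a
    single oversized Set-Cookie, one with many medium-sized cookies."""
    def entry(url, headers):
        return {"request": {"url": url},
                "response": {"status": 200,
                             "headers": [{"name": n, "value": v}
                                         for n, v in headers]}}
    ctype = ("Content-Type", "text/html")
    many = [("Set-Cookie", f"t{i}=" + "y" * 1200) for i in range(30)]
    return {"log": {"entries": [
        entry("https://shop.example/", [ctype, ("Set-Cookie", "sid=abc; Path=/")]),
        entry("https://shop.example/cart", [ctype, ("Set-Cookie", "prefs=" + "x" * 17000)]),
        entry("https://shop.example/promo", [ctype] + many),
    ]}}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a HAR saved from DevTools
        with open(sys.argv[1], encoding="utf-8") as fh:
            har = json.load(fh)
    else:
        har = build_sample_har()
    for f in audit_har(har):
        print(f["url"], f["total_bytes"], "bytes total; oversized:", f["oversized"])
```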

8. Temporarily Pause Cloudflare to Isolate the Cause

In the Cloudflare Dashboard, go to your site → Overview → scroll down → "Pause Cloudflare on Site." This changes your DNS to point directly to the origin, bypassing Cloudflare. If the site loads normally, the 520 is caused by a Cloudflare-origin interaction (firewall block, header size, keepalive timeout). If the site still fails, the issue is on the origin server itself regardless of Cloudflare.

9. Verify DNS Records in Cloudflare

Incorrect A or CNAME records pointing to a wrong or outdated IP address cause Cloudflare to reach the wrong server — which may return an empty response. In the Cloudflare DNS tab, verify that your A records point to your current origin server IP. After any server migration, DNS records must be updated before re-enabling Cloudflare's proxy.

For Developers & Web Scrapers

10. Implement Exponential Backoff for 520 Responses

When scraping Cloudflare-protected sites, a 520 is almost always transient — a momentary server resource spike or connection drop. Implement exponential backoff: retry after 1s, 2s, 4s, 8s, up to a maximum of 3–5 attempts before marking the URL as failed. This avoids hammering an already-stressed origin and naturally resolves most 520 errors without intervention.

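import time
import requests

def fetch_with_retry(url, proxies, max_retries=4):
    """Fetch url, retrying on a 520 or a transport error with exponential backoff."""
    for attempt in range(max_retries):
        wait = 2 ** attempt  # 1s, 2s, 4s, 8s
        try:
            resp = requests.get(url, proxies=proxies, timeout=20)
            if resp.status_code != 520:
                return resp  # any non-520 response goes back to the caller
            print(f"520 error — retrying in {wait}s")
        except requests.RequestException as e:
            # Report the failure instead of swallowing it silently
            print(f"request failed ({e}), retrying in {wait}s")
        if attempt < max_retries - 1:
            time.sleep(wait)  # no sleep after the final attempt
    return None  # every attempt failed; caller marks the URL as failed
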
11. Rotate Residential IPs to Reduce Per-IP Origin Load

Sending many requests through the same IP to a Cloudflare-protected site concentrates load on the origin — increasing the likelihood of triggering resource exhaustion and 520 errors. Rotating residential IPs distributes requests across many exit points, reducing per-IP request frequency and making each session appear as separate organic traffic. Nstproxy's IP rotation guide covers integration patterns for this approach.

12. Use Cloudflare Origin Analytics to Identify Problematic Endpoints

If you manage the target site, use Cloudflare Analytics → Origin Analytics to compare originResponseStatus with edgeResponseStatus. The "Top endpoints" table identifies which specific paths are producing 520 errors — allowing targeted investigation rather than broad server-wide troubleshooting.

Error 520 and Web Scraping: What It Means for Your Pipeline

For data collection teams, a 520 from a Cloudflare-protected target is important to distinguish from other block responses:

  • A 403 Forbidden means Cloudflare's WAF has actively blocked the request — the origin was never reached. Changing IPs or headers addresses this.
  • A 520 means the origin was reached but returned a bad response. This could be an anti-scraping measure (the server detects bot traffic and intentionally returns an empty response), but is more commonly a genuine server-side instability triggered by the volume or pattern of requests.

The practical response differs accordingly. For genuine 520 errors from resource exhaustion, exponential backoff retry logic (Fix 10 above) resolves most cases. For scraping patterns that trigger intentional 520 responses, residential IP rotation through a clean IP pool reduces the scraping footprint that triggered the server-side detection in the first place.

Nstproxy's residential proxy network provides the clean, ethically sourced IPs that minimise the detection signals which trigger both 403 blocks and intentional 520 responses on protected targets. Coverage details in the residential proxy overview; high-anonymity configuration details in the high-anonymity proxy guide.

Conclusion

Error 520 is Cloudflare's catch-all for an origin server that responded with something it could not process — an empty response, malformed headers, an abruptly closed connection, or a crash mid-response. It is not a standard HTTP code, and it only appears on Cloudflare-proxied sites. The CF-RAY ID on the error page is your fastest diagnostic tool: it lets you correlate the exact request across Cloudflare's analytics and your origin server logs without guessing.

The four fixes that resolve most 520 cases are: whitelist Cloudflare's IP ranges in your firewall, set TCP keepalive timeout above 300 seconds, audit and reduce cookie/header sizes, and check origin resource usage during the error window. For developers running scraping pipelines, exponential backoff retry logic and residential IP rotation reduce both the incidence and impact of 520 errors from Cloudflare-protected targets.

Frequently Asked Questions

Q1: What does error 520 mean?

Error 520 is a Cloudflare-specific status code meaning the origin web server returned an empty, unknown, or malformed response that Cloudflare could not process. Cloudflare successfully reached the origin server and the TCP connection opened, but the HTTP response was invalid — missing a status code, containing oversized headers, or cut off before completion. It is not a standard HTTP code and only appears on sites using Cloudflare.

Q2: What is the difference between error 520 and error 521?

Both are Cloudflare-specific. Error 520 means Cloudflare connected to the origin server and the TCP connection opened, but the HTTP response was invalid or empty. Error 521 means Cloudflare could not establish a TCP connection at all — the origin server actively refused or rejected the connection before it opened. 521 is typically caused by a server that is completely down or has blocked Cloudflare's IPs at the network layer.

Q3: How do I fix a 520 error on my WordPress site?

The most common causes on WordPress sites are: (1) a security plugin blocking Cloudflare's IP ranges — check Wordfence or iThemes Security settings and whitelist Cloudflare IPs; (2) a plugin generating a PHP fatal error that produces an empty response — deactivate plugins one by one to isolate; (3) excessive cookies from analytics or ad scripts bloating response headers — audit cookie usage via a HAR file. Check your PHP error log (/var/log/php-fpm/error.log or the Logs section in your hosting panel) for the exact error at the time of the 520.

Q4: Why does error 520 appear intermittently but not consistently?

Intermittent 520 errors most commonly indicate a TCP keepalive timeout mismatch. If your server's idle connection timeout is below Cloudflare's 300-second threshold, the server closes idle connections while Cloudflare is still waiting — producing a 520 on some requests but not others depending on request timing. Set your server's keepalive timeout above 300 seconds (320 seconds recommended). This is the hardest 520 variant to diagnose because it does not reproduce on demand.

Q5: What is the CF-RAY ID and how do I use it?

The CF-RAY ID is a unique identifier for each request that passes through Cloudflare's network, shown at the bottom of every 520 error page (format: 7d1234567890abcd-LAX). In your Cloudflare Dashboard under Analytics → Logs, you can filter by this ID to see exactly what Cloudflare received from your origin and when. On your origin server, the same ID appears in the CF-RAY request header — search your NGINX or Apache access logs for it to find the exact request line and response code your server generated. If you need to contact Cloudflare support, always include the CF-RAY ID.
