Cloudflare Error 1015: Why It Happens & How to Fix It


Sarah Whitmore
Error Resolution
Cloudflare sits in front of a huge chunk of the web as a content delivery network and security layer, which means its error pages show up on all sorts of sites. Error 1015 is one of the more common ones you'll run into: it's a rate-limiting message telling you that too many requests came from your IP address in a short window.
That's annoying whether you're a shopper trying to check out, a QA engineer running automated tests against a site you own, or a researcher collecting public data at scale. The good news is that 1015 is almost always fixable once you understand what tripped it. Let's walk through the causes and the fixes for each type of user.
What Cloudflare Error 1015 Actually Means
Error 1015 ("You are being rate limited") means the number of requests coming from a single IP address has crossed a limit that the website owner configured in Cloudflare within a set time window. It isn't a permanent ban and it isn't tied to your account — it's tied to your IP and the pace of your requests.
Rate limiting is a defensive feature. It protects sites from being overwhelmed by traffic from a single source, whether that's a misbehaving script, a runaway browser extension, or a genuine denial-of-service attack. Cloudflare monitors both the total volume of requests and the timing between them from each IP. When an address sends too much, too fast, access to the protected resource is temporarily paused.
How Long the 1015 Block Lasts
The duration is set by the website owner, not by Cloudflare's defaults, and it can range from about 10 seconds up to a full 24 hours (86,400 seconds). The exact options available depend on the owner's Cloudflare plan. In practice, most consumer-facing sites use short windows — a minute or two — because they don't want to lock out real customers.
Separately, Cloudflare enforces a global rate limit on its own API: roughly 1,200 requests per user every 5 minutes. Blow past that and further API calls are blocked for the next 5 minutes. If you're building against the Cloudflare API rather than browsing a site, that's the ceiling to watch.
How Cloudflare Rate Limiting Works
Rate limiting is applied at the application layer rather than the web server itself, which is why a service like Cloudflare can manage it on the owner's behalf. The system watches which IPs are making requests, how many they're making, and how tightly spaced those requests are. An IP that fires a burst of identical requests in a fraction of a second looks very different from a person clicking through pages.
A typical Cloudflare rate-limiting rule has three parts:
Request matching criteria — which requests the rule applies to, based on things like the URL path, HTTP method (GET, POST, and so on), the scheme, or the response code from the origin.
Rate matching criteria — the threshold: how many requests are allowed from one source within a given period.
Mitigation action — what happens when the threshold is crossed, such as issuing a challenge or a temporary block, and for how long.
Fixing Error 1015 as a Regular Visitor
If you hit 1015 while just browsing, you almost certainly aren't the problem — something upstream is generating too many requests. Try these in order:
Wait it out. The message tells you a duration for a reason. Blocks are often temporary and clear on their own within a minute or two. If you weren't hammering the site, this usually fixes it.
Check your network. On shared connections — office, campus, public Wi-Fi — you share a public IP with everyone else. Their combined traffic can trip the limit. Switching to mobile data or a different network gives you a fresh IP.
Scan for malware. Occasionally, software on your machine sends background requests you never authorised. A reputable anti-malware scan can rule this out.
Disable browser extensions. Auto-refreshers, header modifiers, and price trackers can quietly generate extra requests. Turn extensions off one at a time and reload to find the culprit.
Clear cache and cookies. Stale or corrupted stored data can cause request conflicts. Clearing them for the affected site often helps.
If you regularly share a heavily used public IP and want a cleaner outgoing address for privacy reasons, a reputable VPN or a residential connection can give you a different IP. For a broader look at proxy-related HTTP status codes, our guide to the most common HTTP proxy errors pairs well with this one.
Fixing Error 1015 When You're Collecting Data or Testing
If you build tools that access websites — for public-data research, QA against your own properties, price monitoring on data you're allowed to gather, or automated testing — 1015 is a signal that your request pace is too aggressive for the target's rules. The fix is to behave more like a considerate client, not to disguise what you're doing. Working within each site's terms of service and its robots.txt guidance is both the compliant and the sustainable approach.
Here's what actually reduces 1015 errors:
Slow down and add delays. The simplest, most effective change. Introduce pauses between requests and randomise them slightly so you don't produce a robotic, evenly-spaced pattern. Concurrency limits matter as much as raw rate.
Respect the published limits. Many sites document acceptable request rates or offer an official API. Using a supported API is almost always faster, cleaner, and more reliable than scraping the rendered HTML.
Distribute load across ethical rotating proxies. A proxy server makes requests on your behalf from its own IP. Routing traffic through a pool of addresses spreads the load so no single IP crosses a per-IP threshold. Ethically sourced residential proxies come from real consumer connections, so they represent genuine, geographically diverse traffic rather than a block of identical datacenter addresses.
Handle retries gracefully. When you do get a 1015 or a 429, back off exponentially rather than retrying immediately. Our write-up on fixing failed Python requests covers retry and backoff strategies in detail.
Why Proxy Quality Matters
Free proxy lists are a false economy here. Those IPs are shared, abused, and frequently already flagged, so they generate more errors, not fewer. For serious, legitimate data work you want a clean pool and reliable rotation.
Evomi offers ethically sourced, Swiss-based proxies across the main types — residential from $0.49/GB, datacenter from $0.30/GB, mobile from $2.2/GB, and static ISP from $1/IP — with free trials on residential, mobile, and datacenter plans so you can test how they perform on your own tasks before committing. You can check any exit IP's geolocation with the free tool at geo.evomi.com to confirm you're landing where you expect.
Setting Sensible HTTP Headers
Every request carries headers describing the client. A common mistake in automated tooling is leaving headers inconsistent or missing entirely — for example, a browser-like User-Agent with no matching Accept-Language or Accept headers. That mismatch looks nothing like a real browser and can contribute to a rule triggering.
Set realistic, current headers that agree with each other, and keep them consistent within a session rather than randomly shuffling values that don't belong together. The goal is honest, well-formed requests — not disguise. If you'd rather not manage all of this by hand, a managed headless browser service handles a real Chromium fingerprint for you.
Using a Managed Browser or Scraping API
Juggling proxy rotation, headers, retries, and rendering by hand gets fiddly fast. A managed browser can absorb most of that complexity. Evomi's Scraping Browser is a cloud-hosted headless Chromium you connect to over wss://browser.evomi.com; it's compatible with Playwright and Puppeteer, so your existing automation code works with minimal changes. It renders JavaScript-heavy pages the way a real browser does and routes through the proxy network for you.
Whichever tool you use, the responsible pattern is the same: rate your requests to what the site can comfortably serve, obey robots.txt and the site's terms, and only collect data you're permitted to access.
Fixing Error 1015 as a Website Owner
If your own legitimate visitors are hitting 1015, your rate-limiting rules are probably too tight or too broad. In the Cloudflare dashboard you can:
Raise the threshold. If normal browsing trips the limit, allow more requests per window.
Shorten the block duration. A 10-second timeout is far less painful for real users than a 24-hour lockout and still deters abuse.
Tighten the matching criteria. Point rules at the specific paths or methods that actually get abused (like login endpoints) instead of blanketing the whole site.
Prune old rules. Delete outdated or overlapping rules that may be conflicting.
Scale your capacity. If genuine traffic surges are the real cause, make sure your hosting has headroom, and optimise your pages so each view needs fewer requests.
Contact Cloudflare support. If configuration changes don't resolve it, their team can help review your setup.
Related Cloudflare Errors
1015 is one of a family of Cloudflare block pages, each with its own cause. If you're troubleshooting proxy setups, it's worth knowing the neighbours: Error 1020 (access denied) comes from a firewall rule rather than rate limiting, and Error 1010 relates to browser signature checks. Matching the exact code to its cause saves a lot of guesswork.
Wrapping Up
Cloudflare Error 1015 is a rate-limiting response, not a permanent ban. As a visitor, patience plus a quick check of your network, extensions, and cache usually clears it. As a developer working with public data or your own systems, the durable fix is to slow down, respect each site's rules and API, distribute traffic across clean ethical proxies, and retry gracefully. And as a site owner, a few dashboard tweaks will keep the protection without shutting out the people you actually want to serve.
Cloudflare sits in front of a huge chunk of the web as a content delivery network and security layer, which means its error pages show up on all sorts of sites. Error 1015 is one of the more common ones you'll run into: it's a rate-limiting message telling you that too many requests came from your IP address in a short window.
That's annoying whether you're a shopper trying to check out, a QA engineer running automated tests against a site you own, or a researcher collecting public data at scale. The good news is that 1015 is almost always fixable once you understand what tripped it. Let's walk through the causes and the fixes for each type of user.
What Cloudflare Error 1015 Actually Means
Error 1015 ("You are being rate limited") means the number of requests coming from a single IP address has crossed a limit that the website owner configured in Cloudflare within a set time window. It isn't a permanent ban and it isn't tied to your account — it's tied to your IP and the pace of your requests.
Rate limiting is a defensive feature. It protects sites from being overwhelmed by traffic from a single source, whether that's a misbehaving script, a runaway browser extension, or a genuine denial-of-service attack. Cloudflare monitors both the total volume of requests and the timing between them from each IP. When an address sends too much, too fast, access to the protected resource is temporarily paused.
How Long the 1015 Block Lasts
The duration is set by the website owner, not by Cloudflare's defaults, and it can range from about 10 seconds up to a full 24 hours (86,400 seconds). The exact options available depend on the owner's Cloudflare plan. In practice, most consumer-facing sites use short windows — a minute or two — because they don't want to lock out real customers.
Separately, Cloudflare enforces a global rate limit on its own API: roughly 1,200 requests per user every 5 minutes. Blow past that and further API calls are blocked for the next 5 minutes. If you're building against the Cloudflare API rather than browsing a site, that's the ceiling to watch.
How Cloudflare Rate Limiting Works
Rate limiting is applied at the application layer rather than the web server itself, which is why a service like Cloudflare can manage it on the owner's behalf. The system watches which IPs are making requests, how many they're making, and how tightly spaced those requests are. An IP that fires a burst of identical requests in a fraction of a second looks very different from a person clicking through pages.
A typical Cloudflare rate-limiting rule has three parts:
Request matching criteria — which requests the rule applies to, based on things like the URL path, HTTP method (GET, POST, and so on), the scheme, or the response code from the origin.
Rate matching criteria — the threshold: how many requests are allowed from one source within a given period.
Mitigation action — what happens when the threshold is crossed, such as issuing a challenge or a temporary block, and for how long.
Fixing Error 1015 as a Regular Visitor
If you hit 1015 while just browsing, you almost certainly aren't the problem — something upstream is generating too many requests. Try these in order:
Wait it out. The message tells you a duration for a reason. Blocks are often temporary and clear on their own within a minute or two. If you weren't hammering the site, this usually fixes it.
Check your network. On shared connections — office, campus, public Wi-Fi — you share a public IP with everyone else. Their combined traffic can trip the limit. Switching to mobile data or a different network gives you a fresh IP.
Scan for malware. Occasionally, software on your machine sends background requests you never authorised. A reputable anti-malware scan can rule this out.
Disable browser extensions. Auto-refreshers, header modifiers, and price trackers can quietly generate extra requests. Turn extensions off one at a time and reload to find the culprit.
Clear cache and cookies. Stale or corrupted stored data can cause request conflicts. Clearing them for the affected site often helps.
If you regularly share a heavily used public IP and want a cleaner outgoing address for privacy reasons, a reputable VPN or a residential connection can give you a different IP. For a broader look at proxy-related HTTP status codes, our guide to the most common HTTP proxy errors pairs well with this one.
Fixing Error 1015 When You're Collecting Data or Testing
If you build tools that access websites — for public-data research, QA against your own properties, price monitoring on data you're allowed to gather, or automated testing — 1015 is a signal that your request pace is too aggressive for the target's rules. The fix is to behave more like a considerate client, not to disguise what you're doing. Working within each site's terms of service and its robots.txt guidance is both the compliant and the sustainable approach.
Here's what actually reduces 1015 errors:
Slow down and add delays. The simplest, most effective change. Introduce pauses between requests and randomise them slightly so you don't produce a robotic, evenly-spaced pattern. Concurrency limits matter as much as raw rate.
Respect the published limits. Many sites document acceptable request rates or offer an official API. Using a supported API is almost always faster, cleaner, and more reliable than scraping the rendered HTML.
Distribute load across ethical rotating proxies. A proxy server makes requests on your behalf from its own IP. Routing traffic through a pool of addresses spreads the load so no single IP crosses a per-IP threshold. Ethically sourced residential proxies come from real consumer connections, so they represent genuine, geographically diverse traffic rather than a block of identical datacenter addresses.
Handle retries gracefully. When you do get a 1015 or a 429, back off exponentially rather than retrying immediately. Our write-up on fixing failed Python requests covers retry and backoff strategies in detail.
Why Proxy Quality Matters
Free proxy lists are a false economy here. Those IPs are shared, abused, and frequently already flagged, so they generate more errors, not fewer. For serious, legitimate data work you want a clean pool and reliable rotation.
Evomi offers ethically sourced, Swiss-based proxies across the main types — residential from $0.49/GB, datacenter from $0.30/GB, mobile from $2.2/GB, and static ISP from $1/IP — with free trials on residential, mobile, and datacenter plans so you can test how they perform on your own tasks before committing. You can check any exit IP's geolocation with the free tool at geo.evomi.com to confirm you're landing where you expect.
Setting Sensible HTTP Headers
Every request carries headers describing the client. A common mistake in automated tooling is leaving headers inconsistent or missing entirely — for example, a browser-like User-Agent with no matching Accept-Language or Accept headers. That mismatch looks nothing like a real browser and can contribute to a rule triggering.
Set realistic, current headers that agree with each other, and keep them consistent within a session rather than randomly shuffling values that don't belong together. The goal is honest, well-formed requests — not disguise. If you'd rather not manage all of this by hand, a managed headless browser service handles a real Chromium fingerprint for you.
Using a Managed Browser or Scraping API
Juggling proxy rotation, headers, retries, and rendering by hand gets fiddly fast. A managed browser can absorb most of that complexity. Evomi's Scraping Browser is a cloud-hosted headless Chromium you connect to over wss://browser.evomi.com; it's compatible with Playwright and Puppeteer, so your existing automation code works with minimal changes. It renders JavaScript-heavy pages the way a real browser does and routes through the proxy network for you.
Whichever tool you use, the responsible pattern is the same: rate your requests to what the site can comfortably serve, obey robots.txt and the site's terms, and only collect data you're permitted to access.
Fixing Error 1015 as a Website Owner
If your own legitimate visitors are hitting 1015, your rate-limiting rules are probably too tight or too broad. In the Cloudflare dashboard you can:
Raise the threshold. If normal browsing trips the limit, allow more requests per window.
Shorten the block duration. A 10-second timeout is far less painful for real users than a 24-hour lockout and still deters abuse.
Tighten the matching criteria. Point rules at the specific paths or methods that actually get abused (like login endpoints) instead of blanketing the whole site.
Prune old rules. Delete outdated or overlapping rules that may be conflicting.
Scale your capacity. If genuine traffic surges are the real cause, make sure your hosting has headroom, and optimise your pages so each view needs fewer requests.
Contact Cloudflare support. If configuration changes don't resolve it, their team can help review your setup.
Related Cloudflare Errors
1015 is one of a family of Cloudflare block pages, each with its own cause. If you're troubleshooting proxy setups, it's worth knowing the neighbours: Error 1020 (access denied) comes from a firewall rule rather than rate limiting, and Error 1010 relates to browser signature checks. Matching the exact code to its cause saves a lot of guesswork.
Wrapping Up
Cloudflare Error 1015 is a rate-limiting response, not a permanent ban. As a visitor, patience plus a quick check of your network, extensions, and cache usually clears it. As a developer working with public data or your own systems, the durable fix is to slow down, respect each site's rules and API, distribute traffic across clean ethical proxies, and retry gracefully. And as a site owner, a few dashboard tweaks will keep the protection without shutting out the people you actually want to serve.

Author
Sarah Whitmore
Digital Privacy & Cybersecurity Consultant
About Author
Sarah is a cybersecurity strategist with a passion for online privacy and digital security. She explores how proxies, VPNs, and encryption tools protect users from tracking, cyber threats, and data breaches. With years of experience in cybersecurity consulting, she provides practical insights into safeguarding sensitive data in an increasingly digital world.



