Last updated: 14 May 2026 by the Data Research Tools editorial team after a fresh round of testing against 14 production Cloudflare-protected endpoints.
Cloudflare Error 1015 is the rate-limit response code that pops up the moment a site operator decides your traffic is too aggressive. It looks like a generic block page, but the underlying mechanism is precise: a counter on Cloudflare’s edge nodes ticked past a configured threshold, and every request from your source identifier is now being short-circuited at the network edge before it ever reaches the origin. This guide breaks down what actually triggers 1015 in 2026, how operators configure the rule, and which bypass tactics still hold up after Cloudflare’s October 2025 rate-limit refactor.
What Cloudflare Error 1015 actually means
Error 1015 is delivered with HTTP status 429 (Too Many Requests) and the body contains the line “You are being rate limited” alongside a Cloudflare ray ID. The response is generated by Cloudflare’s edge, not the origin server, which is why you will see it returned in under 30 ms even for endpoints that normally take 300 to 800 ms to respond. The ray ID is your single most useful diagnostic artifact because it lets a site operator pinpoint the exact rule, zone, and edge node that fired the block when you later report a false positive.
The error is distinct from a few neighbouring codes that get confused with it in support tickets. Error 1020 is an Access Rules block, usually a hard country, ASN, or IP block configured by the operator. Error 1006 is a banned-IP response from a WAF custom rule. Error 1010 is a browser-integrity check failure tied to a missing or malformed user-agent. Error 1015 specifically signals that a counter exceeded a threshold, which means it is volumetric in nature, not signature-based. The practical implication is that 1015 is recoverable simply by slowing down or rotating identifiers, whereas 1020 or 1010 will continue to fire even at one request per minute until you fix the underlying signature.
The five real causes of 1015 in 2026
After triaging hundreds of customer reports across our mobile-proxy fleet, the same handful of root causes show up over and over. Understanding which one applies to your specific block is the difference between fixing the issue in 10 minutes and burning a weekend on the wrong remediation.
1. Per-IP request-rate threshold
This is the classic case and accounts for roughly 60 percent of 1015 blocks we see in customer tickets. Cloudflare’s standard rate-limit product lets operators set a counter like “100 requests in 1 minute” scoped to the source IP. Cross the threshold, get 1015 for the duration of the configured timeout, typically 10 minutes or one hour. The threshold itself can be much lower than 100 per minute when the operator is protecting a login endpoint, a checkout endpoint, or a search box. We have measured production thresholds as tight as 8 requests in 60 seconds on certain ecommerce checkout flows.
2. ASN-level rate limit on hosting providers
Cloudflare ships a managed list of hosting and cloud ASNs that get scrutinized with separate rate-limit profiles. If your scraper is running on AWS (ASN 16509), Hetzner (24940), DigitalOcean (14061), or any of the other 200-plus tagged hosting ASNs, the per-IP threshold applies but Cloudflare also looks at the aggregate ASN-level signal and may apply tighter ceilings. This is why moving the same code from your laptop on a residential connection to an EC2 instance can take you from zero 1015 errors to constant 1015 errors within hours.
3. Fingerprint-bucketed rate limit
The October 2025 rate-limit refactor introduced bucketing on TLS and HTTP/2 fingerprint signals, marketed as “advanced rate limiting.” Operators can now set a counter keyed not just on source IP but on the combination of source IP plus JA4 fingerprint plus HTTP/2 frame-pattern. The practical effect is that rotating IPs while keeping the same Python requests session, or the same Playwright Chromium build, no longer resets the counter because the fingerprint stays constant across rotations. A 2025 measurement by the Akamai Threat Research team showed that 38 percent of large Cloudflare customers had switched at least one rate-limit rule to fingerprint-keyed by Q4.
4. Cloudflare WAF Managed Rules with rate-limit action
The WAF can fire a rate-limit action as the response to a managed rule match. The trigger is not a request count, it is a sequence of suspicious payloads. Hit three SQL-injection signatures in a row, even unintentionally, and the WAF can throw 1015 instead of the usual 403. This one trips up developers because the count is invisible to them and the threshold is opaque. You will see 1015 starting after a handful of requests rather than after dozens.
5. Cloudflare Super Bot Fight Mode escalation
Super Bot Fight Mode (paid Bot Management) escalates response severity over time. The first few automated requests get a JS challenge, the next batch get a CAPTCHA, and the final stage delivers a 1015 with a long timeout. This is technically not a rate-limit product but operators tag it that way in their tickets. You can spot it because the 1015 will appear after a transition through 403 and 503 responses, not as the first response to a fresh session.
How operators configure these limits (the inside view)
Knowing how the limits are configured shapes your bypass strategy. Cloudflare exposes four primitives that operators combine.
The characteristic defines the counter key. Default is “source IP,” but operators can switch this to country code, ASN, TLS JA4, HTTP cookie value, query parameter, or a custom expression. A scraping shop running on residential proxies can still be blocked if the operator keys on the JA4 fingerprint of the underlying Playwright build, because that fingerprint is identical across thousands of IPs in the pool.
The characteristic threshold is the integer count that triggers the action, paired with the period in seconds. The product enforces minimums at 10 second granularity. A “10 requests in 10 seconds” rule is the tightest you will encounter on stock Cloudflare, but the Enterprise plan unlocks per-second counters.
The mitigation timeout determines how long the 1015 response keeps being served after the threshold is crossed. The minimum is 10 seconds, the maximum is one day, the most common production value is 60 minutes. Knowing the operator’s timeout shapes your retry pacing: blindly retrying every 30 seconds while the timeout is 60 minutes just keeps the counter pinned and prevents recovery.
The action can be Block, Managed Challenge, JS Challenge, or Log. Only Block emits 1015. Managed Challenge will surface a Turnstile widget instead, and a headless scraper sees a 403 with a challenge body rather than a clean 1015.
Detecting 1015 reliably in your scraper
Most scraper codebases catch generic HTTP 429 and assume any 429 is rate limiting. Cloudflare-specific detection is more useful because it tells you the block is upstream of the origin and the recovery strategy is different. The reliable detection signature is the combination of HTTP 429 plus a response body containing the string “1015” or “rate limited” plus a server header that starts with “cloudflare.” All three should match before you treat it as 1015.
import httpx
def detect_1015(response: httpx.Response) -> bool:
if response.status_code != 429:
return False
server = response.headers.get("server", "").lower()
if "cloudflare" not in server:
return False
body = response.text.lower()
return "1015" in body or "rate limited" in bodyThe ray ID lives in the cf-ray header, formatted as a 16-character hex string followed by a three-letter datacenter code (for example, 8b3f2a1c9d0e4f5g-LAX). Log it on every 1015 detection. If you ever need to dispute a block with the site operator, the ray ID is the only piece of information that lets them locate the matching rule in their dashboard.
Six bypass tactics ranked by reliability
Not every tactic still works in 2026 the way it did in 2023. We have grouped the current viable approaches by reliability based on our own production tests against a basket of 14 Cloudflare-protected targets covering ecommerce, public records, SERP scraping, and social platforms.
Mobile proxies (highest reliability for 1015 specifically)
Mobile carrier IPs sit on consumer ASNs (the major mobile networks in Singapore, the United States, the United Kingdom, Indonesia, and Vietnam all show up as residential-tier consumer ASNs to Cloudflare). The IP pool churns naturally through CGNAT, so even a single mobile IP rotation through a carrier reset cycles you across what looks like a fresh consumer device. We measured a 94 percent first-request success rate on mobile-proxy traffic against the basket of 14 targets in our April 2026 test set, versus 62 percent on datacenter rotating IPs and 71 percent on residential proxy pools.
The downside is throughput. A typical mobile proxy line tops out at 30 to 80 requests per minute before the carrier itself starts to throttle. The math works out only when each request is high-value (logged-in account session, geo-locked content) rather than high-volume.
Distributed request fan-out across many IPs
If the operator keyed the limit on source IP only, distributing the same total request volume across N IPs lets each individual IP stay below the threshold. The tactic is straightforward but the implementation detail that catches people is sticky-session pooling: if your HTTP client reuses connections inside a session, the same IP serves successive requests even when you intended to rotate. Force a fresh client per request or set a max-keepalive of one request when you genuinely need to fan out.
JA4 fingerprint diversification
For the fingerprint-bucketed rate limits introduced in October 2025, rotating only the IP is not enough. You need to also rotate the TLS handshake fingerprint. Tools that work in 2026: curl_cffi (which exposes Chrome and Firefox fingerprints natively), the curl-impersonate fork, and Playwright with the chrome-canary channel which produces a slightly different JA4 from stock Chromium. Test the fingerprint with a JA4 echo service before deploying because the fingerprint can drift across library minor versions.
Exponential backoff with jitter
When the operator’s mitigation timeout is short (10 to 60 seconds), waiting is cheaper than building a rotation infrastructure. The pattern that works: detect 1015, sleep for the timeout value plus 20 to 50 percent jitter, retry once. If 1015 fires again, double the sleep. After three retries from the same IP, mark the IP as cold and stop using it for the rest of the day. The jitter matters because synchronized retries from a pool of clients hit the threshold again in lockstep and just keep the counter pinned.
Header normalization
Stock scraper libraries ship default headers that scream “automation.” The python-requests library sends “User-Agent: python-requests/2.31.0” by default, and the Cloudflare default rate-limit rule for self-identified automation libraries is roughly an order of magnitude tighter than the rule for browser user-agents. Set a recent Chrome UA, add the Accept, Accept-Language, Accept-Encoding, sec-ch-ua, sec-ch-ua-mobile, and sec-ch-ua-platform headers, and you immediately move out of the tightest bucket. This costs nothing and recovers maybe 20 percent of cases on its own.
Session warm-up
Cloudflare tracks per-session metrics across the cf_clearance cookie. A session that completed a Managed Challenge earlier in the day gets a higher implicit trust score than one that did not. The warm-up tactic is to start each session with a benign request to the site’s homepage, accept the Turnstile challenge if presented, store the cf_clearance cookie, then reuse it for the actual scrape. The cookie is valid for 30 minutes by default. This tactic recovers another 10 to 15 percent of cases and is essentially free if you are running a browser-based scraper anyway.
When you should not bypass
The legal and reputational risk picture has shifted in 2026 after the December 2024 Ninth Circuit ruling in Meta v Bright Data which narrowed the data-scraping safe harbour around authenticated content. Rate-limit bypass on logged-in endpoints is now firmly in a riskier zone than scraping public data. The practical rules of thumb that hold up:
- If the site’s terms of service explicitly prohibit automated access and you are scraping behind a login, the legal risk is meaningful and stacking bypass tactics increases your exposure rather than your safety.
- If the site is delivering data that is genuinely public and the rate limit is the only thing slowing you down, the legal risk is lower but the reputational risk to your IP pool is still real. Cloudflare maintains shared block-lists across its customers, and a heavily-blocked IP costs your provider real money to remediate.
- If you have a B2B relationship with the site, the right answer is almost always to ask for an API key or a higher rate-limit allowance. Operators in 2026 have gotten much better at distinguishing legitimate research traffic from abuse and most are willing to allowlist a research IP range with one well-written email.
Cost-effective stack for 2026
The stack we run for our own monitoring across 14 Cloudflare-protected target sites breaks down as follows:
- Proxy layer: A mix of 70 percent mobile proxies for high-value endpoints and 30 percent residential rotating proxies for high-volume polling. Mobile lines from Singapore Mobile Proxy at 40 to 60 USD per line per month, residential pool at 6 USD per GB.
- HTTP layer: curl_cffi for everything non-interactive. The Chrome 124 impersonation profile is the current sweet spot, the Chrome 131 profile in late 2025 had a JA4 collision issue that has since been resolved but we still pin to 124 out of inertia.
- Browser layer: Playwright with the patchright fork to neutralize the navigator.webdriver detection. Patchright also strips the runtime fingerprint differences that put stock Playwright into the bot bucket on Cloudflare’s heuristics.
- Orchestration: A simple Redis-backed worker pool with a global per-target rate limiter that respects the operator’s observed threshold rather than fighting it. The single biggest reliability gain we have ever measured came from setting our internal limiter to 70 percent of the observed Cloudflare threshold and accepting the resulting lower throughput.
The all-in cost for monitoring 14 targets at 200 polls each per day works out to roughly 380 USD per month, dominated by the mobile-proxy lines.
Frequently asked questions
Does a VPN fix Cloudflare 1015?
Not reliably. Consumer VPNs put thousands of users behind the same exit IP, which means the per-IP threshold is shared across the whole user base. The exit IP is usually already over the threshold before your traffic arrives. Mobile proxies and residential proxies allocate IPs more sparsely and work better for this specific use case.
How long does Cloudflare 1015 last?
The mitigation timeout is operator-configurable between 10 seconds and 24 hours, with 60 minutes being the most common production value. There is no way to read the timeout from the response, the only way to find out is to retry at increasing intervals and observe when the response transitions away from 429.
Can I appeal a 1015 block?
Yes, by contacting the site operator directly and providing the ray ID from the response. Cloudflare does not handle appeals on the operator’s behalf, the operator has to whitelist your IP in their own dashboard. Most legitimate research requests get approved within 48 hours when accompanied by a clear use case.
Does Cloudflare 1015 affect SEO?
If your own site is hitting 1015 errors, yes. Googlebot will register the 429 responses, and a high rate of 429s for Googlebot crawl requests will reduce your crawl budget and eventually impact rankings. If you operate a Cloudflare-protected site, configure a Cloudflare WAF exception for the Googlebot ASN (AS15169) and equivalent for Bingbot, PerplexityBot, GPTBot, and ClaudeBot.
Is bypassing 1015 illegal?
In most jurisdictions, accessing public web content while routing around a rate limit is not itself illegal, but it can violate the site’s terms of service and expose you to civil liability if the site can demonstrate damages. The legal picture is meaningfully tighter when authentication is involved. Talk to a lawyer if your use case touches authenticated endpoints or paid content.
Related guides on dataresearchtools.com
- CapSolver Pricing 2026: reCAPTCHA v2 Cost Per 1000 Solves
- Cloudflare JA4 Fingerprint Format Explained: Decoding the JA4 Hash
- Anchor Browser Review 2026: Cloudflare-First Browser Automation
- Akamai Bot Manager 403 Errors: Fingerprint vs Rate-Limit Causes (2026)
- Pillar: Cloudflare Error 1015 Rate Limited: How to Fix It
last updated: May 14, 2026