
Cloudflare Error 1009: Access Denied — country or region banned

A Cloudflare geo rule blocked the visitor's country before the request reached your origin, returning a 403.

What you see

Access Denied: Country or region banned
Error 1009
You do not have access to www.example.com.
The site owner may have set restrictions that prevent you from accessing the site.

What’s actually happening

Visitors from specific countries get a Cloudflare-branded 403 page instead of your site, while everyone else loads it fine. The request never touches your origin, so your server logs show nothing for those users. It frequently surfaces from support tickets — a customer traveling abroad, a VPN exit node, or a remote contractor in a region you didn't mean to block. Datacenter IP ranges (AWS, GCP) often geolocate to unexpected countries and get caught too.

Common causes

  • A WAF custom rule with an expression like (ip.geoip.country eq "CN") and a Block action.
  • A legacy IP Access Rule scoped to a country/region set to Block.
  • A country added to a block list during an attack and never removed afterward.
  • A VPN or proxy whose exit IP geolocates to a banned country even though the real user isn't there.
  • Cloud/datacenter IPs (CI runners, monitoring, server-side fetches) that map to a region on the block list.

How to fix it

  1. Find the rule that's blocking. In the Cloudflare dashboard go to Security > Events (or Security > WAF), filter Action = Block, and look at the Country and the Rule that fired. That tells you whether it's a custom WAF rule or a legacy IP Access Rule, and which country code is on the list.
  2. Narrow or delete the country block. Edit Security > WAF > Custom rules (or Security > WAF > Tools > IP Access Rules for the legacy version) and remove the offending country, or change the action from Block to Managed Challenge so real users can prove themselves while bots still get stopped.
  3. Allowlist the specific IPs you need. If you can't reopen the whole country, add an IP Access Rule with Action = Allow for the customer's IP, your monitoring IPs, or your CI ranges. Allow rules are evaluated before block rules.
  4. Re-check after attack mitigation. Country blocks added during a DDoS or credential-stuffing wave are easy to forget. After the incident, audit Security > WAF for any geo Block rules and scope them down to the paths actually under attack (e.g. only /login) instead of the whole site.
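
One way to run the audit from step 4 offline over a list of custom rules, as an added example that is not Cloudflare's or this page's own code. The dict keys (description, action, expression, enabled) and the sample rules are constructed assumptions; ip.src.country and http.request.uri.path are Rules-language field names that the page itself does not quote.

```python
import re

# ip.geoip.country is the field quoted on this page; ip.src.country is the
# newer name for the same field. Only eq / ne / in comparisons are parsed.
COUNTRY_RE = re.compile(
    r'ip\.(?:geoip|src)\.country\s+(eq|ne|in)\s+(?:"([A-Z]{2})"|\{([^}]*)\})')
PATH_FIELD = "http.request.uri.path"

# Constructed sample data; the dict keys are an assumed export shape.
SAMPLE_RULES = [
    {"description": "temp block during attack", "action": "block",
     "expression": '(ip.geoip.country eq "CN")'},
    {"description": "login geo block", "action": "block",
     "expression": '(ip.src.country in {"FR" "DE"} and '
                   'http.request.uri.path eq "/login")'},
    {"description": "challenge BR", "action": "managed_challenge",
     "expression": '(ip.geoip.country eq "BR")'},
    {"description": "block scanner UA", "action": "block",
     "expression": '(http.user_agent contains "examplebot")'},
]

def geo_countries(expression):
    """Return (sorted country codes, inverted) for a rule expression."""
    codes, inverted = set(), False
    for op, single, group in COUNTRY_RE.findall(expression):
        inverted |= op == "ne"  # "ne" blocks every country except the listed one
        codes.update([single] if single else re.findall(r"[A-Z]{2}", group))
    return sorted(codes), inverted

def audit(rules):
    """List enabled Block rules that match on country, site-wide ones first."""
    findings = []
    for rule in rules:
        if rule.get("action") != "block" or not rule.get("enabled", True):
            continue
        codes, inverted = geo_countries(rule["expression"])
        if codes:
            findings.append({
                "rule": rule["description"],
                "countries": codes,
                "blocks_all_except": inverted,
                "site_wide": PATH_FIELD not in rule["expression"],
            })
    return sorted(findings, key=lambda f: not f["site_wide"])

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Findings with site_wide set to True are the rules to scope down or switch to Managed Challenge first; the challenge rule and the user-agent rule are not reported because they do not Block on country.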

Stop it recurring

Prefer Managed Challenge over outright Block for geo rules, and review country-block rules after every incident so temporary bans don't become permanent.
