Cloudflare Error 1010: Access denied (browser signature banned)

What’s actually happening

You hit a full Cloudflare error page with code 1010 in the corner and "Access denied" as the headline. A normal browser on a normal connection usually loads the site fine, but Selenium, Puppeteer, Playwright, a curl/Python request, or a privacy browser with a spoofed user-agent gets the 1010 wall. The block is instant — no challenge, no CAPTCHA, just denied. Refreshing or changing IP doesn't help because it's the browser signature, not the address, that tripped it.

Common causes

• Headless automation (Selenium, Puppeteer, Playwright) where the browser fingerprint or User-Agent gives away the automation (e.g. HeadlessChrome in the UA, missing navigator properties)
• HTTP clients like curl, Python requests, Go http, or scraping libraries that send minimal or malformed headers and no JavaScript runtime
• A spoofed or inconsistent User-Agent — claiming to be Chrome while missing the headers a real Chrome sends (Accept-Language, sec-ch-ua, etc.)
• Aggressive privacy extensions, anti-fingerprinting browsers, or a VPN/proxy whose traffic looks automated
• The site owner enabled Browser Integrity Check, which inspects every request's headers against Cloudflare's bad-signature ruleset

How to fix it

1. If you're a visitor, open the site in a clean, normal browserUse up-to-date Chrome, Firefox, Edge, or Safari with no automation flags and no fingerprint-spoofing extensions. Turn off the VPN or switch exit nodes. 1010 keys off the browser signature, so a stock browser on a stock connection is the fastest test of whether you're actually banned or just look like a bot.
2. If you're automating, make the browser look realDrop raw headless mode. Use puppeteer-extra-plugin-stealth or playwright-stealth, set a current real User-Agent that matches the rest of your headers, and run headful or with the headless detection patched. Better: stop scraping a site that doesn't want it, or use the owner's API.
3. If you own the site, turn off Browser Integrity CheckCloudflare dashboard, Security, Settings, find Browser Integrity Check and toggle it off (or scope it). In newer accounts this lives under Security, Security rules / WAF managed rules. BIC is a blunt instrument — disabling it removes the 1010 entirely for everyone.
4. Whitelist the legitimate signature or path instead of killing BIC globallyIf only your own monitor/scraper/health-check is getting 1010, add a WAF custom rule or IP Access Rule to Allow that specific User-Agent, IP, or path, so you keep BIC on for the rest of the world.
5. Confirm it's 1010 and not a sibling error1010 is specifically the browser-signature block. If the code is 1006/1007/1008 it's an IP/country/custom-rule ban, 1015 is rate limiting, and 1020 is a firewall Access Rule. The fix differs for each, so read the code in the corner before changing anything.