Cloudflare Error 1012: Access Denied
Cloudflare blocked the visitor's IP or network over detected malicious activity, returning a 403 before the request reaches the origin.
What you see
Access Denied
Error 1012
This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution.
What’s actually happening
A specific visitor or network gets a 403 Access Denied from Cloudflare, often intermittently, while most traffic is fine. It tracks to the client's IP reputation rather than what they typed — the same person may load the site fine from their phone's cellular connection but not their office Wi-Fi. Shared office, university, or carrier-grade NAT addresses get hit because one bad actor behind that IP poisoned its reputation. Your origin logs stay empty for the blocked requests.
Common causes
- A malware-infected machine elsewhere on the visitor's network has driven up that IP's Cloudflare threat score.
- An IP Access Rule on the zone explicitly blocks the visitor's IP or ASN.
- Browser Integrity Check or a high Security Level flags the request as automated.
- The visitor is behind a shared/CGNAT IP whose reputation was ruined by someone else.
- A user-agent or header pattern that looks like a bot or scraper to Cloudflare's heuristics.
How to fix it
- Confirm it's IP/reputation, not geo. Error 1012 is about the client's IP and detected activity, not its country (that's 1009). In Security > Events, filter on the visitor's IP to see whether an IP Access Rule, the threat score, or Browser Integrity Check is the source.
- Allowlist the legitimate IP or network. Add an IP Access Rule with Action = Allow for the affected IP or ASN under Security > WAF > Tools. This overrides reputation-based blocking for that source. For a known office, allowlist the egress IP range.
- Lower Security Level or disable Browser Integrity Check on affected paths. If many real users are caught, drop the zone (or a path-scoped config) from High to Medium under Security > Settings, or turn off Browser Integrity Check. Use a Configuration Rule to limit the relaxation to the specific routes that need it.
- Tell the visitor to clean their network. When it's one user, the honest answer is often a malware scan: an infected device on their LAN is dragging the shared IP's reputation down. A full antivirus sweep, or switching networks, clears it. Cloudflare support cannot override a customer's own security settings, so the site owner has to allowlist.
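The triage in the steps above can be scripted over an exported list of security events. This is an added example, not part of the original page and not Cloudflare's code; the event field names, the `source` labels, and the sample events are assumptions constructed for illustration, so map them to whatever your own export contains.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events, not real traffic. Field names and "source" labels
# are assumptions modelled on a Security Events export; map them to your own.
EVENTS = [
    {"clientIP": "198.51.100.7", "action": "block", "source": "securitylevel", "path": "/login"},
    {"clientIP": "198.51.100.7", "action": "block", "source": "securitylevel", "path": "/cart"},
    {"clientIP": "198.51.100.9", "action": "block", "source": "securitylevel", "path": "/login"},
    {"clientIP": "203.0.113.20", "action": "block", "source": "ip", "path": "/"},
    {"clientIP": "192.0.2.55", "action": "block", "source": "bic", "path": "/api/status"},
    {"clientIP": "192.0.2.55", "action": "managed_challenge", "source": "bic", "path": "/"},
]

# Assumed source label -> the fix this page describes for it.
FIXES = {
    "ip": "review the IP Access Rule that blocks this source",
    "asn": "review the IP Access Rule that blocks this ASN",
    "securitylevel": "add an Allow rule for the source, or lower Security Level",
    "bic": "add an Allow rule for the source, or disable Browser Integrity Check",
}

def blocks_for(events, visitor):
    """Map each blocking source to the paths it blocked for an IP or CIDR."""
    net = ipaddress.ip_network(visitor, strict=False)
    hits = defaultdict(set)
    for ev in events:
        if ev["action"] == "block" and ipaddress.ip_address(ev["clientIP"]) in net:
            hits[ev["source"]].add(ev["path"])
    return {src: sorted(paths) for src, paths in hits.items()}

def distinct_clients(events, source):
    """Count distinct client IPs blocked by one source (one user or many?)."""
    return len({ev["clientIP"] for ev in events
                if ev["action"] == "block" and ev["source"] == source})

def triage(events, visitor, many=2):
    """Return (source, paths, advice) tuples for a visitor IP or CIDR."""
    out = []
    for src, paths in sorted(blocks_for(events, visitor).items()):
        advice = FIXES.get(src, "not an IP/reputation source; check other rules")
        if src in ("securitylevel", "bic") and distinct_clients(events, src) >= many:
            advice += " on these paths via a Configuration Rule"
        out.append((src, paths, advice))
    return out

if __name__ == "__main__":
    for row in triage(EVENTS, "198.51.100.0/24"):
        print(row)
```

The `many` threshold is a hypothetical cut-off for "many real users are caught"; set it to match your own traffic before acting on the path-scoped advice.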
Stop it recurring
Allowlist your own offices, partners, and monitoring IPs up front, and avoid blanket High security levels that punish shared-IP users for their neighbors' behavior.