HTTP 400-499 errors

Hi, I have had a scan of my site and it came up with this HTTP 400-499 errors. My site is in2town.co.uk and I do not understand why this has happened or how to solve it. I have never seen this status code before.

I did the scan through Bing webmaster console. I am not seeing my site receive many impressions through Bing, which is strange, and this may be the problem of the HTTP 400-499 error.

I have been given the following information

The body of the page does say…

Why have I been blocked?

This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution.

Suggests the ‘firewall’ blocked the program you used to do the ‘scan’, just like it blocked the one I used!

Well the title of the page does say

Attention Required! | Cloudflare

So it seems that it is most likely a block in Cloudflare.

When I contacted Cloudflare customer support they sent me the following, but I am really confused as I am not that technical. Can anyone please explain what I need to do and what damage this is causing my site?

Thank you for contacting Cloudflare Support. Sorry for the issues you are facing.

You can search for a blocked or challenged request in the Firewall app under the Overview tab in the Firewall Events section of your Cloudflare Dashboard.

Understanding Cloudflare Firewall Analytics

The Cloudflare WAF contains mainly 2 packages:

  • Cloudflare Managed Ruleset: These rules are managed by Cloudflare WAF Engineers. For “security reasons”, we don’t provide the rule patterns as this would increase the likelihood that a malicious party could learn to bypass the rules.
  • OWASP ModSecurity Core Rule Set: These rules are not managed by Cloudflare. They are created by the OWASP Group and Cloudflare integrates with this OWASP package as part of our WAF for additional security. If you would like to know why an OWASP rule has triggered, you can review the rules (expressions and sensitivity score) in the GitHub repository in this link.

If you’re encountering false positive due to the legacy WAF, there are 6 actions that you could take here:

  1. Add the IP(s) doing the request to the IP Access Rules in the allowlist, if the users connecting to your backend are always using the same IP address.
    This is the best solution as it does not affect the site security.
    How do I control IP access to my site?

  2. Disable the affected WAF rule(s)
    This will reduce the security of the site, but will stop the requests from getting blocked/challenged.
    How do I configure the WAF?

  3. Bypass the WAF with a Firewall Rule
    You can create a Firewall Rule with the bypass action for the WAF to be deactivated for a specific combination of parameters. You could for example only bypass the WAF for a specific URL and a specific IP or user-agent:
    https://developers.cloudflare.com/firewall/cf-firewall-rules/actions/

  4. Disable the Web Application Firewall from the requested endpoint (not recommended!)
    This will result in lower security, as the WAF will no longer be applicable on that location.
    This action is done by using Page Rules:
    Understanding and Configuring Cloudflare Page Rules (Page Rules Tutorial)

  5. If the rule blocking is 981176 (legacy OWASP) or 949110 (new OWASP), it means it was blocked by the OWASP rules. You need then to decrease the OWASP sensitivity: a request was blocked by rule 981176, what does that mean?. If decreasing the OWASP sensitivity doesn’t solve the issue, you might need to apply one of the other actions described above (1, 2, 3 or 4).

  6. [Enterprise only feature] Use WAF Overrides API
    There is a way to disable one WAF rule for a specific URI. The feature is known as the URI-Controlled WAF. Please follow this link on how to configure this feature.

If you’re encountering false positive due to the new WAF, there are two actions that you could take here:

  1. Add WAF Exception
    You can define WAF exceptions in the Cloudflare dashboard or using the Rulesets API.

  2. If the rule blocking is 949110 (new OWASP), it means it was blocked by the OWASP rules. You need then to decrease the OWASP Anomaly Score Threshold or lower the OWASP Paranoia Level.

Can anyone please help me?

Did you do this?

Which one of the errors are you getting (scroll to the error or errors you are receiving for the cause and/or troubleshooting information, all information comes from https://support.cloudflare.com/hc/en-us/articles/115003014512-4xx-Client-Error)

400 Bad Request (RFC 7231)

Server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).

401 Unauthorized (RFC 7235)

The request was not sent with the proper authentication credentials

  • Server must send with at least one challenge in the form of a WWW-Authenticate header field according to section 4.1
  • Client may send a second request with the same credentials and then if the challenge is identical to the one before, an entity will be provided by the server to help the client find what credentials are needed.

403 Forbidden (RFC 7231)

If you’re seeing a 403 error without Cloudflare branding, this is always returned directly from the origin web server, not Cloudflare, and is generally related to permission rules on your server. The top reasons for this error are:

  1. Permission rules you have set or an error in the .htaccess rules you have set
  2. Mod_security rules
  3. IP Deny rules

Since Cloudflare can not access your server directly, please contact your hosting provider for assistance with resolving 403 errors and fixing rules. You should make sure that Cloudflare’s IPs aren’t being blocked.

Cloudflare will serve 403 responses if the request violated either a default WAF rule enabled for all orange-clouded Cloudflare domains or a WAF rule enabled for that particular zone. Read more at What does the Web Application Firewall do? Cloudflare will also serve a 403 Forbidden response for SSL connections to sub/domains that aren’t covered by any Cloudflare or uploaded SSL certificate.

If you’re seeing a 403 response that contains Cloudflare branding in the response body, this is the HTTP response code returned along with many of our security features:

  • Web Application Firewall challenge and block pages
  • Basic Protection level challenges
  • Most 1xxx Cloudflare error codes
  • The Browser Integrity Check
  • If you’re attempting to access a second level of subdomains (e.g. *.*.example.com) through Cloudflare using the Cloudflare-issued certificate, an HTTP 403 error will be seen in the browser as these host names are not present on the certificate.

404 Not Found (RFC 7231)

Origin server was unable or unwilling to find the resource requested. This usually means the host server could not find the resource. To serve a more permanent version of this error one should use a 410 error code.

These errors typically occur when someone mistypes a URL on your site when there is a broken link from another page, when a page that previously existed is moved or removed, or there is an error when a search engine indexes your site. For a typical site, these errors account for approximately 3% of the total page views, but they’re often untracked by traditional analytics platforms like Google Analytics.

Website owners usually implement a custom page to be served when this error is generated.

Cloudflare does not generate 404s for customer websites, we only proxy the request from the origin server. When seeing a 404 for your Cloudflare powered site you should contact your hosting provider for help.

405 Method Not Allowed (RFC 7231)

Origin server is aware of the requested resource, but the request method used is not supported.

  • Origin server must also provide an Allow header with a list of supported targets for that resource.

An example would be a POST on an unchangeable resource that thus only accepts GET.

406 Not Acceptable (RFC 7231)

Resource is not available at the origin that adheres to negotiation headers that were set prior (e.g. via Accept-Charset and Accept-Language headers)

This status code can be replaced by simply serving the less preferred method to the User-Agent in lieu of generating this error.

407 Authentication Required (RFC 7235)

The client did not send the required authentication with the request.

408 Request Timeout (RFC 7231)

The origin server did not receive the complete request in what it considers a reasonable time.

  • Implied the server does not wish to wait and continue the connection.
  • Not used much because servers typically choose to use the “close” connection option.

409 Conflict (RFC 7231)

The request did not complete because of a conflict with the current state of the resource. Typically happens on a PUT request where multiple clients are attempting to edit the same resource.

  • The server should generate a payload that includes enough information for the client to recognize the source of the conflict.
  • Clients can and should retry the request again

Cloudflare will generate and serve a 409 response for an Error 1001: DNS Resolution Error.

Note: Error 402 is not covered since it’s not implemented by RFC standards yet (but rather reserved for future use).

However, I don’t see any error code when I load up your website.

So this may be an issue on your end. You should try viewing error analytics; to do so, follow the steps below:

  • Navigate to the Cloudflare support portal. Refer to instructions about filing a support ticket for information on how to reach the support portal.
  • Scroll down to the Error Analytics section.
  • Click Visit Error Analytics.
  • Enter the domain to investigate.
  • A graph of Errors over time is displayed.
  • Click on a status code in the table beneath the graph to expand traffic error details.

Once you have done that, provide a screenshot of the error analytics (and any HTTP status code from 400-409, with the exception of 402 since it’s not yet in use).

Hi, when I go into my Bing webmaster tools to do a site scan, it comes up with ERROR : HTTP 400-499 errors and will not go past the first page.

Someone tried to do a test and said this:
Ah, right. I’ve just tried your homepage in a test crawler, and got a 403

So you are receiving a “forbidden” error? As mentioned above, if you’re seeing a 403 error without Cloudflare branding, this is always returned directly from the origin web server, not Cloudflare, and is generally related to permission rules on your server. The top reasons for this error are:

  1. Permission rules you have set or an error in the .htaccess rules you have set
  2. Mod_security rules
  3. IP Deny rules

Since Cloudflare can not access your server directly, please contact your hosting provider for assistance with resolving 403 errors and fixing rules. You should make sure that Cloudflare’s IPs aren’t being blocked.

Cloudflare will serve 403 responses if the request violated either a default WAF rule enabled for all orange-clouded Cloudflare domains or a WAF rule enabled for that particular zone. Read more at What does the Web Application Firewall do? Cloudflare will also serve a 403 Forbidden response for SSL connections to sub/domains that aren’t covered by any Cloudflare or uploaded SSL certificate.

If you’re seeing a 403 response that contains Cloudflare branding in the response body, this is the HTTP response code returned along with many of our security features:

  • Web Application Firewall challenge and block pages
  • Basic Protection level challenges
  • Most 1xxx Cloudflare error codes
  • The Browser Integrity Check
  • If you’re attempting to access a second level of subdomains (e.g. *.*.example.com) through Cloudflare using the Cloudflare-issued certificate, an HTTP 403 error will be seen in the browser as these host names are not present on the certificate.
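The branded versus unbranded 403 rule quoted in the replies above can be written as a small triage check. This is an added example, not part of the original thread and not Cloudflare's code; the function names, return labels and sample pages are made up for illustration, and it assumes the branding appears in the page title as in the "Attention Required! | Cloudflare" page reported earlier.

```python
import re

# Constructed sample bodies; the title and heading text are the ones quoted in this thread.
CF_BLOCK_PAGE = ("<html><head><title>Attention Required! | Cloudflare</title></head>"
                 "<body><h1>Why have I been blocked?</h1></body></html>")
ORIGIN_403_PAGE = ("<html><head><title>403 Forbidden</title></head>"
                   "<body><h1>Forbidden</h1></body></html>")

TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def has_cloudflare_branding(body: str) -> bool:
    """True when the page <title> names Cloudflare, as the block page's does."""
    match = TITLE_RE.search(body)
    return bool(match) and "cloudflare" in match.group(1).lower()


def triage(status: int, body: str = "") -> str:
    """Map a response to the side to investigate, per the rules quoted above."""
    if status == 403:
        if has_cloudflare_branding(body):
            # WAF block/challenge pages, Browser Integrity Check, most 1xxx
            # errors: look the request up in Firewall Events.
            return "cloudflare-security"
        # .htaccess or permission rules, mod_security, IP deny rules at the host.
        return "origin-permissions"
    if status == 404:
        return "origin"  # Cloudflare only proxies the origin's 404
    if status == 409 and "1001" in body:
        # Assumption: the error page body names the code (Error 1001).
        return "cloudflare-dns"
    if status == 524:
        return "origin-timeout"  # origin sent no response within 100 seconds
    return "unclassified"
```
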

I thank you. I have just done that and it shows the following


Not sure why it mentions slow when my site speed is normally 1.4 seconds. However, I have just tested it now, as I test it twice a day, and the speed is currently 3.1, which is so strange as it is never that slow. But this problem above I have been trying to sort out for a few weeks.

According to the screenshot you provided to me, you are getting error 524 most of the time (out of all errors that were provided in the screenshot). Below are the troubleshooting steps for the 524 error.

Error 524: a timeout occurred

Error 524 indicates that Cloudflare successfully connected to the origin web server, but the origin did not provide an HTTP response before the default 100 second connection timed out.

Enterprise customers can increase the 524 timeout up to 6000 seconds using the proxy_read_timeout API endpoint.

Resolution: Contact your hosting provider to exclude the following common causes at your origin web server:

  • A long-running process on the origin web server.
  • An overloaded origin web server.

Logging request response time at your origin web server helps identify the cause of resource slowness. Contact your hosting provider or site administrator for assistance in adjusting log formats or search for related logging documentation for your brand of web server such as Apache or Nginx.

If you regularly run HTTP requests that take over 100 seconds to complete (for example large data exports), move those processes behind a subdomain not proxied (grey clouded) in the Cloudflare DNS app.

If error 524 occurs for a domain using Cloudflare Railgun, ensure the lan.timeout is set higher than the default of 30 seconds and restart the railgun service.

Troubleshooting steps for the other errors can be found at https://support.cloudflare.com/hc/en-us/articles/115003011431-Troubleshooting-Cloudflare-5XX-errors-Error#500error and https://support.cloudflare.com/hc/en-us/articles/115003011431-Troubleshooting-Cloudflare-5XX-errors-Error#520error
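To illustrate the advice above about logging request response time at the origin, here is an added example (not part of the original thread) that scans an access log for paths approaching or exceeding the 100 second limit behind error 524. It assumes an Nginx log format with `rt=$request_time` appended to each line; the log lines, paths and the `slow_paths` name are constructed for the example.

```python
import re
from collections import defaultdict

CF_TIMEOUT_S = 100.0  # default timeout quoted in this thread for error 524

# Assumed log_format: combined-style line with " rt=$request_time" appended.
LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'.*?rt=(?P<rt>\d+(?:\.\d+)?)'
)

# Constructed sample log (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 rt=1.402
203.0.113.7 - - [01/Jan/2022:10:00:09 +0000] "GET /export?fmt=csv HTTP/1.1" 200 88211 rt=131.007
198.51.100.4 - - [01/Jan/2022:10:02:30 +0000] "POST /cron.php HTTP/1.1" 200 0 rt=62.350
198.51.100.4 - - [01/Jan/2022:10:04:11 +0000] "GET /export?fmt=csv HTTP/1.1" 200 0 rt=100.001
203.0.113.9 - - [01/Jan/2022:10:05:00 +0000] "GET /favicon.ico HTTP/1.1" 200 318
"""


def slow_paths(log_text, warn_ratio=0.5):
    """Return per-path timing stats for paths whose slowest request took at
    least warn_ratio of the timeout, slowest first."""
    stats = defaultdict(lambda: {"hits": 0, "max_s": 0.0, "over_timeout": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # line has no timing field; nothing to measure
        path = m["path"].split("?", 1)[0]  # group by path, ignore query string
        rt = float(m["rt"])
        entry = stats[path]
        entry["hits"] += 1
        entry["max_s"] = max(entry["max_s"], rt)
        if rt >= CF_TIMEOUT_S:
            entry["over_timeout"] += 1  # the edge would have returned a 524
    flagged = {p: s for p, s in stats.items()
               if s["max_s"] >= CF_TIMEOUT_S * warn_ratio}
    return dict(sorted(flagged.items(),
                       key=lambda kv: kv[1]["max_s"], reverse=True))
```
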

Hi, I am a PRO customer. Sorry, I am not very technical minded. Why is there a timeout problem? What should I be saying to my hosting company? I really do not understand why this is happening. I thought by using Cloudflare it would make everything faster and cause no problems. One person said that they came across this:

Attention Required! | Cloudflare

Error 524 indicates that Cloudflare successfully connected to the origin web server, but the origin did not provide an HTTP response before the default 100 second connection timed out.

Resolution: Contact your hosting provider to exclude the following common causes at your origin web server:

  • A long-running process on the origin web server.
  • An overloaded origin web server.

Logging request response time at your origin web server helps identify the cause of resource slowness. Contact your hosting provider or site administrator for assistance in adjusting log formats or search for related logging documentation for your brand of web server such as Apache or Nginx.

If you regularly run HTTP requests that take over 100 seconds to complete (for example large data exports), move those processes behind a subdomain not proxied (grey clouded) in the Cloudflare DNS app.

If error 524 occurs for a domain using Cloudflare Railgun, ensure the lan.timeout is set higher than the default of 30 seconds and restart the railgun service.
