Hey, first off, I’m sorry if this is not actually a Cloudflare issue, but it’s been driving me crazy and I can’t seem to figure out what’s causing it.

So, a couple days ago, some elements on my website started refusing to load with a 403 error, yet when you load them directly, everything works fine (e.g. an embedded image doesn’t load, yet when you actually go to the image’s URL, it loads normally). This all only seems to happen when you’re accessing it via Tor, too. Yet I haven’t changed anything either on my end, or Cloudflare’s end, it just suddenly started happening. Not only that, after a couple hours of me trying to fix it, without doing anything, the error seemed to have disappeared with one refresh of the page, yet when you refreshed again, it’s back – and that’s how it’s been since then. Sometimes it takes a couple refreshes, sometimes it works a couple times in a row. I’ve tried on multiple devices and networks, and it is always like that.

Here’s some other info that might help:

  • I’m using Full (Strict) encryption
  • No IPs blocked on my server’s end or CF’s firewall
  • I run my website on my own home server – not a hosting provider issue
  • HSTS enabled (Max-Age: 6 months)
  • Opportunistic Encryption on
  • CF Onion routing on (tried disabling, does nothing)
  • Tried purging the entire cache, did nothing

Thanks for any help in advance!


Tor IP addresses are assigned to users dynamically, and a user with a bad reputation may have just used the same IP that someone who doesn’t deserve that reputation is using now. Cloudflare updates its threat score constantly, and based on your description I’d guess that perhaps when you connect via Tor you may at times be getting an exit node IP address that is associated with a high threat score, and that’s probably what’s triggering Cloudflare’s protection.

When you go back after a couple hours, you may get a different IP, hence the inconsistent behavior.

As to what may be causing an embedded image not to load while the same image loads when accessed directly, could it be you are using page rules with different Security Level settings for different URL patterns?

You were right, thanks!

I just needed to check the firewall log, which I didn’t think to do for some reason (I do feel very stupid right now).

As for the embedded image thing, I don’t have any page rules doing that at the moment. But it turns out CF doesn’t restrict access to the website with a captcha when the user has a high threat score IP, but it does block the elements. Which is, again, weird but at least it is a step towards the solution.
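The firewall-log check that resolved this thread can be turned into a quick triage, shown here as an added example that is not part of the original posts or of Cloudflare's tooling. It separates paths that are blocked only for some client IPs (the IP-reputation pattern described above) from paths blocked for every client (a rule matching the URL). The record layout and field names are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records. The field names are hypothetical (not
# Cloudflare's export schema); assume firewall events merged with
# ordinary request logs so that allowed requests are present too.
SAMPLE_EVENTS = [
    {"client_ip": "198.51.100.7", "path": "/img/logo.png", "action": "block"},
    {"client_ip": "198.51.100.7", "path": "/css/site.css", "action": "block"},
    {"client_ip": "203.0.113.20", "path": "/img/logo.png", "action": "allow"},
    {"client_ip": "203.0.113.20", "path": "/css/site.css", "action": "allow"},
    {"client_ip": "192.0.2.55", "path": "/admin/login", "action": "block"},
    {"client_ip": "203.0.113.20", "path": "/admin/login", "action": "block"},
]


def classify_blocks(events):
    """Group blocked paths by whether the block depends on the client IP.

    ip_dependent:   path -> sorted IPs that were blocked, while at least
                    one other IP was never blocked on that same path.
    path_dependent: sorted paths where every IP that asked was blocked.
    """
    # path -> client IP -> set of outcomes seen (True means blocked)
    outcomes = defaultdict(lambda: defaultdict(set))
    for event in events:
        blocked = event["action"] == "block"
        outcomes[event["path"]][event["client_ip"]].add(blocked)

    result = {"ip_dependent": {}, "path_dependent": []}
    for path in sorted(outcomes):
        by_ip = outcomes[path]
        blocked_ips = sorted(ip for ip, seen in by_ip.items() if True in seen)
        never_blocked = [ip for ip, seen in by_ip.items() if seen == {False}]
        if not blocked_ips:
            continue  # nobody was blocked on this path
        if never_blocked:
            # Same resource, different outcome per IP: reputation-style block.
            result["ip_dependent"][path] = blocked_ips
        else:
            # Every client was blocked: look for a rule matching the URL.
            result["path_dependent"].append(path)
    return result


if __name__ == "__main__":
    report = classify_blocks(SAMPLE_EVENTS)
    for path, ips in report["ip_dependent"].items():
        print(f"{path}: blocked only for {', '.join(ips)}")
    for path in report["path_dependent"]:
        print(f"{path}: blocked for every client seen")
```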

