← Glossary / Cloudflare Error 1015 (Rate Limited)

What is Cloudflare Error 1015 (Rate Limited)?

Cloudflare Error 1015 (Rate Limited) is an edge-level HTTP response indicating that a client has exceeded the target's configured request threshold within a specific time window. Unlike a standard 429 Too Many Requests, a 1015 is enforced directly by Cloudflare's infrastructure before the request ever reaches the origin server. For scraping pipelines, hitting a 1015 means your concurrency model is misaligned with the target's firewall rules, resulting in dropped data and burned proxy IPs.

CloudflareRate LimitingHTTP 1015ConcurrencyProxy Burn
// 02 — definitions

Too fast,
too furious.

The mechanics of Cloudflare's edge rate limiting, and why brute-forcing concurrency is a guaranteed path to pipeline failure.

Ask a DataFlirt engineer →

TL;DR

A 1015 error means Cloudflare's edge firewall has temporarily banned your IP or session for exceeding a predefined request rate. It is a hard block, not a challenge. Recovering from a 1015 requires immediate backoff and IP rotation, while preventing it requires precise traffic shaping and distributed proxy pools.

01Definition & structure
Cloudflare Error 1015 is a specific HTTP response indicating that the client has triggered a rate-limiting rule configured on Cloudflare's edge network. The response body typically contains an HTML page stating "Error 1015 | You are being rate limited." It is a protective measure designed to prevent brute-force attacks, DDoS attempts, and aggressive scraping. The limit is usually defined as a maximum number of requests per IP address within a rolling time window (e.g., 100 requests per minute).
02How it works in practice
When a request hits a Cloudflare edge node, the firewall evaluates it against active rate-limiting rules. It checks the client's IP, session cookie, or other defined characteristics, and increments a counter in a token bucket. If the counter exceeds the threshold, Cloudflare intercepts the request, blocks it from reaching the origin server, and returns the 1015 error. The block remains active until the penalty period expires, meaning any subsequent requests from that IP will instantly fail.
03The danger of path-specific limits
A common mistake in scraping is assuming rate limits apply uniformly across a domain. Administrators frequently apply strict limits to resource-heavy endpoints (like /api/search or /graphql) while leaving static assets or homepage routes loosely limited. A scraper might successfully fetch 500 product pages but instantly trigger a 1015 when it attempts to paginate through a search API at the same concurrency level.
04How DataFlirt handles it
We treat 1015 errors as a failure of our traffic shaping, not just a network error. Before a pipeline goes into production, our discovery workers profile the target to infer the exact rate limit thresholds per endpoint. We then configure our distributed scheduler to enforce a hard concurrency ceiling per IP, adding a 20% safety buffer. If a 1015 does occur, the offending IP is automatically quarantined in our proxy pool to prevent cascading failures.
05Did you know?
Cloudflare's rate limiting can be configured to trigger based on HTTP response codes from the origin. For example, an administrator can set a rule that bans an IP if it receives more than five 404 Not Found or 401 Unauthorized responses in a minute. This means a scraper with broken selectors or bad credentials can trigger a 1015 block even if its overall request rate is extremely low.
// 03 — the math

Calculating safe
concurrency limits.

Rate limits are typically implemented using a token bucket algorithm. DataFlirt's scheduler models these buckets per target to ensure our distributed workers never trigger a 1015 block.

Token bucket capacity = B = Bmax − (RinRout) · Δt
When B hits 0, Cloudflare drops the request and returns a 1015. Standard traffic shaping algorithm
Safe pipeline concurrency = Csafe = (Limit / Window) · ProxyPoolSize · 0.8
The 0.8 multiplier provides a 20% safety buffer against micro-bursts. DataFlirt scheduler model
Proxy burn rate = Burn = 1015_Count / Active_IPs
A burn rate > 0.05 indicates the pipeline is too aggressive for the pool. DataFlirt infrastructure SLO
// 04 — what the scraper sees

Hitting the wall
at 50 req/s.

A trace of a scraping worker aggressively hitting a search API, triggering a Cloudflare 1015, and the pipeline's automated recovery response.

HTTP/2Cloudflare EdgeTraffic Shaping
edge.dataflirt.io — live
CAPTURED
// worker 04 traffic burst
GET /api/v1/catalog?q=steel 200 OK 45ms
GET /api/v1/catalog?q=iron 200 OK 48ms
GET /api/v1/catalog?q=copper 200 OK 42ms
... 47 requests omitted ...

// threshold exceeded
GET /api/v1/catalog?q=zinc 429 Too Many Requests 12ms
cf-ray: 8daaf6152771-BOM
content-type: text/html
title: "Error 1015 | Rate limited"

// pipeline recovery
event: RATE_LIMIT_DETECTED
action: quarantine_ip(103.45.x.x, 3600s)
action: rotate_proxy_session()
action: apply_backoff(worker_04, 5000ms)
status: resuming with adjusted concurrency
// 05 — rate limit triggers

What trips the
1015 wire.

Cloudflare allows administrators to configure rate limits based on various request characteristics. These are the most common dimensions used to throttle scraping traffic.

SAMPLE SIZE ·  ·  ·  ·    1.2M 1015 events
WINDOW ·  ·  ·  ·  ·  ·   90d trailing
UPDATED ·  ·  ·  ·  ·  ·  2026-05-19
01

IP-based request volume

most common · Simple requests per minute per IP address
02

Path-specific limits

API protection · Strict limits on /search or /login endpoints
03

Session / Cookie volume

auth targeting · Limits tied to a specific user session token
04

ASN concentration

datacenter block · Aggregate limits applied to an entire hosting provider
05

JA3 / Fingerprint clustering

advanced · Enterprise feature limiting by TLS signature
// 06 — our stack

Shape the traffic,

don't fight the firewall.

DataFlirt avoids 1015 errors by profiling a target's rate limits during the discovery phase. We map the exact threshold per path and distribute the load across a residential proxy pool using a jittered token-bucket scheduler. If a 1015 is encountered, the worker immediately quarantines the IP, applies exponential backoff, and re-queues the request. We never burn through proxies just to hit a concurrency target.

Traffic shaping config

Pipeline scheduler settings for a heavily rate-limited Cloudflare target.

target.domain api.retailer.com
cf.inferred_limit 100 req / 1m / IP
scheduler.strategy token_bucketjittered
worker.max_rps 1.2safe buffer
proxy.pool_size 4,500 IPsresidential
error_1015.action quarantine_ip · 1hr
pipeline.burn_rate 0.002

Stay ahead of the pipeline

Data engineering
intel, weekly.

Anti-bot shifts, scraping infrastructure updates, dataset delivery patterns, and business outcomes from our pipelines. Short, technical, no fluff.

By submitting, you acknowledge our Privacy Notice.

// 07 — FAQ

Common
questions.

Common questions about Cloudflare rate limiting, recovery strategies, and how DataFlirt manages high-throughput pipelines safely.

Ask us directly →
What is the difference between a 1015 and a standard 429 error? +
A standard 429 Too Many Requests is usually generated by the origin server's application logic (e.g., an Nginx limit_req module or an API gateway). A 1015 Rate Limited is generated directly by Cloudflare's edge network before the request reaches the origin. 1015s are often stricter and harder to bypass because they operate at the CDN layer.
How long does a Cloudflare 1015 ban last? +
It depends entirely on the target's configuration. Cloudflare allows administrators to set the timeout period, which typically ranges from 1 minute to 24 hours. For scraping purposes, it's best to assume the IP is burned for at least an hour and rotate immediately rather than waiting it out.
Will rotating my User-Agent fix a 1015 error? +
No. Cloudflare rate limits are primarily enforced by IP address, session cookie, or ASN. Changing your User-Agent while using the same IP will not reset the token bucket. You must rotate your IP address or wait for the penalty window to expire.
How does DataFlirt handle targets with aggressive 1015 limits? +
We scale horizontally. If a target limits IPs to 10 requests per minute, and the client needs 1,000 requests per minute, we distribute the workload across a pool of at least 150 residential IPs. Our scheduler ensures no single IP ever approaches the 10-request threshold, maintaining high aggregate throughput without triggering edge blocks.
Is it legal to bypass rate limits by rotating IPs? +
Bypassing technical barriers like rate limits can violate a website's Terms of Service. In extreme cases, aggressive circumvention that degrades server performance has been argued as a CFAA violation in the US. DataFlirt's policy is to respect rate limits by shaping traffic to safe levels, ensuring our extraction does not harm the target's infrastructure.
Can Cloudflare rate limit based on browser fingerprints? +
Yes. Cloudflare Enterprise customers can configure rate limiting rules based on advanced criteria, including JA3/JA4 TLS signatures, bot management scores, or specific header combinations. If your scraper uses a default Python requests TLS signature, you might hit a 1015 much faster than a request originating from a real Chrome browser.
$ dataflirt scope --new-project --target=cloudflare-error-1015-(rate-limited) READY

Tell us what
to extract.
We do the rest.

20-minute scoping call. Pilot dataset within the week. Production within two. Whether you need a one-off catalogue dump or a continuous feed across millions of records — we scope, build, and operate the pipeline.

Start a pipeline → View pricing
hello@dataflirt.com  ·  Bengaluru  ·  IST  ·  typical reply < 4h
// 08 — keep reading

Related glossary terms

Anti-Bot Bypass

Cloudflare Bot Management

The broader security suite that often works in tandem with Cloudflare rate limiting.

Read →
Network Layer

Rate Limiting

The general concept of restricting request volume to protect server infrastructure.

Read →
Scraping Errors

HTTP 429 Too Many Requests

The standard HTTP status code for rate limiting, often used by origin servers.

Read →
IP Proxies

IP Cooldown Period

The time an IP must remain inactive before it can safely bypass a rate limit ban.

Read →