Scrape Like a Pro! Get Your Free API Key

Troubleshooting Cloudflare 1020 Blocks with JMeter and Postman

Mohan Ganesan
Apr 2, 2024 ยท 3 min read

Cloudflare's 1020 error code indicates the request was blocked for potential malicious activity or violating bot protection rules. This can cause headaches when testing APIs with tools like JMeter or Postman. However, with a few tweaks you can get past the blocks and resume testing.

Why Cloudflare Blocks Automated Tools

Cloudflare aims to protect websites from attacks and abuse. Automated tools like JMeter and Postman can sometimes trigger the protections if sending too many requests too quickly or missing browser fingerprints. The 1020 block acts as a caution sign to slow things down.

Adjusting JMeter Settings

Here are some tips for configuring JMeter to avoid triggers:

  • Add HTTP Header Manager - Mimic a real browser by sending User-Agent, Accept-Language, and other headers.
  • Use HTTP Cookie Manager - Maintain and send back cookies like a normal browser.
  • Add HTTP Request Defaults - Set connect and response timeouts to mimic browsers.
  • Use CSV Data Set Config - Rotate through different IP addresses and user agents.
  • Insert Throughput Controllers - Limit overall requests per minute to stay under the radar. Start very low like 10/min and ramp up slowly.

    • Here is an example setup:

    HTTP Header Manager
User-Agent: Mozilla/5.0 Firefox/87.0
Accept-Language: en-US

HTTP Cookie Manager

HTTP Request Defaults
Connect Timeout: 10000
Response Timeout: 60000

CSV Data Set Config
ip_list.csv, user-agents.csv 

Throughput Controller
Max Requests Per Minute: 10

    Postman Settings to Avoid Blocks

    For Postman, enabling the Interceptor can help mimic a real browser:

  • Check "EnableInterceptor" on Settings
  • Select an appropriate Throttling Value
  • Add a Postman Proxy or Rotating Proxy to cycle different IP addresses

    • Also add Variabilities like different User-Agents and Languages. Start with a small runs first before larger load tests.

    Confirm It's a Cloudflare 1020 Block

    Before tweaking settings, confirm the issue is actually a 1020 block using a browser or cURL. For example:

    $ curl -I https://example.com/api/test

HTTP/2 1020 
cache-control: no-cache
content-type: text/html

    The 1020 status code indicates Cloudflare is blocking the request.

    Getting Unblocked After Tweaks

    After adjusting JMeter and Postman settings to mimic a browser, try your tests again starting slowly. The blocks should reduce or go away completely.

    If still blocked, you can contact the target website to whitelist the IP addresses used for testing.

    Caveats to Know

    A few things to keep in mind when troubleshooting 1020 errors:

  • Block durations start small but increase quickly if not throttled.
  • Blocking can be inconsistent even with the same requests.
  • Whitelists may expire without warning.
  • Heavy loads can still trigger blocks even if whitelisted.

    • So always check if you are blocked after making any major changes to tests.

    Key Takeaways

  • Cloudflare 1020 blocks automated testing tools to prevent abuse.
  • Mimic real browsers in JMeter and Postman.
  • Confirm blocks with curl before tweaking settings.
  • Ramp up load slowly.
  • Whitelist IPs if needed but understand limitations.

    • With the right tweaks you can minimize blocks and resume API testing through Cloudflare protections. Just take care to throttle traffic and not trigger the abuse alarms!

    Browse by language:

    The easiest way to do Web Scraping

    Get HTML from any page with a simple API call. We handle proxy rotation, browser identities, automatic retries, CAPTCHAs, JavaScript rendering, etc automatically for you


    Try ProxiesAPI for free

    curl "http://api.proxiesapi.com/?key=API_KEY&url=https://example.com"

    <!doctype html>
    <html>
    <head>
        <title>Example Domain</title>
        <meta charset="utf-8" />
        <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
        <meta name="viewport" content="width=device-width, initial-scale=1" />
    ...


    Tired of getting blocked while scraping the web?

    Get access to 1,000 free API credits, no credit card required!

    Try for free


    X

    Don't leave just yet!

    Enter your email below to claim your free API key: