Question

How to fix Cloudflare 520 unknown error

Cloudflare 520 means Cloudflare reached your origin, but the origin returned an unexpected or invalid response.

What usually causes 520

  1. Malformed or empty response headers from origin.
  2. Oversized header/cookie payload (common with chained proxies).
  3. Origin process resets connection before full response is sent.
  4. WAF/plugin behavior that blocks Cloudflare edge in nonstandard ways.

Command flow that surfaces the issue quickly

# 1) Compare direct origin response with proxied response
curl -sv --resolve yourdomain.com:443:ORIGIN_IP https://yourdomain.com/ -o /dev/null
curl -sv https://yourdomain.com/ -o /dev/null

# 2) Inspect response headers size and structure
curl -sI --resolve yourdomain.com:443:ORIGIN_IP https://yourdomain.com/

# 3) Check service and recent errors
sudo systemctl status caddy --no-pager -n 30
sudo systemctl status nginx --no-pager -n 30
sudo journalctl -u caddy --since '30 minutes ago' --no-pager | tail -n 100
sudo tail -n 120 /var/log/nginx/error.log

Recovery order

Fix one concrete fault first: invalid headers, cookie bloat, or abrupt upstream reset. Then retest through Cloudflare before changing unrelated edge rules.

If you are still unsure whether this is 520 or timeout behavior, use Cloudflare 520 vs 524 quick split first.

Field patterns from real incidents

After-fix validation checklist

  1. Homepage and key question pages return stable 200/301/304 through Cloudflare.
  2. No repeated 520 on /robots.txt and /sitemap.xml.
  3. Error logs stop showing abrupt upstream reset/invalid header warnings.

If the error is clearly a timeout, continue with Cloudflare 524 timeout occurred.

If the issue is connection refusal instead of malformed response, continue with Cloudflare 521 web server down.

Generate a full Cloudflare diagnostics checklist