WebSockets
WebSocket is a separate and distinct protocol from HTTP, and WebSocket traffic will not flow through the WAF.
Depending on the nature of your application and the types of attacks you're trying to protect against, you can choose one of two strategies for handling WebSockets in a WAF environment.
1. WebSocket Specific Domains
You can add an additional domain specifically to handle WebSocket connections with your Heroku application.
This has the benefit of being quick to set up, but it offers no additional security options.
2. Client HTTP Fallback
Most WebSocket clients can fall back to connecting over HTTPS instead of WS. This is useful if you'd like to apply rules like country blocking, bot blocking, or other WAF security measures.
Typically this is transparent to the end-user experience, but we would highly recommend performance testing.
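The fallback described in strategy 2, sketched as an added example (not code from this page or from any particular WebSocket client library): the client tries a WebSocket first and switches to HTTPS polling if the socket errors, closes before opening, or times out, then reports which transport it ended up on so it can be logged during performance testing. The names connectWithFallback, openWebSocket and openPolling are hypothetical, and the URLs in the comments are placeholders.

```javascript
// Added example. connectWithFallback and its option names are hypothetical.
// openWebSocket: () => WebSocket-like object (onopen/onerror/onclose/close)
// openPolling:   () => any HTTPS-based connection object (passes through the WAF)
function connectWithFallback({ openWebSocket, openPolling, timeoutMs = 3000 }, onReady) {
  let settled = false;
  let timer = null;
  let ws = null;

  const finish = (transport, conn, reason) => {
    if (settled) return;            // ignore late events once a transport is chosen
    settled = true;
    clearTimeout(timer);
    onReady({ transport, conn, reason });
  };

  const fallBack = (reason) => {
    if (settled) return;
    if (ws) {
      // Detach handlers and drop the half-open socket before switching.
      ws.onopen = ws.onerror = ws.onclose = null;
      try { ws.close(); } catch (_) { /* socket never opened */ }
    }
    finish("https-polling", openPolling(), reason);
  };

  try {
    // Browser usage (placeholder URL): () => new WebSocket("wss://www.example.com/live")
    ws = openWebSocket();
  } catch (err) {
    fallBack("websocket-constructor-threw");
    return;
  }

  ws.onopen = () => finish("websocket", ws, null);
  ws.onerror = () => fallBack("websocket-error");
  ws.onclose = () => fallBack("websocket-closed-before-open");
  // A handshake that is silently dropped never fires onerror, so bound the wait.
  timer = setTimeout(() => fallBack("websocket-timeout"), timeoutMs);
}
```

Recording the `transport` and `reason` values per session shows how many clients actually take the HTTPS path, which is the traffic the WAF rules apply to.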