How WAF Blocking Works

Overview

The Expedited WAF protects your application through multiple layers of security. Each layer addresses a different type of threat, from automated bot attacks to sophisticated intrusion attempts to large-scale DDoS floods. All layers work together at the edge, blocking malicious traffic before it reaches your Heroku application.

Intrusion Detection and Prevention

These protections are always active and cannot be disabled. They detect and block common web application attacks in real time.

Cross-Site Scripting (XSS) Protection

Blocks scripts injected into web requests that would otherwise be executed by end users. XSS attacks attempt to run malicious JavaScript in visitors’ browsers to steal cookies, session tokens, or other sensitive data.

SQL Injection Protection

Blocks attempts to manipulate database queries by injecting SQL commands through form inputs, URL parameters, or other request data. SQL injection attacks can expose, modify, or delete your database contents.

Content Attack Protection

Enforces HTTP response headers that instruct browsers to apply security rules to the content they receive, preventing MIME-type attacks and other content-based exploits.

Network Attack Protection

Leverages aggregated attack data across thousands of sites to identify and block coordinated attacks. Correlations drawn from this network-wide visibility stop threats that would be invisible to individual sites.

Virtual Patching

Provides zero-day and known vulnerability protection. Security rules are applied at the edge to block exploit attempts before they reach your application, even before software patches are available for the underlying vulnerability.

Brute Force Protection

Detects and blocks automated login attempts, credential stuffing, and password brute forcing attacks targeting your application’s authentication endpoints.

Custom Traffic Controls

These controls let you define rules for which traffic is allowed or blocked. Some are always active with configurable options; others are opt-in.

IP Blocking

Block specific IP addresses from accessing your site. Useful for blocking known attackers or abusive traffic sources. See Blocking IP Addresses.

Country Blocking

Block requests from specific countries entirely, or restrict them to read-only access (blocking PUT/POST while allowing GET). See Blocking Requests Based on Country.

User Agent Blocking

Block requests from specific user agents, typically used to stop known bots, scrapers, or automated tools. See Blocking User Agents.

Referrer Blocking

Block traffic from specific referring sites to stop trolls, scam traffic, and phishing attacks that send illegitimate traffic to your site. See Blocking Referring Sites.

HTTP Verb Filtering

Controls which HTTP methods are allowed. GET, POST, and HEAD are always permitted. Other methods (PUT, DELETE, PATCH, OPTIONS, etc.) can be allowed or blocked individually. Blocking unused HTTP methods reduces your attack surface.

Anonymous Proxy Blocking

Blocks requests originating from known anonymous proxies. These are typically compromised consumer computers used as launching points for attacks. See Blocking Anonymous Proxies.

Cookied Visitors Blocking

Blocks visitors who carry a specific cookie, allowing you to tag and block individual abusive visitors. See Blocking Clients via Cookies.

DDoS Protection

DDoS (Distributed Denial of Service) protection operates at the edge network and is always active.

DDoS Probe Blocking

DDoS extortionists probe sites for vulnerability before launching attacks. By blocking these reconnaissance probes, the WAF significantly reduces the chance your site will be targeted for a flood attack.

UDP/TCP DDoS Flood Protection

Protects against low-level network attacks that attempt to overwhelm your site with terabytes of spoofed packets. These attacks are absorbed at the edge network before they can affect your application.

HTTP DDoS Flood Protection

Protects against application-layer (Layer 7) attacks. These attacks use legitimate-looking HTTP requests at high volume to exhaust your server resources. Individual attack requests are harder to distinguish from real traffic than network-layer floods, but the WAF uses behavioral analysis to identify and block them. See DDoS HTTP Flood Protection for details.

Adding Exceptions

If the WAF is blocking legitimate traffic, you have two ways to create exceptions:

IP Allowlisting

Add trusted IP addresses to your allowlist so they bypass all WAF security checks. This is useful for:

  • Your own team’s office IPs
  • Monitoring services (Pingdom, UptimeRobot, etc.)
  • API clients and integration partners
  • CI/CD pipeline IPs

See Blocking IP Addresses for instructions on managing your IP allowlist.

Path Allowlisting

Exempt specific URL paths from WAF security checks. Requests to allowlisted paths bypass all WAF rules. This is useful for:

  • Webhook endpoints (Stripe, GitHub, etc.)
  • Health check endpoints
  • API endpoints used by automated systems

See Allowlisting URL Paths for instructions on configuring path rules.
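The following is an added illustration, not Expedited WAF's own code, of how the custom traffic controls and exceptions described on this page interact when a request is evaluated: IP and path allowlists are checked first because they bypass all rules, GET/POST/HEAD are always permitted, and read-only country mode blocks PUT/POST while allowing GET. The policy structure, rule names and evaluation order are assumptions chosen to match the documented behaviour, and the IPs and country codes in the test are constructed placeholders.

```python
"""Toy model of the edge decision sequence described on this page.

Assumed structure, not the product's implementation: the policy fields,
reason strings and check order are illustrative only.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ALWAYS_ALLOWED_METHODS = {"GET", "POST", "HEAD"}  # always permitted per the page
READ_ONLY_BLOCKED_METHODS = {"PUT", "POST"}        # read-only country mode

@dataclass
class Request:
    method: str
    path: str
    client_ip: str
    country: str  # ISO country code as resolved at the edge (assumed)

@dataclass
class Policy:
    ip_allowlist: list = field(default_factory=list)    # CIDRs bypassing all checks
    path_allowlist: list = field(default_factory=list)  # path prefixes bypassing all checks
    ip_blocklist: list = field(default_factory=list)    # CIDRs blocked outright
    blocked_countries: set = field(default_factory=set)
    read_only_countries: set = field(default_factory=set)
    allowed_extra_methods: set = field(default_factory=set)  # e.g. {"PATCH"}

def _in_any(ip: str, cidrs) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(c, strict=False) for c in cidrs)

def evaluate(req: Request, pol: Policy) -> tuple:
    """Return (decision, reason). Exceptions come first because the page
    states that allowlisted IPs and paths bypass every WAF rule."""
    if _in_any(req.client_ip, pol.ip_allowlist):
        return ("allow", "ip-allowlist")
    if any(req.path.startswith(p) for p in pol.path_allowlist):
        return ("allow", "path-allowlist")
    if _in_any(req.client_ip, pol.ip_blocklist):
        return ("block", "ip-blocklist")
    if req.country in pol.blocked_countries:
        return ("block", "country")
    method = req.method.upper()
    if req.country in pol.read_only_countries and method in READ_ONLY_BLOCKED_METHODS:
        return ("block", "country-read-only")
    if method not in ALWAYS_ALLOWED_METHODS and method not in pol.allowed_extra_methods:
        return ("block", "http-verb")
    return ("allow", "default")
```

Note that a path allowlist exempts the path from every check, including verb filtering and country rules, so allowlisted webhook or health-check paths deserve their own authentication.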

Need Help?

If you need help understanding why traffic is being blocked or configuring exceptions: