Common WAF Use Cases
Overview
The Expedited WAF (Web Application Firewall) protects your Heroku application by filtering and blocking malicious HTTP traffic at the edge — before it reaches your server. This document explains what the WAF protects against, what it does not cover, and where its boundaries are.
What the WAF Protects
The WAF sits between your visitors and your Heroku application. All HTTP/HTTPS traffic to your domain passes through the WAF, which inspects each request and blocks anything that matches known attack patterns or your custom rules.
Attack Prevention
- SQL injection — Blocks attempts to manipulate your database through malicious input
- Cross-site scripting (XSS) — Blocks scripts injected into requests that would execute in visitors’ browsers
- Remote code execution — Blocks attempts to run commands on your server through crafted requests
- Directory traversal — Blocks attempts to access files outside your application’s web root
- Brute force attacks — Detects and blocks automated login attempts and credential stuffing
See How WAF Blocking Works for the full list of protections.
Traffic Control
- IP blocking/allowlisting — Block known bad actors or allowlist trusted IPs (office networks, API clients, monitoring services)
- Country blocking — Block or restrict traffic from specific countries
- User agent blocking — Block known bots, scrapers, and automated tools
- Rate limiting — Prevent abuse by limiting request frequency per IP
- Path rules — Block or allowlist specific URL paths
DDoS Protection
- Network-layer (L3/L4) — Absorbs volumetric UDP/TCP flood attacks at the edge
- Application-layer (L7) — Detects and blocks HTTP flood attacks that try to exhaust your server resources
SSL/TLS Certificate Management
- Automatic SSL certificate provisioning and renewal for your domain
- TLS termination at the edge with configurable cipher suites and protocol versions
- HTTPS enforcement (redirect HTTP to HTTPS)
Performance
- Edge caching for static assets (images, CSS, JavaScript)
- Gzip/Brotli compression
- Global CDN with multiple points of presence
What the WAF Does Not Cover
The WAF protects inbound HTTP/HTTPS traffic to your domain. It does not cover:
Email
The WAF does not filter, scan, or protect email in any way. It does not block spam, phishing emails, or email-based attacks. If you need email security, you need a dedicated email security service.
Outbound Connections
The WAF only inspects incoming requests to your domain. It does not monitor, filter, or affect outbound connections that your application makes to external services (APIs, databases, third-party integrations). Traffic your app sends out goes directly from Heroku — it does not pass through the WAF.
Direct Heroku App URL Access
The WAF protects your custom domain (e.g., www.example.com). Traffic to your Heroku app’s default URL (your-app.herokuapp.com) does not pass through the WAF. See Heroku App URL and Custom Domains for how to secure this.
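Because requests to the default herokuapp.com URL bypass the WAF, the application itself can refuse anything that did not arrive through the custom domain. The Rack middleware below is an added example, not code from Expedited or Heroku; the domain names, the X-WAF-Token header and its secret are assumptions for illustration, and whether the WAF can inject such a header is not stated on this page.

```ruby
# Added example (not Expedited's or Heroku's code): Rack middleware that
# refuses requests which did not arrive through the WAF-fronted custom domain.
# Baseline check: the Host header must be one of the custom domains, so a
# request that reaches the dyno via your-app.herokuapp.com gets a 403.
# Optional check: if your edge can add a secret header to forwarded requests
# (assumed here, not stated by the docs), require it, compared in constant time.
class WafOnly
  DEFAULT_HOSTS = %w[www.example.com example.com].freeze # assumed custom domains

  def initialize(app, allowed_hosts: DEFAULT_HOSTS, secret_header: nil, secret: nil)
    @app = app
    @allowed = allowed_hosts.map(&:downcase)
    # Rack exposes a header such as "X-WAF-Token" as env["HTTP_X_WAF_TOKEN"].
    @secret_key = secret_header && "HTTP_#{secret_header.upcase.tr('-', '_')}"
    @secret = secret_header ? secret : nil
  end

  def call(env)
    return forbidden unless @allowed.include?(request_host(env))
    return forbidden if @secret && !constant_time_equal?(env[@secret_key].to_s, @secret)
    @app.call(env)
  end

  private

  # Host as presented by the client, lowercased, with any ":port" removed.
  def request_host(env)
    env["HTTP_HOST"].to_s.split(":", 2).first.to_s.downcase
  end

  # Length check first, then XOR every byte so timing does not leak a prefix match.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def forbidden
    [403, { "content-type" => "text/plain" }, ["Forbidden\n"]]
  end
end

# Downstream app and a helper that returns only the status, for quick checks.
HELLO = ->(_env) { [200, { "content-type" => "text/plain" }, ["hello\n"]] }

def waf_only_status(env, **opts)
  WafOnly.new(HELLO, **opts).call(env).first
end

# waf_only_status({ "HTTP_HOST" => "www.example.com" })        # => 200
# waf_only_status({ "HTTP_HOST" => "your-app.herokuapp.com" }) # => 403
```

Host matching is only a baseline, since the Host header is client-controlled; prefer the shared-secret check wherever your edge can set such a header.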
Application-Level Vulnerabilities
The WAF blocks common attack patterns at the HTTP layer, but it cannot protect against vulnerabilities in your application’s business logic, authentication implementation, or data handling. Application-level security (input validation, authentication, authorization) is still your responsibility.
DNS Attacks
The WAF does not provide DNS hosting or DNS-layer protection (e.g., DNS amplification attacks). Your DNS provider is responsible for DNS availability.
Need Help?
If you have questions about what the WAF can or cannot protect:
- Contact us at support@expeditedsecurity.com
- Book a Call at https://app.harmonizely.com/expedited/30-min