Heroku App URL and Custom Domains
Overview
Every Heroku app has a default .herokuapp.com URL (e.g., your-app.herokuapp.com). This URL connects directly to your Heroku application, completely bypassing the WAF. This is a security concern because attackers who discover this URL can access your application without any of the WAF’s protections.
Why This Matters
When the WAF is properly configured, all traffic flows through it:
Visitor → WAF (security checks) → Your Heroku App
But the .herokuapp.com URL bypasses this entirely:
Attacker → Your Heroku App (no WAF protection)
This means an attacker using the .herokuapp.com URL can:
- Bypass DDoS protection and flood your app directly
- Bypass bot detection and scrape your content
- Bypass IP blocks and country blocks you have configured
- Bypass rate limiting and brute force protection
- Attempt SQL injection, XSS, and other attacks without WAF filtering
How to Restrict Access
Heroku Private Spaces (Recommended)
If your app runs in a Heroku Private Space, you can configure a trusted IP range to only accept traffic from the WAF’s IP addresses. This completely prevents direct access via the .herokuapp.com URL from unauthorized sources.
See Heroku Private Space Trusted IP Range Configuration for setup instructions.
Application-Level Restrictions
If you are not on a Heroku Private Space, you can restrict access at the application level:
Check the Host header — Your application can reject requests that arrive via the .herokuapp.com hostname by inspecting the Host header and only accepting requests for your custom domain.
Check the X-Forwarded-For header — Requests that pass through the WAF carry forwarding headers such as X-Forwarded-For. Your application can verify that a request came via the WAF by checking for these headers before serving it. See HTTP X-Forwarded-For Header Forwarding for details on how the WAF sets forwarding headers.
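Both application-level checks above, combined in one WSGI middleware, as an added example that is not part of the original page or of the WAF product itself; the domain names in ALLOWED_HOSTS and the 403 response are assumptions, so substitute your own custom domains.

```python
# Added example: reject requests that did not arrive through the WAF.
# Check 1: the Host header must be one of our custom domains, never
#          the default .herokuapp.com hostname.
# Check 2: a forwarding header (X-Forwarded-For) must be present.
# Caveat: on a direct request every header is attacker-controlled, so
# this is a mitigation; a Private Space trusted IP range is the stronger
# control described earlier on this page.

ALLOWED_HOSTS = frozenset({"www.example.com", "example.com"})  # assumed domains


def host_without_port(host: str) -> str:
    """Normalise 'Host' by dropping any :port suffix and case."""
    return host.split(":", 1)[0].strip().lower()


def request_is_allowed(headers: dict) -> tuple:
    """Return (allowed, reason) for a request's headers."""
    host = host_without_port(headers.get("Host", ""))
    if not host or host.endswith(".herokuapp.com"):
        return False, "direct herokuapp.com access"
    if host not in ALLOWED_HOSTS:
        return False, "unknown host"
    if not headers.get("X-Forwarded-For", "").strip():
        return False, "missing forwarding header"
    return True, "ok"


class WafOnlyMiddleware:
    """Wrap any WSGI app; answer 403 to requests that bypassed the WAF."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        headers = {
            "Host": environ.get("HTTP_HOST", ""),
            "X-Forwarded-For": environ.get("HTTP_X_FORWARDED_FOR", ""),
        }
        allowed, reason = request_is_allowed(headers)
        if not allowed:
            body = b"Forbidden"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                              ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)
```

Wrap your existing WSGI application with WafOnlyMiddleware(app) and log the returned reason on rejections so bypass attempts show up in your monitoring.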
Finding Your Herokuapp URL
Your .herokuapp.com URL is visible in your Heroku dashboard under Settings > Domains. While you cannot remove this URL, you can mitigate the risk using the approaches above.
Need Help?
If you need help restricting direct access to your Heroku app:
- Contact us at support@expeditedsecurity.com
- Book a Call at https://app.harmonizely.com/expedited/30-min