Removing the WAF

Overview

If you need to remove the Expedited WAF from your Heroku application, follow the steps below. The process involves removing the addon from Heroku and reverting your DNS records so that traffic goes directly to your Heroku app instead of routing through the WAF.

Before You Remove

Before removing the WAF, verify that your Heroku app is accessible directly and gather what you will need:

  1. Visit your app at its .herokuapp.com URL to confirm it loads correctly
  2. Ensure you have your Heroku DNS target ready (you will need it to update DNS)
  3. Note that all WAF settings, IP allowlists, blocked IPs, path rules, and configuration will be permanently lost — there is no way to recover them after removal

Step 1: Remove the Addon from Heroku

  1. Go to your Heroku dashboard at dashboard.heroku.com
  2. Select your application
  3. Click the Resources tab
  4. Find ExpeditedWAF in your add-ons list
  5. Click the pencil/edit icon next to it
  6. Click Remove and confirm the removal

Alternatively, you can remove it via the CLI:

heroku addons:destroy expeditedwaf

Step 2: Revert Your DNS Records

After removing the addon, your DNS records are still pointing to the WAF proxy. You need to update them to point directly to Heroku.

For CNAME Records

Update your CNAME record from the WAF proxy address to your Heroku DNS target:

  • Type: CNAME
  • Name: www (or your subdomain)
  • Value: Your Heroku DNS target (e.g., your-app.herokuapp.com or the DNS target shown in your Heroku app’s Settings > Domains section)

For A Records (Apex/Root Domain)

If you were using an A record for your root domain, update it to point to Heroku’s IP addresses or use your DNS provider’s CNAME flattening/ALIAS feature to point to your Heroku DNS target.

Check your Heroku app’s Settings > Domains section for the correct DNS target value.

Step 3: Verify

After updating DNS (allow up to 24 hours for propagation, though it is usually much faster):

  1. Visit your domain to confirm your site loads directly from Heroku
  2. Check that HTTPS is working (you may need to configure SSL separately through Heroku if you were relying on the WAF’s certificate)
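The Step 3 checks can be scripted. The script below is an added example, not part of the original guide or of Expedited WAF's tooling. It assumes dig and curl are installed, and the hostname waf-proxy.example.net in the samples is a constructed placeholder.

```shell
#!/bin/sh
# Added example. Hostnames in the samples are constructed placeholders.

# Lowercase and strip the trailing dot so "Your-App.herokuapp.com."
# and "your-app.herokuapp.com" compare equal.
normalize() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# dns_state OBSERVED EXPECTED
#   OBSERVED: output of `dig +short CNAME <domain>`
#   EXPECTED: Heroku DNS target from Settings > Domains
# Prints direct  (CNAME points at the Heroku target),
#        stale   (CNAME points elsewhere, e.g. still at the WAF proxy),
#        missing (no CNAME answer: apex A/ALIAS record, or name not found).
dns_state() {
  [ -n "$1" ] || { echo missing; return 0; }
  first=$(printf '%s\n' "$1" | head -n 1)
  if [ "$(normalize "$first")" = "$(normalize "$2")" ]; then
    echo direct
  else
    echo stale
  fi
}

if [ "$#" -eq 2 ]; then
  # Live check: script.sh DOMAIN HEROKU_DNS_TARGET
  state=$(dns_state "$(dig +short CNAME "$1")" "$2")
  echo "DNS: $state"
  # curl exits non-zero when the certificate is invalid or does not match.
  if curl -sS -o /dev/null --max-time 10 "https://$1/"; then
    echo "HTTPS: ok"
  else
    echo "HTTPS: failed; configure SSL in Heroku if the WAF held the certificate"
  fi
  [ "$state" = direct ]
else
  # Offline demo on constructed samples.
  dns_state "waf-proxy.example.net." "your-app.herokuapp.com"   # stale
  dns_state "Your-App.herokuapp.com." "your-app.herokuapp.com"  # direct
  dns_state "" "your-app.herokuapp.com"                         # missing
fi
```

Run with a domain and the Heroku DNS target as arguments, the script exits non-zero while the CNAME is still stale, so it can be repeated until propagation completes.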

What Happens After Removal

  • WAF settings are lost — All IP blocks, country blocks, path rules, rate limiting settings, and other configuration are permanently deleted
  • SSL certificate — The WAF-issued SSL certificate will no longer be active. You will need to configure SSL through Heroku (Heroku provides free automated SSL via ACM for paid dynos)
  • Security protections removed — DDoS protection, bot blocking, intrusion detection, and other WAF features will no longer be active
  • Your Heroku app is unaffected — The WAF is a proxy layer in front of your app. Removing it does not modify your application code or data

Re-adding the WAF

If you decide to add the WAF back later, you can re-add the ExpeditedWAF addon from the Heroku Marketplace. You will need to go through the setup process again, including DNS configuration and certificate issuance.

Need Help?

If you need assistance with the removal process or have questions: