The Next Generation Platform is Coming - Get Ready Now!

Expedited WAF

Web Application Firewalls tuned for Heroku. Starting at ~$0.132/hour.

What's a WAF (Web Application Firewall)

A WAF automatically examines each web request to your Heroku application looking for potential attacks, blocking bad bots, stopping DDoS attacks and increasing the overall security of your application.

Additionally, custom rules blocking IPs, user agents, countries and more can be applied to respond to threats.

WAF Diagram

Web and API requests to your application are routed through the WAF, letting us block attacks before they ever touch your Heroku dynos.

Bots Are Constantly Probing

Malicious bots constantly look for vulnerabilities on every public website, from small startups to giant enterprises.

Internet bots are notoriously misbehaved. SEO bots will crawl your site for competitors, DDOS probes look for sites to blackmail and sites are continuously probed for known vulnerabilities.

Expedited WAF can automatically stop most bots from accessing your site.

Stop Attacks in Real Time

Our Intrusion Detection System automatically stops web requests that match patterns of Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), SQL Injection, and other attacks.

Block IPs

Stop anonymous IPs, web-scrapers, abusive bots and spiders run amuck before they even reach your app.

Deploy Countermeasures In A Few Clicks

Use our security controls to set specific custom traffic rules, without having to write code, run tests and wait for QA/Staging.

You can block traffic from countries you don’t service, suspicious referral sources, an IP address that’s hammering your site or unwanted user agents.

Tech Trusted By 20,000 Websites

Expedited WAF is built with market-leading signature detection and machine learning components used to protect over 20,000 websites.

Pass Your Pentests and Security Audits

We’ve helped hundreds of companies pass penetration tests and security audits.

Expedited WAF’s features provide the security controls that auditors require you to have in place and that would take months to implement on your own.

Controls like the ability to control ingress network traffic, continually updated systems to identify and stop attacks, auditable change logs, VPN and client reputation checking, and bot blocking.

No Downtime Rollover

Setup requires 5-10 minutes of work from your end.

Our automated onboarding will then handle the WAF configuration and setup for you based on your current Heroku configuration.

Once complete, you update your DNS to seamlessly transition web requests through the WAF with no downtime.

GDPR, CCPA, and PCI Compliance

Expedited WAF can help you meet or exceed compliance requirements by providing auditable security controls, and reports of where and how attacks originate.

Drop Load Times With Our CDN

Serve your app and assets from our servers located around the world. Connect clients to your site faster with HTTP/2 (“SPDY”) and optional gzip and brotli compression.

Not Sure Where To Start?

While we try to make it easy, web applications are complicated.

Book a time to talk with a Security Engineer, get your questions answered, build a go-live plan or strategize on improving your security posture.

Book A Time

Region Availability

The available application locations for this add-on are shown below, and depend on whether the application is deployed to a Common Runtime region or Private Space. Learn More

  • Common Runtime
  • Private Spaces
Region Available
United States Available
Europe Available
Region Available Installable in Space
Dublin Available
Frankfurt Available
London Available
Montreal Available
Mumbai Available
Oregon Available
Singapore Available
Sydney Available
Tokyo Available
Virginia Available

Plans & Pricing

    • ALL PLANS INCLUDE SSL
    • Automatic SSL Installation and Renewal
    • Secures wildcard subdomains: *.yourdomain.com
    • Private Space Support
    • CORE WAF FEATURES
    • Number of WAF Rules 5
    • Block IP Addresses
    • Block Countries (GeoBlocking)
    • DDOS Flood Protection
    • Automatic Blocking of malformed HTTP and network requests
    • TLS 1.3 Enforced Connections for Compliance Requirements
    • Load Balance Between Private Spaces
    • SITE SPEED UP
    • Drop page load times with HTTP2 connections
    • Service requests through servers distributed worldwide
    • Serve content faster with GZip and Brotli compression
    • BLOCK BOTS
    • Block requests from Anonymous Proxies
    • Block scrapers, misbehaving bots and malicious clients before they even reach your app
    • Block Requests by User Agent, Country, Referrer or Cookie
    • BLOCK ATTACKS
    • OWASP Top 10 vulnerability protection
    • Automatically detect and block XSS, CSRF and SQL Injection attacks
    • Automatic blocking of attacks on common web frameworks
    • PROTECT PAGES
    • Password Protect specific pages or your whole site.
    • Force Captchas on pages to fence out bots
    • Restrict URL Paths to designated IP addresses
    • SECURITY SERVICES
    • Incident Response
    • Quarterly Security Review
    • Monthly Security Review
    • ALL PLANS INCLUDE SSL
    • Automatic SSL Installation and Renewal
    • Secures wildcard subdomains: *.yourdomain.com
    • Private Space Support
    • CORE WAF FEATURES
    • Number of WAF Rules 15
    • Block IP Addresses
    • Block Countries (GeoBlocking)
    • DDOS Flood Protection
    • Automatic Blocking of malformed HTTP and network requests
    • TLS 1.3 Enforced Connections for Compliance Requirements
    • Load Balance Between Private Spaces
    • SITE SPEED UP
    • Drop page load times with HTTP2 connections
    • Service requests through servers distributed worldwide
    • Serve content faster with GZip and Brotli compression
    • BLOCK BOTS
    • Block requests from Anonymous Proxies
    • Block scrapers, misbehaving bots and malicious clients before they even reach your app
    • Block Requests by User Agent, Country, Referrer or Cookie
    • BLOCK ATTACKS
    • OWASP Top 10 vulnerability protection
    • Automatically detect and block XSS, CSRF and SQL Injection attacks
    • Automatic blocking of attacks on common web frameworks
    • PROTECT PAGES
    • Password Protect specific pages or your whole site.
    • Force Captchas on pages to fence out bots
    • Restrict URL Paths to designated IP addresses
    • SECURITY SERVICES
    • Incident Response
    • Quarterly Security Review
    • Monthly Security Review
    • ALL PLANS INCLUDE SSL
    • Automatic SSL Installation and Renewal
    • Secures wildcard subdomains: *.yourdomain.com
    • Private Space Support
    • CORE WAF FEATURES
    • Number of WAF Rules 50
    • Block IP Addresses
    • Block Countries (GeoBlocking)
    • DDOS Flood Protection
    • Automatic Blocking of malformed HTTP and network requests
    • TLS 1.3 Enforced Connections for Compliance Requirements
    • Load Balance Between Private Spaces
    • SITE SPEED UP
    • Drop page load times with HTTP2 connections
    • Service requests through servers distributed worldwide
    • Serve content faster with GZip and Brotli compression
    • BLOCK BOTS
    • Block requests from Anonymous Proxies
    • Block scrapers, misbehaving bots and malicious clients before they even reach your app
    • Block Requests by User Agent, Country, Referrer or Cookie
    • BLOCK ATTACKS
    • OWASP Top 10 vulnerability protection
    • Automatically detect and block XSS, CSRF and SQL Injection attacks
    • Automatic blocking of attacks on common web frameworks
    • PROTECT PAGES
    • Password Protect specific pages or your whole site.
    • Force Captchas on pages to fence out bots
    • Restrict URL Paths to designated IP addresses
    • SECURITY SERVICES
    • Incident Response
    • Quarterly Security Review
    • Monthly Security Review
    • ALL PLANS INCLUDE SSL
    • Automatic SSL Installation and Renewal
    • Secures wildcard subdomains: *.yourdomain.com
    • Private Space Support
    • CORE WAF FEATURES
    • Number of WAF Rules 150
    • Block IP Addresses
    • Block Countries (GeoBlocking)
    • DDOS Flood Protection
    • Automatic Blocking of malformed HTTP and network requests
    • TLS 1.3 Enforced Connections for Compliance Requirements
    • Load Balance Between Private Spaces
    • SITE SPEED UP
    • Drop page load times with HTTP2 connections
    • Service requests through servers distributed worldwide
    • Serve content faster with GZip and Brotli compression
    • BLOCK BOTS
    • Block requests from Anonymous Proxies
    • Block scrapers, misbehaving bots and malicious clients before they even reach your app
    • Block Requests by User Agent, Country, Referrer or Cookie
    • BLOCK ATTACKS
    • OWASP Top 10 vulnerability protection
    • Automatically detect and block XSS, CSRF and SQL Injection attacks
    • Automatic blocking of attacks on common web frameworks
    • PROTECT PAGES
    • Password Protect specific pages or your whole site.
    • Force Captchas on pages to fence out bots
    • Restrict URL Paths to designated IP addresses
    • SECURITY SERVICES
    • Incident Response
    • Quarterly Security Review
    • Monthly Security Review
    • ALL PLANS INCLUDE SSL
    • Automatic SSL Installation and Renewal
    • Secures wildcard subdomains: *.yourdomain.com
    • Private Space Support
    • CORE WAF FEATURES
    • Number of WAF Rules Unlimited
    • Block IP Addresses
    • Block Countries (GeoBlocking)
    • DDOS Flood Protection
    • Automatic Blocking of malformed HTTP and network requests
    • TLS 1.3 Enforced Connections for Compliance Requirements
    • Load Balance Between Private Spaces
    • SITE SPEED UP
    • Drop page load times with HTTP2 connections
    • Service requests through servers distributed worldwide
    • Serve content faster with GZip and Brotli compression
    • BLOCK BOTS
    • Block requests from Anonymous Proxies
    • Block scrapers, misbehaving bots and malicious clients before they even reach your app
    • Block Requests by User Agent, Country, Referrer or Cookie
    • BLOCK ATTACKS
    • OWASP Top 10 vulnerability protection
    • Automatically detect and block XSS, CSRF and SQL Injection attacks
    • Automatic blocking of attacks on common web frameworks
    • PROTECT PAGES
    • Password Protect specific pages or your whole site.
    • Force Captchas on pages to fence out bots
    • Restrict URL Paths to designated IP addresses
    • SECURITY SERVICES
    • Incident Response
    • Quarterly Security Review
    • Monthly Security Review
Install Expedited WAF
heroku addons:create expeditedwaf

To provision, copy the snippet into your CLI or use the install button above.

Expedited WAF Documentation