Expedited WAF

Web Application Firewalls tuned for Heroku. Starting at $75/mo.

Continuous Protection for your App

Our Web Application Firewall (WAF) sits between your Heroku application and the Internet. It’s both a Content Delivery Network (speeding up requests) and a Web Application Firewall (blocking attacks and bad clients).

Client requests to your application are routed to the closest globally located edge server, letting us block attacks before they ever touch your dynos.

Rapid Installation and Configuration

We’re the fastest way to go from start to secure. Setup can be completed in as little as 20 minutes.

Any Language and Framework

Our WAF works at the network level (before requests hit your Heroku Dynos). This lets it seamlessly protect any language or framework in your stack.

Fast Setup/Switchover

Are users actively using your app? Our onboarding will slowly roll them over to the Expedited Security WAF as their DNS updates.

This lets you confidently cut over with the absolute least amount of disruption.

Stop Attacks in Real Time

By automatically detecting the patterns of Cross Site Request Forgery (CSRF), Cross Site Scripting (XSS), SQL Injection and thousands of other specific attacks against web frameworks and Content Management Systems, we’ve formed an Intrusion Detection System that can proactively block attacks.

Protect Pages

Set passwords blocking access to specific pages on your site. Restrict access to only specific IP addresses. Stop bots from reading pages with Captcha challenges.

Exploit Prevention

Patching, by definition, is a security fix that can only help once a problem is identified, researched, tested and deployed. In the window while that’s happening, what’s protecting your application?

Similarly, vulnerability scanning is great, but it doesn’t actually stop attacks happening against your application.

Block IPs

Stop anonymous IPs, web-scrapers, abusive bots and spiders run amuck before they even reach your app.

Site Speed Up (CDN)

Serve your static pages and assets from servers located around the world. Drop load times with advanced brotli compression (falling back to gzip). Connect clients to your site faster with HTTP/2 (“SPDY”).

All without writing a line of code.

Try Expedited WAF. Get a Free Tee

Our American Apparel printed Tees won’t directly stop attacks on your site, but they do help promote our mission to make every site Strong & Secure.

Block Bots

Craft specific rules stopping bots by User Agent, Country, custom cookies or referrers.

Automatically shut down abusive bots crawling your site for vulnerabilities.

Defense In Depth

Expedited Security is a team player. We consider Defense in Depth (layering multiple different security services) to be a key component of securing modern web apps, which is why we work great with your existing vulnerability scanning service, Rack::Attack style rate limiter or custom security controls.

No Code Setup

By operating at the network request level, Expedited WAF is able to better secure your application without the need to write, test and deploy new code.

Region Availability

The available application locations for this add-on are shown below, and depend on whether the application is deployed to a Common Runtime region or Private Space.

Common Runtime

Region          Available
United States   Available
Europe          Available

Private Spaces

Region      Available   Installable in Space
Virginia    Available
Oregon      Available
Frankfurt   Available
Tokyo       Available
Sydney      Available
Dublin      Available

Plans & Pricing

Every plan includes the same features listed below. The plans differ only in the number of WAF rules and the requests per month:

    • Number of WAF Rules 5, Requests per Month 1,000,000
    • Number of WAF Rules 15, Requests per Month 5,000,000
    • Number of WAF Rules 50, Requests per Month 25,000,000
    • Number of WAF Rules Unlimited, Requests per Month Unlimited

ALL PLANS INCLUDE SSL

    • Automatic SSL Installation and Renewal
    • Secures multiple subdomains: *.yourdomain.com

CORE WAF FEATURES

    • Block IP Addresses
    • DDOS Flood Protection
    • Automatic Blocking of malformed HTTP and network requests
    • TLS 1.3 Enforced Connections for Compliance Requirements

SITE SPEED UP

    • Drop page load times with HTTP2 connections
    • Service requests through servers distributed worldwide
    • Serve content faster with GZip and Brotli compression

BLOCK BOTS

    • Block requests from Anonymous Proxies
    • Block scrapers, misbehaving bots and malicious clients before they even reach your app
    • Block Requests by User Agent, Country, Referrer or Cookie

BLOCK ATTACKS

    • OWASP Top 10 vulnerability protection
    • Automatically detect and block XSS, CSRF and SQL Injection attacks
    • Automatic blocking of attacks on common web frameworks

PROTECT PAGES

    • Password Protect specific pages or your whole site.
    • Force Captchas on pages to fence out bots
    • Restrict URL Paths to designated IP addresses

Install Expedited WAF

    heroku addons:create expeditedwaf

To provision, copy the snippet into your CLI or use the install button above.
