Expedited WAF

Web Application Firewalls tuned for Heroku. Starting at $75/mo.

What's a WAF (Web Application Firewall)?

A WAF automatically examines each web request to your Heroku application looking for potential attacks, blocking bad bots, stopping DDoS attacks and increasing the overall security of your application.

Additionally, custom rules blocking IPs, user agents, countries and more can be applied to respond to threats.

Web and API requests to your application are routed through the WAF, letting us block attacks before they ever touch your Heroku dynos.

Bots Are Constantly Probing

Malicious bots constantly look for vulnerabilities on every public website, from small startups to giant enterprises.

Internet bots are notoriously misbehaved. SEO bots will crawl your site for competitors, DDoS probes look for sites to blackmail, and sites are continuously probed for known vulnerabilities.

Expedited WAF can automatically stop most bots from accessing your site.

Any Language and Framework

Our WAF works at the network level (before requests hit your Heroku dynos). This lets it seamlessly protect any language or framework in your stack.

Stop Attacks in Real Time

Our Intrusion Detection System automatically stops web requests that match patterns of Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), SQL Injection, and other attacks.

What's Better Than Patching?

Patching (by definition) happens after a vulnerability in your app or framework has been identified.

Expedited WAF provides another layer of protection, stopping attacks by matching their pattern. Attacks get blocked whether the vulnerability is known or not.

Block IPs

Stop anonymous IPs, web scrapers, abusive bots and spiders run amok before they even reach your app.

Deploy Countermeasures In A Few Clicks

Use our security controls to set specific custom traffic rules, without having to write code, run tests or wait for QA/Staging.

You can block traffic from countries you don’t service, suspicious referral sources, an IP address that’s hammering your site or unwanted user agents.

Tech Trusted By 20,000 Websites

Expedited WAF is built with market-leading signature detection and machine learning components used to protect over 20,000 websites.

No Downtime Rollover

Setup requires 5-10 minutes of work from your end.

Our automated onboarding will then handle the WAF configuration and setup for you based on your current Heroku configuration.

Once complete, you update your DNS to seamlessly transition web requests through the WAF with no downtime.

39 Point Heroku Security Checklist

Not sure where to start in securing your Heroku app?

Download our 39 point Heroku Application Security Checklist

GDPR, CCPA, and PCI Compliance

Expedited WAF can help you meet or exceed compliance requirements by providing auditable security controls, and reports of where and how attacks originate.

Drop Load Times With Our CDN

Serve your app and assets from our servers located around the world. Drop load times with advanced brotli compression (falling back to gzip) and connect clients to your site faster with HTTP/2 (“SPDY”).

Works with Cloudflare and Fastly

Already have a CDN? Create a custom solution by combining Cloudflare, Fastly or another CDN with the security features of Expedited WAF.

Presets let you bring your own CDN and also leverage the security controls and intrusion detection features of Expedited WAF.

Still Have Questions? Talk to an Expert.

While we try to make it easy, web applications are complicated.

Book a time to talk with a Security Engineer, get your questions answered, build a go-live plan or strategize on improving your security posture.

Region Availability

The available application locations for this add-on are shown below, and depend on whether the application is deployed to a Common Runtime region or Private Space.

Common Runtime

    Region           Available
    United States    Available
    Europe           Available

Private Spaces

    Region       Available    Installable in Space
    Virginia     Available
    Oregon       Available
    Frankfurt    Available
    Tokyo        Available
    Sydney       Available
    Dublin       Available

Plans & Pricing

Features listed for every plan:

ALL PLANS INCLUDE SSL

    • Automatic SSL Installation and Renewal
    • Secures multiple subdomains: *.yourdomain.com

CORE WAF FEATURES

    • Block IP Addresses
    • Block Countries (GeoBlocking)
    • DDOS Flood Protection
    • Automatic Blocking of malformed HTTP and network requests
    • TLS 1.3 Enforced Connections for Compliance Requirements
    • Load Balance Between Private Spaces
    • Failover to Alternate Cloud Provider

SITE SPEED UP

    • Drop page load times with HTTP2 connections
    • Service requests through servers distributed worldwide
    • Serve content faster with GZip and Brotli compression

BLOCK BOTS

    • Block requests from Anonymous Proxies
    • Block scrapers, misbehaving bots and malicious clients before they even reach your app
    • Block Requests by User Agent, Country, Referrer or Cookie

BLOCK ATTACKS

    • OWASP Top 10 vulnerability protection
    • Automatically detect and block XSS, CSRF and SQL Injection attacks
    • Automatic blocking of attacks on common web frameworks

PROTECT PAGES

    • Password Protect specific pages or your whole site.
    • Force Captchas on pages to fence out bots
    • Restrict URL Paths to designated IP addresses

Limits by plan (plans in page order):

    Number of WAF Rules    Requests per Month
    5                      1,000,000
    15                     5,000,000
    50                     25,000,000
    150                    500,000,000
    Unlimited              Unlimited

Install Expedited WAF

    heroku addons:create expeditedwaf

To provision, copy the snippet into your CLI or use the install button above.

Expedited WAF Documentation