How to Block IP Addresses on Heroku

Why IP Blocking Matters

Many poorly written, misbehaving, or malicious bots are easy to identify because all of their traffic comes from a single IP address. Blocking that address is usually the first step in rejecting unwanted traffic to your site; it is cheap, immediate, and needs no change to your application.

IP blocking is a first line of defense for protecting your Heroku application from:

  • Brute force attacks attempting to guess passwords or API keys
  • Scraping bots extracting your content or pricing data
  • Vulnerability scanners probing for security weaknesses
  • Known malicious hosts identified by threat intelligence feeds
  • Abusive users who have violated your terms of service

Without blocking at the edge, every one of these requests reaches your Heroku dynos, consuming dyno resources and giving the attacker unlimited attempts against your application.

Prerequisites

What you need to get started:

  1. Expedited WAF add-on installed on your Heroku application

How to Block IP Addresses on Heroku

Step 1: Open the IP Blocking Dashboard

Navigate to your Expedited WAF dashboard and select the Block/Allow IPs page from the sidebar menu.

Step 2: Add IPs to Block

Enter each IP address or CIDR-notated IP range that you want to block. Expedited WAF supports the following forms (the addresses below come from the RFC 5737 and RFC 3849 documentation ranges and are examples only):

  • Single IP addresses: 203.0.113.45
  • CIDR ranges: 203.0.113.0/24 (blocks all 256 addresses from 203.0.113.0 to 203.0.113.255; a smaller prefix length means a larger range, so check the mask before saving)
  • IPv6 addresses: 2001:db8::1

Step 3: Save and Verify

After adding your rules, requests from blocked addresses are rejected at the edge immediately. Every such request receives a 403 Forbidden response from the WAF and never reaches your Heroku dynos. Verify a new rule by sending a test request from a blocked address: it should get the 403 and should not appear in your Heroku router logs, because it never reaches Heroku.

Common Use Cases

Blocking After an Attack

When you identify malicious traffic in your logs, add the source IPs to your block list immediately. This stops the ongoing attack while you investigate. Block the address the connection actually came from, not an address the client supplied in its own X-Forwarded-For header, which can be forged.

Geographic Blocking by IP Range

If abusive traffic comes from entire IP ranges (often a hosting provider's allocation, or a region you do not serve), block the range using CIDR notation rather than one address at a time. Look up the allocation that owns the address (WHOIS/RDAP) so the range you block matches the provider's actual block, and check that no customers or partners of yours share it before saving.
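The log review described under "Blocking After an Attack" and the range aggregation above, as an added example that is not code from this page or from Expedited WAF: it parses constructed Heroku router log lines, counts suspicious responses per source address, and collapses offenders that share a /24 into one CIDR entry. The status codes, the threshold and the /24 grouping are assumptions to tune for your own traffic. The example reads the client address from the fwd field; that field can carry a comma-separated X-Forwarded-For chain in which only the last entry is the peer the Heroku router accepted, and with a proxy such as the WAF in front of Heroku the client sits one hop earlier, which the trusted_proxies parameter accounts for.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines in the Heroku router log format (not real traffic).
# Addresses come from the RFC 5737 / RFC 3849 documentation ranges.
SAMPLE_LOG = """\
2024-05-01T12:00:01+00:00 heroku[router]: at=info method=POST path="/login" host=app.example.com fwd="203.0.113.10" dyno=web.1 connect=1ms service=30ms status=401 bytes=512 protocol=https
2024-05-01T12:00:02+00:00 heroku[router]: at=info method=POST path="/login" host=app.example.com fwd="203.0.113.10" dyno=web.1 connect=1ms service=28ms status=401 bytes=512 protocol=https
2024-05-01T12:00:03+00:00 heroku[router]: at=info method=POST path="/login" host=app.example.com fwd="10.0.0.5, 203.0.113.10" dyno=web.1 connect=1ms service=29ms status=401 bytes=512 protocol=https
2024-05-01T12:00:04+00:00 heroku[router]: at=info method=POST path="/login" host=app.example.com fwd="203.0.113.11" dyno=web.1 connect=1ms service=31ms status=401 bytes=512 protocol=https
2024-05-01T12:00:05+00:00 heroku[router]: at=info method=POST path="/login" host=app.example.com fwd="203.0.113.11" dyno=web.1 connect=1ms service=27ms status=401 bytes=512 protocol=https
2024-05-01T12:00:06+00:00 heroku[router]: at=info method=POST path="/login" host=app.example.com fwd="203.0.113.11" dyno=web.1 connect=1ms service=30ms status=401 bytes=512 protocol=https
2024-05-01T12:00:07+00:00 heroku[router]: at=info method=GET path="/wp-login.php" host=app.example.com fwd="2001:db8::1" dyno=web.1 connect=1ms service=5ms status=404 bytes=120 protocol=https
2024-05-01T12:00:08+00:00 heroku[router]: at=info method=GET path="/.env" host=app.example.com fwd="2001:db8::1" dyno=web.1 connect=1ms service=4ms status=404 bytes=120 protocol=https
2024-05-01T12:00:09+00:00 heroku[router]: at=info method=GET path="/phpmyadmin/" host=app.example.com fwd="2001:db8::1" dyno=web.1 connect=1ms service=4ms status=404 bytes=120 protocol=https
2024-05-01T12:00:10+00:00 heroku[router]: at=info method=GET path="/" host=app.example.com fwd="198.51.100.7" dyno=web.1 connect=1ms service=40ms status=200 bytes=8000 protocol=https
2024-05-01T12:00:11+00:00 heroku[router]: at=info method=POST path="/login" host=app.example.com fwd="198.51.100.7" dyno=web.1 connect=1ms service=35ms status=401 bytes=512 protocol=https
2024-05-01T12:00:12+00:00 heroku[app]: State changed from starting to up
"""

# Only router lines carry path/fwd/status; the fields appear in this order.
LINE_RE = re.compile(
    r'heroku\[router\]:.*?\bpath="(?P<path>[^"]*)"'
    r'.*?\bfwd="(?P<fwd>[^"]*)".*?\bstatus=(?P<status>\d+)'
)


def parse_router_line(line, trusted_proxies=0):
    """Return (client_ip, status, path) for a router line, or None for other lines.

    fwd may hold a comma-separated X-Forwarded-For chain. The last entry is the
    peer the Heroku router accepted the connection from; entries before it were
    supplied by whoever connected and can be forged. trusted_proxies is the number
    of proxies you operate between the client and the router (assumption: 0 when
    clients hit Heroku directly, 1 with a single edge proxy in front).
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    chain = [p.strip() for p in m.group("fwd").split(",") if p.strip()]
    idx = len(chain) - 1 - trusted_proxies
    if idx < 0:
        return None
    try:
        ip = ipaddress.ip_address(chain[idx])
    except ValueError:
        return None
    return str(ip), int(m.group("status")), m.group("path")


def find_offenders(log_text, threshold=3, suspicious_statuses=(401, 403, 404),
                   trusted_proxies=0):
    """Count responses with suspicious status codes per client IP and return the
    addresses that reach the threshold, most active first."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_router_line(line, trusted_proxies)
        if parsed and parsed[1] in suspicious_statuses:
            counts[parsed[0]] += 1
    return {ip: n for ip, n in counts.most_common() if n >= threshold}


def aggregate_ranges(ips, prefixlen=24, min_hosts=2):
    """Collapse IPv4 offenders sharing one /prefixlen into a single CIDR entry
    when at least min_hosts of them appear; everything else stays an individual
    entry. Verify the owning allocation (WHOIS/RDAP) before blocking a range."""
    by_net = defaultdict(list)
    singles = []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if addr.version == 4:
            net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
            by_net[net].append(ip)
        else:
            singles.append(ip)
    entries = []
    for net, members in by_net.items():
        entries.extend([str(net)] if len(members) >= min_hosts else members)
    return sorted(entries + singles)


if __name__ == "__main__":
    offenders = find_offenders(SAMPLE_LOG)
    for ip, n in offenders.items():
        print(f"{ip}: {n} suspicious responses")
    print("block list candidates:", aggregate_ranges(offenders))
```

On the constructed sample the two brute-forcers in 203.0.113.0/24 become one /24 entry, the IPv6 scanner stays a single entry, and 198.51.100.7 with one failed login is left alone; a real user mistyping a password must not end up on the block list, so keep the threshold above what a human produces.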

Temporary Blocks During Incidents

During an active attack, block suspicious IPs first and analyze later. Note when and why each entry was added so you remember to remove it once you have reviewed the traffic patterns; stale emergency blocks are a common reason legitimate users are locked out months later.

Blocking Known Bad Actors

Threat intelligence feeds publish lists of known malicious IPs. Import these ranges to proactively block attackers before they target you. Feeds contain false positives and go stale as addresses are reassigned, so refresh imported ranges on a schedule, drop entries the feed retires, and reject malformed lines rather than silently skipping them.

Using IP Allowlists

In addition to blocking, you can allowlist specific IPs to ensure they’re never blocked:

  • Your office IP addresses
  • CI/CD pipeline IPs for deployment
  • Third-party services that integrate with your API
  • Monitoring services that check your uptime

Allowlisted IPs bypass all WAF rules, so use this feature sparingly, and never allowlist a shared or NAT address: every client behind it inherits the bypass.
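The list semantics from Step 2, the feed import described under "Blocking Known Bad Actors", and the allowlist precedence described here, as one added example that is not Expedited WAF's own code (the page does not show its implementation): it parses block and allow entries in the three supported forms from plain text, rejects entries that do not parse instead of dropping them silently, collapses duplicates and overlapping ranges, and reports which entry a given client address matched, which is the first thing to check when a legitimate user reports being blocked. The sample lists are constructed, and the rule that the allowlist wins follows from the statement above that allowlisted IPs bypass all WAF rules.

```python
import ipaddress

# Constructed example lists (not from the page). 203.0.113.0/24 and 198.51.100.0/24
# are RFC 5737 documentation ranges; 2001:db8::/32 is the RFC 3849 IPv6 one.
BLOCK_FEED = """\
# comment lines and blanks are ignored
203.0.113.0/24
203.0.113.45          # already inside the /24 above; collapsed away
198.51.100.0/25
198.51.100.128/25     # the two /25s merge into 198.51.100.0/24
2001:db8::/32
2001:db8::1           # inside the /32
not-an-ip             # rejected and reported, not silently dropped
203.0.113.0/33        # invalid prefix length, also rejected
"""

ALLOW_LIST = """\
203.0.113.7           # e.g. an office egress address inside a blocked /24
2001:db8:1::/48
"""


def parse_ip_list(text):
    """Parse one entry per line (single IP or CIDR, v4 or v6, '#' comments).

    Returns (networks, rejected): networks is a list of ip_network objects with
    duplicates and overlaps collapsed, rejected the raw entries that did not parse.
    """
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False tolerates host bits in a CIDR (203.0.113.45/24 -> 203.0.113.0/24)
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)
    # collapse_addresses only accepts one address family at a time
    v4 = ipaddress.collapse_addresses([n for n in nets if n.version == 4])
    v6 = ipaddress.collapse_addresses([n for n in nets if n.version == 6])
    return list(v4) + list(v6), rejected


def address_count(entry):
    """Number of addresses a list entry covers: a /24 is 256, a single IP is 1."""
    return ipaddress.ip_network(entry, strict=False).num_addresses


class IpPolicy:
    """Edge decision for one client address. Allow entries win over block
    entries (the allowlist bypasses all other rules); an address on neither
    list passes through to the remaining WAF checks."""

    def __init__(self, block_text, allow_text):
        self.block, self.block_rejected = parse_ip_list(block_text)
        self.allow, self.allow_rejected = parse_ip_list(allow_text)

    @staticmethod
    def _match(addr, nets):
        return next((n for n in nets if n.version == addr.version and addr in n), None)

    def decide(self, client_ip):
        """Return ('allow', entry), ('block', entry) or ('pass', None), where entry
        is the list line that matched, so a blocked user can be traced to a rule."""
        addr = ipaddress.ip_address(client_ip)
        hit = self._match(addr, self.allow)
        if hit is not None:
            return "allow", str(hit)
        hit = self._match(addr, self.block)
        if hit is not None:
            return "block", str(hit)
        return "pass", None


if __name__ == "__main__":
    policy = IpPolicy(BLOCK_FEED, ALLOW_LIST)
    print("block entries:", [str(n) for n in policy.block])
    print("rejected:", policy.block_rejected)
    for ip in ("203.0.113.7", "203.0.113.45", "2001:db8:1::5", "192.0.2.1"):
        print(ip, "->", policy.decide(ip))
```

Collapsing overlapping entries before loading them keeps the list short and makes it obvious when a single /24 is doing the work of dozens of individual lines; reporting rejected entries matters because a feed line that silently fails to parse is a block you believe exists but does not.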

Troubleshooting

Issue: Legitimate users are being blocked

  • Check if their IP is in a blocked CIDR range
  • Verify you haven’t blocked a shared IP (NAT, corporate proxy)
  • Review the block reason in the WAF logs

Issue: Blocked IPs still reaching my application

  • Verify the WAF is actually proxying your traffic: your domain's DNS must resolve to the WAF, not straight to Heroku
  • Check that your application isn't reachable around the WAF via its direct Heroku domain (yourapp.herokuapp.com) or any other custom domain that still points at Heroku directly
  • Confirm the block rule is active (not just saved as draft)

Issue: Can’t block all IPs in an attack

  • Consider geographic blocking for regions you don’t serve
  • Enable rate limiting to slow down distributed attacks
  • Use CAPTCHA challenges for suspicious traffic patterns
