How to Block the Latest OWASP Top 10 Vulnerabilities on Heroku
What’s the OWASP Top Ten?
The Open Web Application Security Project (OWASP) is a non-profit organization dedicated to improving the overall application security of the world’s computer systems.
They periodically survey their membership, do research, and develop a list of the Top 10 most common security vulnerabilities affecting web applications. The most recent update was released in 2025.
OWASP and Compliance Frameworks
The OWASP Top 10 has become a cornerstone reference for major compliance frameworks and security standards. Understanding and addressing these vulnerabilities isn’t just good security practice—it’s often a requirement for certification.
SOC 2
SOC 2 (Service Organization Control 2) audits evaluate how organizations handle customer data based on five trust principles: security, availability, processing integrity, confidentiality, and privacy. The security principle specifically requires organizations to protect against unauthorized access, and auditors frequently reference the OWASP Top 10 as the baseline for web application security controls. Demonstrating protection against OWASP vulnerabilities helps satisfy SOC 2’s Common Criteria related to system boundaries and threat mitigation.
ISO 27001
ISO 27001 is the international standard for information security management systems (ISMS). Annex A.14 of the 2013 edition specifically addresses secure development practices and requires organizations to establish secure coding guidelines; the 2022 edition carries the same requirements under Annex A.8 (for example A.8.25, secure development life cycle, and A.8.28, secure coding). See our framework security checklists below for practical implementation guidance. The OWASP Top 10 is widely recognized as the industry standard checklist for these guidelines, and many ISO 27001 auditors expect organizations to demonstrate awareness of and protection against these vulnerabilities as part of their security controls.
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) explicitly references OWASP in Requirement 6, which mandates that organizations develop and maintain secure applications. PCI DSS 4.0 requires protection against common coding vulnerabilities and points to industry guidance such as the OWASP Top 10 for identifying them. Any organization handling credit card data must address these vulnerabilities to achieve and maintain PCI compliance.
HIPAA
While HIPAA doesn’t explicitly name OWASP, the Security Rule requires covered entities to implement technical safeguards protecting electronic health information. The OWASP Top 10 provides a practical framework for meeting these requirements, particularly around access controls, audit controls, and transmission security. Healthcare organizations increasingly use OWASP compliance as evidence of due diligence in protecting patient data.
FedRAMP
Federal Risk and Authorization Management Program (FedRAMP) requires cloud service providers working with U.S. government agencies to meet rigorous security standards. FedRAMP’s application security requirements align closely with OWASP guidelines, and authorization packages typically must demonstrate protection against Top 10 vulnerabilities through security assessments and penetration testing.
Categories of Vulnerabilities, Not Implementations
OWASP’s list deliberately does not enumerate specific flaws in particular web frameworks; it describes the categories of attack most likely to hit your application. That makes it harder to see how you would use Expedited WAF to lower your overall application risk.
To help overcome this, below, we’ve mapped the OWASP Top 10:2025 vulnerabilities to the Expedited WAF features that protect against them.
A01:2025 - Broken Access Control
Users should only have access to the areas they need. A normal user should not be able to read another user's data without permission, nor reach sensitive areas such as /admin pages. This remains the #1 most critical web application security risk.
How Expedited WAF Helps: Use Expedited WAF to implement a least privilege model at the edge, adding restrictions on sensitive areas like /admin, /api, or user-specific routes by IP address, geolocation, or user agent. These edge rules complement, but do not replace, the per-request authorization checks your application must make: a WAF cannot know which user owns which record.
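The two halves of broken access control described above, as an added example (not code from this page or from Expedited WAF): a "fetch an order" handler that trusts the id in the URL (an insecure direct object reference) next to the version that checks ownership, plus a least-privilege gate for /admin that combines an application role check with a source-network allow-list of the kind the text describes adding at the WAF layer. The orders, users, network range and `Request` shape are all constructed for the example.

```python
"""Broken access control: IDOR in an order endpoint, the ownership check that
fixes it, and a role-plus-network gate for /admin. Constructed example with
hypothetical data; not part of Expedited WAF or any real application."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed sample data: orders keyed by id, each owned by exactly one user.
ORDERS = {
    101: {"owner": "alice", "total": 42.00},
    102: {"owner": "bob", "total": 9.99},
}
ADMINS = {"carol"}
# Hypothetical allow-list: only requests arriving from this network may reach
# /admin, the kind of restriction the page describes adding in front of the app.
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


class Forbidden(Exception):
    """Raised when a request is denied; the caller maps it to a 403."""


@dataclass
class Request:
    user: Optional[str]   # authenticated user from the session, None if anonymous
    path: str
    remote_addr: str


def get_order_vulnerable(req: Request, order_id: int) -> dict:
    """Checks only that someone is logged in, then trusts the id in the URL.
    Any authenticated user can read any order by changing the number."""
    if req.user is None:
        raise Forbidden("login required")
    return ORDERS[order_id]


def get_order_fixed(req: Request, order_id: int) -> dict:
    """Authenticate, then authorize: the record must belong to the caller."""
    if req.user is None:
        raise Forbidden("login required")
    order = ORDERS.get(order_id)
    # Same response for "does not exist" and "not yours", so the endpoint
    # cannot be used to enumerate which order ids exist.
    if order is None or order["owner"] != req.user:
        raise Forbidden("no such order")
    return order


def admin_allowed(req: Request) -> bool:
    """Least-privilege gate for /admin: the caller must hold the admin role
    AND arrive from an allowed network. Either check alone is weaker: the
    role check fails against a stolen session, the network check fails
    against a malicious insider."""
    if not req.path.startswith("/admin"):
        return True
    addr = ipaddress.ip_address(req.remote_addr)
    from_allowed_net = any(addr in net for net in ADMIN_NETWORKS)
    return req.user in ADMINS and from_allowed_net


if __name__ == "__main__":
    bob = Request(user="bob", path="/orders/101", remote_addr="203.0.113.7")
    print("vulnerable:", get_order_vulnerable(bob, 101))  # leaks alice's order
    try:
        get_order_fixed(bob, 101)
    except Forbidden as exc:
        print("fixed:", exc)
    inside = Request(user="carol", path="/admin/users", remote_addr="10.1.2.3")
    outside = Request(user="carol", path="/admin/users", remote_addr="203.0.113.9")
    print("admin from inside:", admin_allowed(inside), "from outside:", admin_allowed(outside))
```

The fixed handler returns the same error for a missing order and for someone else's order; returning 404 for one and 403 for the other would let an attacker enumerate valid ids.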
A02:2025 - Security Misconfiguration
As the complexity of modern web stacks has exploded, there has been a parallel rise in breaches caused by misconfigured or poorly configured systems. Moved up from #5 to #2, reflecting its growing impact.
How Expedited WAF Helps: To the greatest extent possible, Expedited WAF works "out of the box", so there is little opportunity to misconfigure access. By enforcing site-wide, continuously updated security controls on inbound requests, it blocks many attacks that would otherwise slip through to a misconfigured application.
A03:2025 - Software Supply Chain Failures
Modern applications depend on hundreds of libraries, packages, and dependencies. A compromise anywhere in the software supply chain, from malicious packages to vulnerable dependencies, can affect your entire application.
How Expedited WAF Helps: Expedited WAF provides "virtual patching": it blocks exploitation attempts against known vulnerabilities before they reach your application, giving you breathing room to update dependencies safely. Continuously updated rule sets block attacks targeting newly discovered vulnerabilities in popular frameworks and libraries. Virtual patching buys time; it is not a substitute for upgrading the affected dependency.
A04:2025 - Cryptographic Failures
Failures related to cryptography (or the lack of it) that lead to exposure of sensitive data: weak or missing encryption, or improper handling of cryptographic keys.
How Expedited WAF Helps: Expedited WAF protects your data in transit by enforcing strict TLS requirements and by setting HTTP security headers on responses to prevent TLS stripping and other downgrade attacks (that is the job of the Strict-Transport-Security header), so connections that start encrypted stay encrypted. Encryption at rest and key management remain your application's responsibility.
A05:2025 - Injection
Attacks that send untrusted data into your application in a form that a downstream interpreter (a SQL engine, a shell, an LDAP server, a browser) executes as part of a command or query instead of treating it as plain data. Examples: SQL Injection, Command Injection, LDAP Injection. XSS and XXE are now included in this category.
How Expedited WAF Helps: Automatic blocking of SQL Injection, XSS, XXE and Command Injection attempts, as well as CSRF attacks (CSRF is not itself an injection class). Expedited WAF analyzes incoming requests and blocks injection attempts before they reach your application code. Treat this as a second line of defense behind parameterized queries and output encoding in the application itself: signature matching can be evaded.
A06:2025 - Insecure Design
Risks arising from design and architectural flaws. Unlike implementation defects, these are fundamental issues in how the application was conceived: missing security controls, absent or inadequate threat modeling, or insecure design patterns.
How Expedited WAF Helps: Secure design has to happen during development, but Expedited WAF adds a defense-in-depth layer that can compensate for some design weaknesses by enforcing security policy at the edge. Rate limiting, geo-blocking, and attack pattern detection help protect even imperfectly designed applications.
A07:2025 - Authentication Failures
Authentication endpoints are among the most attacked parts of a web application. This category covers credential stuffing, brute force attacks, weak password policies, and session management issues.
How Expedited WAF Helps: Use Expedited WAF to add extra layers of protection to sensitive endpoints like /admin or /login by setting IP, User Agent or Country blocks on requests, and apply rate limiting to stop brute force and credential stuffing attempts. Password policy and session handling remain the application's job.
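The rate limiting described above, as an added example that is not Expedited WAF's implementation: a sliding-window limiter for /login keyed on both the client IP and the target username. Keying on the username as well is what catches credential stuffing, which spreads attempts for one account across many source IPs and so never trips a per-IP limit. The thresholds, window and injectable clock are constructed for the example.

```python
"""Sliding-window login rate limiter keyed on client IP and on username.
Constructed example with hypothetical thresholds; not Expedited WAF code."""
from collections import defaultdict, deque
import time


class LoginRateLimiter:
    def __init__(self, max_per_ip=10, max_per_user=5, window_s=60.0, clock=time.monotonic):
        self.max_per_ip = max_per_ip      # brute force from one address
        self.max_per_user = max_per_user  # stuffing one account from many addresses
        self.window_s = window_s
        self.clock = clock                # injectable for tests and simulations
        self._by_ip = defaultdict(deque)  # key -> timestamps of recent attempts
        self._by_user = defaultdict(deque)

    def _prune(self, attempts: deque, now: float) -> None:
        """Drop timestamps that have fallen out of the window."""
        while attempts and now - attempts[0] > self.window_s:
            attempts.popleft()

    def allow(self, ip: str, username: str) -> bool:
        """Decide before the password is checked: every attempt counts, so an
        attacker cannot learn anything from a limiter that only counts
        failures. Returns False when the attempt should be rejected."""
        now = self.clock()
        ip_attempts = self._by_ip[ip]
        user_attempts = self._by_user[username.lower()]  # normalise the account name
        self._prune(ip_attempts, now)
        self._prune(user_attempts, now)
        if len(ip_attempts) >= self.max_per_ip or len(user_attempts) >= self.max_per_user:
            return False
        ip_attempts.append(now)
        user_attempts.append(now)
        return True


def simulate_stuffing(limiter: LoginRateLimiter, ips, username: str) -> int:
    """Constructed credential-stuffing run: one attempt per source IP against a
    single account. Returns how many attempts got through to the password check."""
    return sum(1 for ip in ips if limiter.allow(ip, username))


if __name__ == "__main__":
    fake_now = [0.0]
    limiter = LoginRateLimiter(max_per_ip=3, max_per_user=2, window_s=60, clock=lambda: fake_now[0])
    attackers = [f"198.51.100.{n}" for n in range(1, 21)]   # 20 constructed source IPs
    passed = simulate_stuffing(limiter, attackers, "alice")
    print(f"{passed} of {len(attackers)} stuffing attempts reached the password check")
    fake_now[0] = 61.0   # window expires, the account can be tried again
    print("after the window:", limiter.allow("198.51.100.1", "alice"))
```

A per-IP limit alone would have let all 20 attempts through; the per-username counter is what stops the distributed attack. In production the counters live in shared storage (Redis or similar) so that every dyno sees the same counts.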
A08:2025 - Software and Data Integrity Failures
Code and infrastructure that do not protect against integrity violations: insecure deserialization, updates pulled from untrusted sources, and CI/CD pipeline compromises.
How Expedited WAF Helps: By pre-filtering every web request, Expedited WAF can block requests carrying anomalous characters and known attack patterns before your application processes them, reducing the chance that a malicious serialized payload ever reaches a deserializer. The update and CI/CD parts of this category happen outside the request path, so they need signed artifacts and pipeline controls rather than a WAF.
A09:2025 - Security Logging and Monitoring Failures
Insufficient logging, detection, monitoring, and active response. Without proper logging and monitoring, breaches go undetected. By default Heroku logs are ephemeral, which makes this even more critical.
How Expedited WAF Helps: Expedited WAF logs every attack it blocks, recording not just the time and the request but the context you need to make decisions: the attack category, the country of origin, and whether the request is part of a larger pattern of attacks.
A10:2025 - Mishandling of Exceptional Conditions
New in 2025. Improper handling of errors and exceptions can reveal sensitive information, cause unexpected behavior, or open security holes: verbose error messages, unhandled exceptions, and improper handling of error states.
How Expedited WAF Helps: Expedited WAF keeps many attacker-triggered exceptional conditions from happening at all, by blocking malformed requests, injection attempts, and known attack patterns before they reach your application. That shrinks the attack surface; the application still has to fail closed and return generic error responses for whatever gets through.
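An added example of the "fail closed" half of A10, not taken from this page or from Expedited WAF: a request handler that puts the raw exception text and stack trace into the response body, beside one that maps expected failures to specific statuses, turns everything else into a generic 500 with a correlation id, and keeps the details in the server log. The account lookup, its failure modes and the internal hostname it leaks are all constructed.

```python
"""Mishandling of exceptional conditions: a leaky handler vs. one that maps
exceptions to safe responses. Constructed example; the lookup function and
the hostname in its error are hypothetical."""
import logging
import traceback
import uuid

log = logging.getLogger("app")


class NotFound(Exception):
    """Expected condition: the caller asked for something that does not exist."""


def lookup_account(account_id: str) -> dict:
    """Constructed business logic with three ways to fail: bad input,
    missing record, and an unexpected infrastructure error."""
    if not account_id.isdigit():
        raise ValueError(f"bad account id {account_id!r}")
    if account_id == "0":
        raise RuntimeError("connection refused: db-host.internal:5432")  # constructed
    if account_id != "42":
        raise NotFound(account_id)
    return {"id": 42, "balance": 10.0}


def handle_leaky(account_id: str):
    """Anti-pattern: whatever went wrong becomes the response body, including
    internal hostnames and code paths an attacker can use for reconnaissance."""
    try:
        return 200, lookup_account(account_id)
    except Exception as exc:
        return 500, {"error": str(exc), "trace": traceback.format_exc()}


def handle_safe(account_id: str):
    """Expected conditions get a specific status and a fixed message. Anything
    unexpected becomes a generic 500 carrying only a correlation id; the
    exception and stack trace go to the server log under that id."""
    try:
        return 200, lookup_account(account_id)
    except ValueError:
        return 400, {"error": "invalid account id"}
    except NotFound:
        return 404, {"error": "account not found"}
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("unhandled error ref=%s", ref)
        return 500, {"error": "internal error", "ref": ref}


if __name__ == "__main__":
    for account in ["42", "7", "abc", "0"]:
        print(account, "leaky:", handle_leaky(account)[0], "safe:", handle_safe(account))
```

The correlation id is what lets support staff find the full trace in the logs without that trace ever leaving the server; on Heroku, where log retention is short by default, ship those logs to a drain so the id still resolves to something later.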
Historical Vulnerabilities Still Protected
The following vulnerabilities were separate categories in earlier OWASP Top 10 versions but have been consolidated into broader categories in 2025. Expedited WAF continues to protect against these attack vectors:
Cross Site Scripting (XSS)
Now part of A05:2025 - Injection. Cross Site Scripting attacks use your web application as a vector to deliver maliciously injected scripts to other users' browsers.
How Expedited WAF Helps: Modern web frameworks often have XSS mitigation built in, but you still have to apply it correctly every single time. One slightly tweaked form input validation can accidentally hand an attacker near complete control of your site. Expedited WAF puts a second, global, always-on XSS shield around your application.
XML External Entities (XXE)
Now part of A05:2025 - Injection. Exploitation of your application's XML parsing: the attacker supplies a document whose DTD declares external entities, and a parser that resolves them will read local files or fetch internal URLs on the attacker's behalf.
How Expedited WAF Helps: By blocking XML payloads that carry entity-injection patterns, Expedited WAF stops XXE attacks before they reach the parser. Disabling DTD and external entity processing in the parser itself remains the definitive fix.
Related Security Resources
Vulnerability-Specific Guides
- How to Block XSS on Heroku - Detailed guide on preventing Cross-Site Scripting attacks
- How to Enable Security Headers on Heroku - Configure X-Frame-Options, Content-Security-Policy and X-XSS-Protection headers (note that current browsers have dropped support for X-XSS-Protection; Content-Security-Policy is the header to rely on)
- How to Force HTTPS on Heroku - Ensure encrypted connections to protect data in transit
- How to Block Log4j Vulnerability on Heroku - Example of virtual patching against critical vulnerabilities
Attack Mitigation
- DDoS Protection with CAPTCHA - Stop distributed denial of service attacks
- Block Anonymous Proxies - Prevent attackers from hiding behind VPNs and proxies
- Block Malicious IP Addresses - Access control for known bad actors
- Credential Stuffing Protection - Defend against automated login attacks
Framework Security Checklists
Secure coding practices vary by framework. Use these checklists to ensure your application follows security best practices:
- Rails Security Checklist - Ruby on Rails applications
- Django Security Checklist - Python Django applications
- Express Security Checklist - Node.js Express applications
- Laravel Security Checklist - PHP Laravel applications
- Next.js Security Checklist - React/Next.js applications
- FastAPI Security Checklist - Python FastAPI applications
- Flask Security Checklist - Python Flask applications
API Security
Building or maintaining an API? See our comprehensive API Security Best Practices MegaGuide covering authentication, injection attacks, rate limiting, and more.