How to Block Referring Sites on Heroku

Why you might need this

Social media, hate sites, and spammy/scraped sites may all be sending traffic to your application that you would rather not have land. In some cases this can generate storms of traffic that are functionally the same as a denial of service attack.

Blocking referred traffic is an easy way to blunt some of the unsavory traffic hitting your site.


What you need to get started:

  1. The Expedited WAF add-on is set up in front of your application.

How To Block Referring Sites on Heroku

Add referring sites to be blocked to the Block Bots page of your Expedited WAF dashboard:


  • Blocking is dependent upon the HTTP_REFERER header being passed by the browser. This may not be present for any number of reasons (HTTP -> HTTPS links in Chrome, command line tools, or browser extensions).
  • If the traffic is significant enough to be causing you uptime problems, you may need to layer on additional anti-DDoS rules like CAPTCHA or geographic restrictions.


Learn more about HTTP_REFERER headers.
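
To make the first caveat concrete, here is a referrer check written as a Rack-style middleware. It is an added example, not Expedited WAF's code; the class name, helper methods, and hostnames are assumptions made for illustration.

```ruby
require "uri"

# Rack-style middleware (no gems needed): rejects requests whose Referer
# host is on a blocklist. Hostnames below are constructed placeholders.
class ReferrerBlocker
  def initialize(app, blocked_hosts)
    @app = app
    @blocked = blocked_hosts.map { |h| h.downcase.sub(/\.\z/, "") }
  end

  # Returns the lowercased host of a Referer value, or nil when the header
  # is missing, empty, or not a parseable absolute URL.
  def self.referrer_host(value)
    return nil if value.nil? || value.strip.empty?
    host = URI.parse(value.strip).host
    host && host.downcase.sub(/\.\z/, "")
  rescue URI::InvalidURIError
    nil
  end

  # Exact match or any subdomain of a blocked host; "notspam.example"
  # must not match a rule for "spam.example".
  def blocked?(host)
    return false if host.nil?
    @blocked.any? { |b| host == b || host.end_with?(".#{b}") }
  end

  def call(env)
    # Rack exposes the Referer request header as HTTP_REFERER.
    host = self.class.referrer_host(env["HTTP_REFERER"])
    if blocked?(host)
      [403, { "content-type" => "text/plain" }, ["Forbidden\n"]]
    else
      # No header or unlisted host: nothing to match on, so pass through.
      @app.call(env)
    end
  end
end

# Constructed demo app and blocklist.
APP = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok\n"]] }
BLOCKER = ReferrerBlocker.new(APP, ["spam.example"])

def status_for(referer)
  env = referer.nil? ? {} : { "HTTP_REFERER" => referer }
  BLOCKER.call(env).first
end
```

Requests with no Referer header, or with a value that does not parse as a URL, reach the application untouched, which is why referrer blocking alone cannot stop traffic that omits the header.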

Next steps

If you need help with improving your application's security, you can Book a Demo (free) to talk to a security engineer about your application security and compliance requirements. If you're ready to go, you can add the Expedited WAF add-on to your Heroku application in about 15 minutes.