How to Block Referring Sites on Heroku

Why Referrer Blocking Matters

The HTTP Referer header tells your server which page linked to your content. While often used for analytics, this header can also help identify and block unwanted traffic sources. Social media mobs, hate sites, spam sites, and content scrapers can all be blocked by filtering their referrer headers.

Referrer blocking is valuable for several reasons:

  • Stops viral attack traffic from social media pile-ons
  • Blocks spam referrers that pollute your analytics
  • Prevents hotlinking of your images and media
  • Reduces load from scraped sites republishing your content
  • Protects against referrer spam from SEO manipulation attempts

When a controversial link goes viral on certain sites, the resulting traffic storm can be functionally equivalent to a DDoS attack. Referrer blocking provides a quick way to cut off the flood.

How Referrer Headers Work

When a user clicks a link on Site A to visit Site B, the browser includes Site A’s URL in the Referer header. This tells Site B where the traffic came from.

GET /page HTTP/1.1
Host: yoursite.com
Referer: https://somesite.com/page-that-linked-to-you

By checking this header, you can allow or block traffic based on its source.

Note: The header is spelled “Referer” (a historical misspelling in the HTTP specification).

Prerequisites

What you need to get started:

  1. Expedited WAF add-on installed on your Heroku application

How To Block Referring Sites on Heroku

Step 1: Open the Bot Blocking Dashboard

Navigate to your Expedited WAF dashboard and select the Block Bots page from the sidebar menu.

Step 2: Add Referrers to Block

Enter each referring domain you want to block. You can enter:

  • Full domains: spamsite.com
  • Subdomains: *.toxicsite.net
  • Specific paths: reddit.com/r/controversial

Step 3: Monitor and Adjust

Review your traffic logs to identify additional referrers to block. Traffic patterns may change as attackers or scrapers move to different sources.
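As an added illustration (not code from this article or from Expedited WAF), the following Python shows how the three rule shapes from Step 2 (full domain, wildcard subdomain, specific path) can be evaluated against an incoming Referer value. The WAF's own matching semantics are not described here, so the choices below are this example's assumptions: a full domain matches that host exactly, a wildcard rule covers the apex host as well as its subdomains, a path rule matches on a segment boundary, and a missing or unparsable header never blocks (the limitation the article describes later). The rule entries and helper names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ReferrerRule:
    host: str         # lowercase host the rule applies to, wildcard removed
    subdomains: bool  # True for "*.example.com" style rules
    path: str         # path prefix such as "/r/controversial", or "" for any path


def parse_rule(text: str) -> ReferrerRule:
    """Turn one dashboard-style entry (domain, *.domain or domain/path) into a rule."""
    text = text.strip().lower()
    if "://" in text:                       # tolerate a pasted scheme
        text = text.split("://", 1)[1]
    host, _, path = text.partition("/")
    subdomains = host.startswith("*.")
    if subdomains:
        host = host[2:]
    path = "/" + path.rstrip("/") if path.strip("/") else ""
    return ReferrerRule(host=host, subdomains=subdomains, path=path)


def split_referer(referer: str):
    """Return (host, path) from a Referer value, or None when it is not a usable http(s) URL."""
    try:
        parts = urlsplit(referer.strip())
        host = parts.hostname                # already lowercased, port removed
    except ValueError:                       # e.g. a malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return host, (parts.path or "/")


def rule_matches(rule: ReferrerRule, host: str, path: str) -> bool:
    if rule.subdomains:
        # Assumption of this example: "*.toxicsite.net" covers the apex host too
        host_ok = host == rule.host or host.endswith("." + rule.host)
    else:
        host_ok = host == rule.host
    if not host_ok:
        return False
    if not rule.path:
        return True
    # Match on a path-segment boundary so /r/controversial does not catch /r/controversialcats
    return path == rule.path or path.startswith(rule.path + "/")


def should_block(referer: Optional[str], rules: Iterable[ReferrerRule]) -> bool:
    """Decide whether a request should be blocked on its Referer alone.

    A missing or unparsable header never blocks: direct visits, privacy tools
    and command-line clients send none, and a spoofed value cannot be told
    apart from a real one here, so this is one layer among several.
    """
    if not referer:
        return False
    parsed = split_referer(referer)
    if parsed is None:
        return False
    host, path = parsed
    return any(rule_matches(r, host, path) for r in rules)


# Constructed block list in the three shapes the Step 2 list describes.
RULES = [parse_rule(r) for r in ("spamsite.com", "*.toxicsite.net", "reddit.com/r/controversial")]


if __name__ == "__main__":
    for ref in (None, "https://spamsite.com/x", "https://www.spamsite.com/",
                "https://news.toxicsite.net/a", "https://reddit.com/r/controversial/comments/1",
                "https://reddit.com/r/controversialcats", "not a url"):
        print(f"{str(ref):55} blocked={should_block(ref, RULES)}")
```

Note that `spamsite.com` does not catch `www.spamsite.com` under the exact-host choice above; if you want both, enter the wildcard form. That difference is exactly the "rule too broad / too narrow" trade-off the Troubleshooting section raises.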

Common Use Cases

Surviving Social Media Pile-Ons

When your site gets linked from a controversial thread, the sudden traffic spike can overwhelm your application. Block the referring site to stabilize your servers while the storm passes.

Blocking Spam Referrers

Spam sites send fake traffic with their URL as the referrer, hoping you’ll visit them when checking analytics. Block these to clean up your analytics data.

Preventing Hotlinking

Other sites may embed your images directly, stealing your bandwidth. Block referrers from known offenders to stop this abuse.

Stopping Scraped Content Sites

Sites that republish your content often generate traffic back to you when users click original source links. Block these if the traffic is unwanted.

Protecting Against SEO Spam

Attackers send referrer spam to get their URLs indexed in your logs, which might be publicly accessible. Block known spam referrers.

Limitations of Referrer Blocking

Referrer blocking has important limitations to understand:

Referrer may be missing:

  • Direct navigation (typing URL)
  • HTTPS to HTTP links (referrer stripped for privacy)
  • Browser privacy extensions
  • Users with “Do Not Track” enabled
  • Command-line tools (curl, wget)

Referrer can be spoofed:

  • Sophisticated attackers can fake any referrer
  • Don’t rely on referrer blocking as your only defense

Legitimate traffic from blocked sites:

  • Blocking twitter.com blocks ALL Twitter traffic, including friendly links
  • Consider more targeted rules when possible

When to Use Referrer Blocking

Scenario                      Use Referrer Blocking?
Social media traffic spike    Yes - quick relief
Targeted DDoS attack          Maybe - combine with other rules
Spam referrer cleanup         Yes - effective for analytics
Preventing all scraping       No - scrapers often omit referrers
Geographic attack             No - use geo-blocking instead

Combining with Other Rules

Referrer blocking works best as part of a layered defense:

  1. IP blocking for identified attackers
  2. Rate limiting for traffic spikes
  3. Referrer blocking for source-specific traffic
  4. CAPTCHA challenges for suspicious patterns
  5. Geographic restrictions for regional attacks

Troubleshooting

Issue: Traffic still coming through

  • Verify the referrer header is actually being sent
  • Check if traffic is coming via HTTPS from an HTTP page (referrer stripped)
  • Attackers may be spoofing or omitting the referrer
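Checking whether the referrer is actually being sent, and picking the next hosts to block (Step 3), both come down to counting what your access log records. The Python below is an added example, not part of the article or of the WAF product. It assumes your application writes an access log in the common combined format (the Referer is the second-to-last quoted field, `-` when absent); the log lines, hostnames and IPs are constructed for the example. It reports how many requests carried no Referer at all, counts requests per external referring host with a leading `www.` folded in, and lists hosts whose pages pulled media files directly, which is the hotlinking case from the use-case section.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined-log-format lines, constructed for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /post/1 HTTP/1.1" 200 5120 "https://forum.example.net/thread/99" "Mozilla/5.0"
203.0.113.6 - - [01/Jan/2024:10:00:02 +0000] "GET /post/1 HTTP/1.1" 200 5120 "https://forum.example.net/thread/99" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /post/1 HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.8 - - [01/Jan/2024:10:00:03 +0000] "GET /post/1 HTTP/1.1" 200 5120 "https://www.forum.example.net/thread/99" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:10:00:04 +0000] "GET /img/logo.png HTTP/1.1" 200 880 "https://hotlinker.example.org/gallery" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "GET /img/logo.png HTTP/1.1" 200 880 "https://hotlinker.example.org/gallery" "Mozilla/5.0"
203.0.113.10 - - [01/Jan/2024:10:00:06 +0000] "GET /post/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Jan/2024:10:00:07 +0000] "GET /about HTTP/1.1" 200 2048 "https://yoursite.com/" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

MEDIA_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif", ".webp", ".mp4")


def referer_host(value):
    """Hostname of a Referer value with a leading www. dropped, or None if absent or unparsable."""
    if value in ("", "-"):
        return None
    try:
        host = urlsplit(value).hostname
    except ValueError:
        return None
    if not host:
        return None
    return host[4:] if host.startswith("www.") else host


def parse_log(text):
    """Parse combined-format lines into dicts; lines in another format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        parts = rec["request"].split()
        rec["path"] = parts[1] if len(parts) >= 2 else ""
        rec["referer_host"] = referer_host(rec["referer"])
        records.append(rec)
    return records


def referrer_summary(records, own_host):
    """Requests per external referring host, plus how many carried no Referer at all."""
    by_host = Counter()
    missing = 0
    for rec in records:
        host = rec["referer_host"]
        if host is None:
            missing += 1
        elif host != own_host:            # in-site navigation is not a blocking candidate
            by_host[host] += 1
    return {"total": len(records), "missing": missing, "by_host": by_host}


def hotlink_candidates(records, own_host):
    """External hosts whose pages fetched media files directly from this site."""
    return {
        rec["referer_host"]
        for rec in records
        if rec["referer_host"] not in (None, own_host)
        and rec["path"].lower().endswith(MEDIA_SUFFIXES)
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    summary = referrer_summary(recs, "yoursite.com")
    print(f"{summary['missing']} of {summary['total']} requests sent no Referer")
    for host, n in summary["by_host"].most_common():
        print(f"{n:5d}  {host}")
    print("hotlink candidates:", sorted(hotlink_candidates(recs, "yoursite.com")))
```

A large "no Referer" share is the first thing to look at when blocks seem ineffective: those requests can never match a referrer rule, whatever you enter in the dashboard, and need one of the other layers (IP, rate limit, challenge) from the Combining with Other Rules list.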

Issue: Legitimate users blocked

  • Your block rule may be too broad (e.g., blocking all of reddit.com)
  • Users may be navigating from allowed subpages
  • Consider more specific path-based rules

Issue: Analytics still show spam referrers

  • Clear your analytics cache after adding blocks
  • Some spam may have already been logged before blocking
  • Verify the WAF is correctly proxying your traffic
