How to Block Clients by Country and Geolocation on Heroku

Why you might need this

On the global internet, attacks can originate from any country. Often, attacks are launched disproportionately from countries where you have no clients you’re trying to attract (for subject or language reasons).

Blocking countries from connecting to your site is often an easy way to reduce the overall number of attacks against your site.


What you need to get started:

  1. The Expedited WAF add-on is set up in front of your application.

How To Block Countries from Heroku

You can block requests from individual countries to reduce the incidence of fraud or other malicious interactions.

Blocking POST requests

Blocking POST requests helps prevent malicious actions like brute-force login attempts, form hijacking (where additional fields or files are added into a form), and possible manipulation of application rules.

On the Block Bots page of your Expedited WAF dashboard, select the Country from POSTing option, and a list of countries to choose from will appear.

Blocking GET requests

Blocking GET requests can stop certain forms of DDoS attacks, vulnerability scans, and fraud attempts.

On the Block Bots page, select the Country from GETing option, and a list of countries to choose from will appear.


  • You can review which countries are launching attacks in the dashboard and then block the prominent ones.


Learn more about Geolocation filtering.