How to Block User Agents on Heroku

Why you might need this

User agents are the names that HTTP client software reports for itself; because they are self-reported, they are easily changed. While that is indisputably the case, in practice many bots and malicious scripts still report as the command-line tools or HTTP libraries that they use to generate requests.

As an example, much vulnerability-probing and scanning software reports as one of the curl user agents.

Example: PycURL/7.43.0.2 libcurl/7.47.0

This fact makes user agent blocking a useful (if often underestimated) feature.

Prerequisites

What you need to get started:

  1. The Expedited WAF add-on is set up in front of your application.

How To Block User Agents on Heroku

Add individual user agents to be blocked to the Block Bots page of your Expedited WAF dashboard.

Notes

  • By default, Expedited WAF blocks user agents which don’t match real browsers (missing or malformed agents).
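
To decide which agents to add to the Block Bots page, you can tally the user agents your application already sees. The script below is an added example, not code from the original page or from Expedited WAF. It assumes your app writes access logs in combined log format; the log lines are constructed, and the token list (taken from the curl example above) is a starting assumption to extend for your own traffic.

```python
import re
from collections import Counter

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = '''\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "PycURL/7.43.0.2 libcurl/7.47.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /.env HTTP/1.1" 404 153 "-" "PycURL/7.43.0.2 libcurl/7.47.0"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
192.0.2.44 - - [10/Oct/2023:13:57:12 +0000] "GET /admin HTTP/1.1" 404 153 "-" "curl/7.68.0"
192.0.2.45 - - [10/Oct/2023:13:58:40 +0000] "POST /xmlrpc.php HTTP/1.1" 404 153 "-" "-"
'''

# Last two quoted fields of a combined-format line: referer, then user agent.
LINE_RE = re.compile(r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"\s*$')

# Assumed starter tokens for command-line tools and HTTP libraries.
TOOL_RE = re.compile(r'\b(curl|pycurl|libcurl)\b', re.IGNORECASE)


def classify(agent):
    """Return 'missing', 'tool' or 'other' for one User-Agent value."""
    if agent.strip() in ("", "-"):
        return "missing"
    if TOOL_RE.search(agent):
        return "tool"
    return "other"


def block_candidates(log_text):
    """Count tool-like agents and requests that sent no agent at all."""
    tools = Counter()
    missing = 0
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        agent = match.group("agent")
        kind = classify(agent)
        if kind == "tool":
            tools[agent] += 1
        elif kind == "missing":
            missing += 1
    return tools, missing


if __name__ == "__main__":
    tools, missing = block_candidates(SAMPLE_LOG)
    for agent, hits in tools.most_common():
        print(f"{hits:5d}  {agent}")
    print(f"{missing:5d}  (no user agent sent)")
```

Review the tool-like agents before blocking them, since your own monitoring or integrations may use the same libraries.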

Resources

Learn more about User Agents.