How to Block User Agents on Heroku

Why you might need this

User Agents are the self-reported names that HTTP client software reports itself as - as such they’re easily changed. While that is undisputably the case, in practice many bots and malicious scripts still report as the command line tools or HTTP libraries that they’re using to generate requests.

As an example, many vulnerability probe or scanning software will report as one of the Curl User Agents

Example: PycURL/ libcurl/7.47.0

This fact makes blocking user agent blocking a useful (if often underestimated) feature.


What you need to get started:

  1. Expedited WAF add-on is setup in front of your application.

How To Block User Agents on Heroku

Add individual user agents to be blocked to the Block Bots page of your Expedited WAF dashboard:


  • By default Expedited WAF blocks user agents which don’t match real browsers (missing or malformed agents)


Learn more about User Agents.

Next steps

If you need help with improving your application's security, you can Book a Demo (free) to talk to a security engineer about your application security and compliance requirements. If you're ready to go, you can add the Expedited WAF add-on to your Heroku application in about 15 minutes.