How to Block HTML in forms (XSS) on Heroku

Why you might need this

Cross-Site Scripting (XSS) attacks are one of the most frequent types of attacks executed against web applications. Typically malicious Javascript code is injected into an application through a form endpoint that is improperly sanitizing inputs.

Once the code has been injected, it can be used to steal data from users, launch malware and other nefarious and damaging activity.


What you need to get started:

  1. Expedited WAF add-on is setup in front of your application.

How To Stop XSS Attacks

On the Stop Attacks page of your Expedited WAF dashboard, select the Stop Suspected Attacks option.


  • If you have forms on your site that allow HTML or Javascript inputs you may need to exempt those URLs from checking.
  • Stopping suspected attacks is a an additional layer of security on your site and should function alongside solid development practices, patching and testing


More reading and framework resources on prevention of XSS attacks