How to Enable Rate Limiting on Heroku

Why Rate Limiting Matters

Rate limiting controls how many requests a client can make to your application within a given time period. Without rate limiting, attackers can overwhelm your application with requests, brute force authentication endpoints, or abuse your API.

Rate limiting protects your Heroku application from:

  • Brute force attacks guessing passwords or API keys
  • Credential stuffing using stolen username/password combinations
  • API abuse by aggressive integrations or scrapers
  • DDoS attacks flooding your servers with requests
  • Resource exhaustion from runaway scripts or bots

Rate limiting is especially critical for authentication endpoints, API routes, and any resource-intensive operations.

How Rate Limiting Works

Rate limiting tracks requests from each client (usually by IP address) and enforces a maximum number of requests per time window. When a client exceeds the limit, further requests are blocked until the window resets.

Example: Allow 100 requests per minute per IP

  • Requests 1-100: Allowed
  • Requests 101+: Blocked with 429 Too Many Requests
  • After 1 minute: Counter resets

Different rate limit strategies work better for different scenarios.

Rate Limiting Strategies

Per-IP Rate Limiting

The most common approach—limit requests based on the client’s IP address.

Best for:

  • General abuse prevention
  • Protecting public endpoints
  • Stopping unsophisticated attacks

Limitations:

  • Users behind NAT/proxy share IPs
  • Attackers can use multiple IPs

Per-Endpoint Rate Limiting

Apply different limits to different routes based on their sensitivity and resource cost.

Example limits:

  • /login: 5 requests per minute (prevent brute force)
  • /api/search: 30 requests per minute (expensive query)
  • /api/users: 100 requests per minute (cheap read)

Per-User Rate Limiting

For authenticated APIs, rate limit by user account rather than IP. This prevents abuse while allowing legitimate users behind shared IPs.

Best for:

  • Authenticated APIs
  • SaaS applications
  • Mobile app backends

Prerequisites

What you need to get started:

  1. Expedited WAF add-on installed on your Heroku application

How to Enable Rate Limiting on Heroku

Step 1: Open the Security Settings

Navigate to your Expedited WAF dashboard and select the Stop Attacks page from the sidebar menu.

Step 2: Configure Rate Limits

Set your rate limiting rules:

  • Requests per window: How many requests to allow (e.g., 100)
  • Window duration: Time period for the limit (e.g., 60 seconds)
  • Scope: Per-IP, per-endpoint, or global

Step 3: Define Endpoint-Specific Limits

For sensitive endpoints, create more restrictive rules:

Endpoint              Limit   Window      Reason
/login                5       1 minute    Prevent brute force
/signup               3       1 minute    Prevent spam accounts
/api/password-reset   3       5 minutes   Prevent enumeration
/api/*                100     1 minute    General API protection

Step 4: Configure Response Behavior

Choose how to handle rate-limited requests:

  • Block: Return 429 Too Many Requests
  • CAPTCHA: Challenge with CAPTCHA before allowing
  • Delay: Slow down responses instead of blocking

Common Use Cases

Protecting Login Endpoints

Authentication endpoints are prime targets for brute force attacks. Apply strict rate limits:

/login: 5 requests per minute
/auth/*: 10 requests per minute

Consider CAPTCHA challenges after 3 failed attempts.

Securing APIs

Public APIs need rate limiting to prevent abuse:

/api/*: 100 requests per minute per IP

Use higher limits for authenticated users and lower limits for anonymous traffic.

Preventing Scraping

Content scrapers often hit your site rapidly. Rate limiting slows them down:

Global: 60 requests per minute per IP

Combine with user-agent blocking for better protection.

Handling Traffic Spikes

Rate limiting prevents legitimate traffic spikes from overwhelming your dynos. Configure limits slightly above normal traffic levels to absorb spikes gracefully.

Rate Limit Headers

When rate limiting is enabled, Expedited WAF adds headers to help clients track their usage:

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 45
X-RateLimit-Reset: 1623456789

API clients can use these headers to implement backoff strategies.
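The fixed-window counter described under How Rate Limiting Works, combined with the Step 3 endpoint rules and the X-RateLimit headers above, as an added Python example (this is not Expedited WAF's code; the rule list, the first-match ordering and the header formatting are assumptions):

```python
import time
from fnmatch import fnmatchcase

# Endpoint rules from the Step 3 table: (path pattern, max requests, window seconds); specific paths first.
RULES = [
    ("/login", 5, 60),
    ("/signup", 3, 60),
    ("/api/password-reset", 3, 300),
    ("/api/*", 100, 60),
]

class FixedWindowLimiter:
    """Fixed-window counter per (client, rule); the count resets once the window has elapsed."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.counters = {}  # (client, pattern) -> (window_start, count)

    def match_rule(self, path):
        for pattern, limit, window in self.rules:  # first matching rule wins
            if fnmatchcase(path, pattern):
                return pattern, limit, window
        return None  # no rule: path is not rate limited

    def check(self, client, path, now=None):
        """Decide one request: returns (status, headers); 200 = allowed, 429 = blocked."""
        now = time.time() if now is None else now
        rule = self.match_rule(path)
        if rule is None:
            return 200, {}
        pattern, limit, window = rule
        key = (client, pattern)
        start, count = self.counters.get(key, (now, 0))
        if now - start >= window:  # window expired: start a fresh one
            start, count = now, 0
        allowed = count < limit
        if allowed:
            count += 1
        self.counters[key] = (start, count)
        headers = {
            "X-RateLimit-Limit": str(limit),
            "X-RateLimit-Remaining": str(max(0, limit - count)),
            "X-RateLimit-Reset": str(int(start + window)),  # epoch seconds when the window resets
        }
        return (200 if allowed else 429), headers

if __name__ == "__main__":
    limiter = FixedWindowLimiter()
    for n in range(7):  # constructed client IP; the sixth /login attempt in one minute is blocked
        print(n + 1, *limiter.check("203.0.113.7", "/login", now=1000.0 + n))
```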

Troubleshooting

Issue: Legitimate users being rate limited

  • Check if users share IPs (corporate proxy, NAT)
  • Consider per-user rate limiting for authenticated endpoints
  • Increase limits if they’re too restrictive

Issue: Attacks still getting through

  • Attackers may be using distributed IPs
  • Combine rate limiting with CAPTCHA challenges
  • Add geographic blocking for regions you don’t serve

Issue: API integrations failing

  • Partner integrations may need higher limits
  • Allowlist known integration IPs
  • Provide dedicated API keys with custom limits

Choosing Rate Limits

Finding the right limits requires balancing security and usability:

Too restrictive:

  • Frustrates legitimate users
  • Breaks integrations
  • Increases support tickets

Too permissive:

  • Doesn’t stop attacks
  • Wastes server resources
  • May not meet compliance requirements

Start conservative and adjust:

  1. Set limits based on expected traffic
  2. Monitor blocked requests
  3. Adjust limits based on patterns
  4. Create exceptions for known good actors
