How To Stop DDoS Flood Attacks with JavaScript Verification on Heroku

DDoS Attack Mitigation on Heroku

Web-based SaaS applications are uniquely vulnerable to Distributed Denial of Service (DDoS) attacks.


Compared to attacks that exploit TCP flaws or other lower-level network responses, the HTTP request/response cycle of a web app is much more expensive.


Compared to other types of DDoS attacks, it can also be much more of a challenge to separate legitimate traffic from illegitimate traffic. Consider an attack that uses a compromised browser extension to hammer a remote server: the requests would be virtually indistinguishable from user-generated traffic.

What Users Will View

The image below is what will be shown to users who request a CAPTCHA-protected URL on your Expedited WAF-protected site.


What you need to get started:

  1. The Expedited WAF add-on is set up in front of your application.

How To Add CAPTCHAs to your Heroku App

Add individual URLs to be presented with a CAPTCHA challenge from the Protected Pages screen of your Expedited WAF dashboard:


  • CAPTCHA protection is optional. It is disabled by default and will only apply to the specific URLs that you include in a rule.
  • Adding the root / as a URL will CAPTCHA-protect your entire site, but typically this isn’t needed.

