How To Stop DDoS Flood Attacks with JavaScript Verification on Heroku

DDoS Attack Mitigation on Heroku

Web-based SaaS applications are uniquely vulnerable to Distributed Denial of Service attacks.


Compared to attacks that exploit TCP flaws or other lower-level network responses, the HTTP request/response cycle of web apps is much more expensive.


Compared to other types of DDoS attacks, it can be much more of a challenge to separate legitimate from illegitimate traffic. Consider an attack that uses a compromised browser extension to hammer a remote server: the requests would be virtually indistinguishable from user-generated traffic.

What Users Will View

The image below is what will be shown to users who request a CAPTCHA-protected URL on your Expedited WAF-protected site.


What you need to get started:

  1. Expedited WAF add-on is set up in front of your application.

How To Add CAPTCHAs to your Heroku App

Add individual URLs to be presented with a CAPTCHA challenge from the Protected Pages screen of your Expedited WAF dashboard:


  • CAPTCHA protection is optional. It is disabled by default and will only apply to the specific URLs that you include in a rule.
  • Adding the root / as a URL will CAPTCHA protect your entire site, but typically this isn’t needed.


Learn more about DDoS Attacks

Need this for your Heroku App?

Find out how Expedited WAF can immediately improve your security posture, reliability and site speed. Book a time to get started or jump in on the Heroku Elements Marketplace.