Since you first signed up with Expedited SSL, we have launched a new (and in all respects better) service called Expedited WAF.
Expedited WAF is more secure, has features to help stop attacks, block malicious traffic and speed up your site; best of all, it costs the same or a little less than what you’re paying for Expedited SSL currently.
OLD/CURRENT: Expedited SSL
Expedited SSL is the Heroku Add-On that you’ve been using to provide your site with an SSL (TLS) certificate.
SSL/TLS certificates establish a basic secured connection between clients (browsers, apps) and your site.
NEW/UPGRADE: Expedited WAF
Expedited WAF is a Web Application Firewall for your Heroku application.
A Web Application Firewall (WAF) is like a professional bodyguard, except that instead of keeping paparazzi and stalkers away from you, it makes your web application safer by blocking:
- Attacks like XSS, CSRF, and SQL Injection
- Denial of Service Probes and attacks
- Bad IPs (that you specify or those identified from prior attacks on the network)
- Anonymous Proxies used for attacks
- Geolocations where specific attacks erupt from
It will, of course, also supply you with a fresh SSL certificate and a new TLS configuration that’s significantly more secure.
Who Uses Web Application Firewalls?
To date, most of the Heroku clients who have used Expedited WAF were:
- In a high-security environment such as finance or healthcare
- Required to pass a Security Audit or Penetration Test of their application
- Actively under attack, with their site offline
However, any application on Heroku (even a static website) will see improvements from using Expedited WAF.
All web applications are constantly probed by bots looking for vulnerabilities, which can then blow up into full attacks.
Frequently Asked Questions
What Does This Cost?
Depending on your current setup with Expedited SSL and Heroku’s SNI and SSL Endpoints, moving to Expedited WAF will cost either the same or slightly less each month (and you’ll have a considerably more secure application).
You should have also received an email from Heroku granting you access to the invite-only migration plans with the migration pricing discounts factored in.
How Much Time Does It Take?
Start to finish, the migration process typically takes around an hour, but that’s usually 10 minutes of you setting things up and 50 minutes of waiting for DNS propagation and provisioning to happen.
Is there any Downtime?
There is no downtime.
The onboarding wizard walks you through all the steps to get things configured.
You’ll need to change a few DNS records to get things set up, and as resolvers pick up the new records, requests will smoothly roll over to being filtered through the firewall.
How Does a WAF Work?
A Web Application Firewall sits between the raw Internet and your Heroku application, examining each new request for potential issues. It evaluates where the request is coming from and compares it to a global list of bad actors that we continuously maintain.
The WAF works entirely through DNS. There are no code changes required and no lock-in.
Why Are You Making Me Do This?
It may sound a little cheesy, but we do truly want to help make the Internet a safer place, and using a WAF to protect your application is an improvement in every aspect of your site’s security.
Since we launched Expedited WAF, we’ve seen first hand how bad things can get. Many customers sign up in the middle of:
- A massive credential stuffing attack that’s taken them offline
- A DDoS attack that’s overwhelmed their ability to scale dynos
- A security audit or penetration test that they’ve failed
- Recovering from an attack that led to data loss
Given that we can provide a service that can prevent that for others for the same cost as just an SSL certificate, it just seems kind of ridiculous to not migrate people.
For the above reasons, we’re sunsetting ExpeditedSSL and migrating all clients over to Expedited WAF.
Can I opt-out?
Yes. We’re not trying to force or lock anybody into working with us, and while we do think this is a positive move, we’d never be arrogant enough to think that we’re the right choice for everybody.
We’re happy to recommend some alternatives if this doesn’t make sense for you right now. However, we’re not renewing ExpeditedSSL certificates.
What Should I Look Out For?
While in general there are very few problems with switching from SSL to WAF, two potential problem areas exist:
1. Websockets Support
The WAF only supports the HTTP (web) protocol; since WebSockets are a distinct protocol, they will not pass through the WAF.
Clients tend to choose one of two options depending on their security needs:
- WebSocket Domain: Adding a dedicated WebSocket domain like “socket.example.com” that is used only for socket endpoints. This is useful when there are no attacks happening against your WebSocket connections.
- Fallback HTTP: Falling back to HTTP. Most WebSocket clients will fall back to communicating over HTTP if they cannot make a WebSocket connection. This is useful if your WebSocket endpoints are actually what is under attack, as you can then use the WAF security controls to block the attackers.
2. URL Encodings
The WAF inspects requests for threats like SQL injection, XSS and CSRF. These filters can be falsely triggered if your application is not encoding URL paths or form data correctly.
If this occurs in your app, the suggested process is to whitelist the affected path.
The main deadline that’s been imposed on us is your SSL certificate expiring. You’ll need to either migrate to Expedited WAF or an alternative SSL setup to keep your site accessible.
What if I Did Not Receive the Plan Invite?
Please email firstname.lastname@example.org with the domain and we’ll issue a new invite.
Note: the email will come from an @heroku.com address, which helps if you need to search through your spam filters.
Before you get started
- Make sure that you have access to your DNS configuration and can update records
- Make sure that you have access to add/remove add-ons from your Heroku application
- Check that your current site is returning a 200 HTTP response on the root path.
- Check that you’ve received the migration plan invite from Heroku
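As an added example (not part of Expedited’s or Heroku’s tooling), this Python script checks two of the items above against a live host: that the root path returns HTTP 200, and how many days remain before the current certificate expires, which is the deadline mentioned earlier. The host name is an assumption; replace it with your own domain.

```python
# Added example, not Expedited's own tooling: preflight for two checklist
# items above (root path returns HTTP 200; days left on the current TLS cert).
import socket
import ssl
import time
import urllib.error
import urllib.request

def days_until(not_after: str, now: float) -> int:
    """Whole days from `now` (epoch seconds) until an OpenSSL-style notAfter
    string such as 'Jun  1 12:00:00 2030 GMT' (the getpeercert() format)."""
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def root_status(host: str, timeout: float = 10.0) -> int:
    """HTTP status code of GET https://host/ (4xx/5xx returned, not raised)."""
    try:
        with urllib.request.urlopen(f"https://{host}/", timeout=timeout) as r:
            return r.status
    except urllib.error.HTTPError as e:
        return e.code

def cert_days_left(host: str, timeout: float = 10.0) -> int:
    """Days until the certificate served for `host` (selected via SNI) expires."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return days_until(tls.getpeercert()["notAfter"], time.time())

def preflight_problems(status: int, days_left: int, min_days: int = 7) -> list:
    """Blockers found; an empty list means you are clear to start."""
    problems = []
    if status != 200:
        problems.append(f"root path returned HTTP {status}, expected 200")
    if days_left < min_days:
        problems.append(f"certificate expires in {days_left} day(s); migrate "
                        f"or renew elsewhere before it lapses")
    return problems

if __name__ == "__main__":
    host = "www.example.com"  # assumption: replace with your own domain
    status, days = root_status(host), cert_days_left(host)
    print(f"{host}: HTTP {status} on /, certificate valid {days} more day(s)")
    for problem in preflight_problems(status, days):
        print("  !", problem)
```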
Can I get More Help?
Support is available 24/7 via email at email@example.com - please include the domain in question in your email.
If you have more involved questions or concerns, you can book a 1:1 session below: