How to Block User Agents on Heroku
Why you might need this
A User Agent is the name that HTTP client software reports for itself, so it is easily changed. While that is indisputably the case, in practice many bots and malicious scripts still report the user agent of the command-line tool or HTTP library they use to generate requests.
As an example, much vulnerability-probing and scanning software reports one of the curl User Agents.
Example: PycURL/7.43.0.2 libcurl/7.47.0
This fact makes user agent blocking a useful (if often underestimated) feature.
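To decide which user agents are worth blocking, you can tally the missing and library-style agents in your own access logs. The script below is an added example, not code from Expedited WAF or Heroku; it assumes Combined Log Format lines, and the token list and sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Combined Log Format ends with: "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'"[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"\s*$')

# Assumed list of command-line tools and HTTP libraries; extend for your traffic.
LIBRARY_TOKENS = ("curl", "wget", "python-requests", "python-urllib",
                  "go-http-client", "libwww-perl")

def classify(ua):
    """Return 'missing', 'library' or 'other' for a User-Agent value."""
    ua = ua.strip()
    if ua in ("", "-"):
        return "missing"
    if any(tok in ua.lower() for tok in LIBRARY_TOKENS):
        return "library"
    return "other"  # browsers and anything this list does not recognise

def block_candidates(lines):
    """Count requests per missing/library user agent, most frequent first."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that are not in the expected format
        kind = classify(m.group("ua"))
        if kind != "other":
            counts[(kind, m.group("ua"))] += 1
    return counts.most_common()

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2024:10:01:02 +0000] "GET /login HTTP/1.1" 404 153 "-" "PycURL/7.43.0.2 libcurl/7.47.0"',
    '192.0.2.10 - - [12/Mar/2024:10:01:03 +0000] "GET /admin HTTP/1.1" 404 153 "-" "PycURL/7.43.0.2 libcurl/7.47.0"',
    '198.51.100.7 - - [12/Mar/2024:10:02:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0"',
    '203.0.113.5 - - [12/Mar/2024:10:03:40 +0000] "GET /admin HTTP/1.1" 403 0 "-" "-"',
    '203.0.113.9 - - [12/Mar/2024:10:04:00 +0000] "GET /health HTTP/1.1" 200 2 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for (kind, ua), hits in block_candidates(SAMPLE_LOG):
        print(f"{hits:4d}  {kind:8s}  {ua}")
```

Legitimate uptime monitors and API integrations often use the same libraries, so treat the output as a list to review before blocking anything.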
Prerequisites
What you need to get started:
- The Expedited WAF add-on is set up in front of your application.
How To Block User Agents on Heroku
Add individual user agents to be blocked to the Block Bots page of your Expedited WAF dashboard.
Notes
- By default, Expedited WAF blocks user agents which don’t match real browsers (missing or malformed agents).
Resources
Learn more about User Agents.