heroku / roadmap

This is the public roadmap for Salesforce Heroku services.

Integrated Web Application Firewall (WAF) and/or DDOS protection #128

Open friism opened 1 year ago

friism commented 1 year ago

Required Terms

What service(s) is this request for?

Runtime, Routing

Tell us about what you're trying to solve. What challenges are you facing?

Currently Heroku customers have to choose and configure add-ons and/or 3rd party services to protect apps running on Heroku from assorted attacks. We have many customers asking us to integrate this into the product for ease-of-use and ease-of-setup.

stevenharman commented 1 year ago

The additional hops and TLS connections needed when using a 3rd party WAF can add unnecessary latency for a certain class of application, e.g., due to extra TLS connections and geographic hops (we can't always co-locate WAF endpoints with Heroku's runtime shards in us-east-1, etc.). For example, we saw our p95 latencies nearly double (from ~150ms to just shy of 300ms) when using a 3rd party WAF. So having it built into the Heroku platform, where we could minimize some of that - like terminating TLS at the WAF and routing plain text from there to the app, b/c it's in the same/peered VPC or something - would be fantastic.

obrientg commented 1 year ago

With Heroku built upon AWS, perhaps the option of leveraging AWS WAF and Shield Advanced for anti-DDoS protections would be an easy win?

chillu commented 1 year ago

We're pretty happy with Cloudflare for this. Given the "surface area" of a typical WAF (configuration, monitoring, alerting, rulesets, etc), I don't see how this would be feasible for Heroku to integrate into their product without some serious configurability limitations.

mrthan commented 11 months ago

For non-private tier apps, the ability to shield behind the likes of Cloudflare and ensure/assure that the *.herokuapp.com domain won't bypass it would be great. mTLS would be great, non-trivial, but great.
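The bypass mrthan describes (traffic reaching the app on its default `*.herokuapp.com` hostname, skipping the WAF entirely) is something the app itself can refuse until the platform offers a switch for it. Below is an added example, not code from this thread, from Heroku or from Cloudflare: a Rack-style middleware that rejects any request which did not demonstrably arrive through the edge. It assumes the edge injects a shared-secret header (the `X-Edge-Shared-Secret` name is hypothetical), that the app is served on a custom domain, and that the edge's egress ranges are known; the CIDRs and IPs in the demo are constructed documentation addresses, not a provider's real ranges.

```ruby
require "ipaddr"

# Rack-style middleware that refuses requests which did not come through the
# edge WAF/CDN in front of a Heroku app. Added example, not Heroku's or
# Cloudflare's code. Assumptions: the edge adds a secret header on every
# proxied request (hypothetical X-Edge-Shared-Secret), the app is served on a
# custom domain, and the edge's egress CIDRs are known (pass the provider's
# published ranges; the values used below are constructed placeholders).
class OriginBypassGuard
  HEADER_ENV          = "HTTP_X_EDGE_SHARED_SECRET" # Rack's env key for the header
  DEFAULT_HOST_SUFFIX = ".herokuapp.com"            # platform default domain, bypasses the edge

  def initialize(app, allowed_hosts:, shared_secret:, edge_cidrs: [])
    @app           = app
    @allowed_hosts = allowed_hosts.map(&:downcase)
    @shared_secret = shared_secret
    @edge_cidrs    = edge_cidrs.map { |c| IPAddr.new(c) }
  end

  def call(env)
    reason = bypass_reason(env)
    return deny(reason) if reason
    @app.call(env)
  end

  # nil when the request is acceptable, otherwise a short reason string that
  # is useful for logging and alerting on bypass attempts.
  def bypass_reason(env)
    host = (env["HTTP_HOST"] || "").split(":").first.to_s.downcase
    return "default_domain"    if host.end_with?(DEFAULT_HOST_SUFFIX)
    return "unknown_host"      unless @allowed_hosts.include?(host)
    return "bad_secret"        unless secure_equal?(env[HEADER_ENV].to_s, @shared_secret)
    return "untrusted_edge_ip" unless from_trusted_edge?(env)
    nil
  end

  private

  def from_trusted_edge?(env)
    return true if @edge_cidrs.empty? # IP check is optional
    # Heroku's router appends the address it accepted the connection from as
    # the last X-Forwarded-For entry; earlier entries are client-controlled.
    xff       = env["HTTP_X_FORWARDED_FOR"].to_s
    candidate = xff.split(",").map(&:strip).last || env["REMOTE_ADDR"]
    return false if candidate.nil? || candidate.empty?
    ip = IPAddr.new(candidate)
    @edge_cidrs.any? { |cidr| cidr.include?(ip) }
  rescue IPAddr::InvalidAddressError
    false
  end

  # Constant-time comparison so the secret cannot be recovered byte by byte
  # from response timing (length is still revealed, as in Rack's own helper).
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def deny(reason)
    [403, { "content-type" => "text/plain", "x-denied-reason" => reason }, ["Forbidden\n"]]
  end
end

if $PROGRAM_NAME == __FILE__
  app   = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok\n"]] }
  guard = OriginBypassGuard.new(app,
                                allowed_hosts: ["www.example.com"],
                                shared_secret: "constructed-demo-secret",
                                edge_cidrs:    ["203.0.113.0/24"]) # constructed placeholder range
  via_edge = { "HTTP_HOST" => "www.example.com",
               "HTTP_X_EDGE_SHARED_SECRET" => "constructed-demo-secret",
               "HTTP_X_FORWARDED_FOR" => "198.51.100.7, 203.0.113.9" }
  direct   = via_edge.merge("HTTP_HOST" => "myapp.herokuapp.com")
  puts "via edge: #{guard.call(via_edge)[0]}"   # 200
  puts "direct:   #{guard.call(direct)[0]}"     # 403, reason default_domain
end
```

Mounting it first in the Rack stack (`use OriginBypassGuard, ...` in `config.ru`) means a scanner that discovers the default hostname gets a uniform 403 instead of the application, and the `x-denied-reason` header gives the WAF team a signal to alert on. mTLS between edge and origin (Cloudflare's "authenticated origin pulls" does this) is the stronger version of the same check, but on a non-private-tier dyno the app never sees the client certificate, which is exactly why the platform-level option requested in this issue matters.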

bf4 commented 8 months ago

I'd be pretty happy to see Heroku's security guide mention what protection the platform currently offers against DDOS and what options might be in the pipeline or via elements or services.