Expedited CDN

This add-on is operated by Expedited Security

Content Delivery Network tuned for Heroku.

Last updated June 29, 2021

Table of Contents

  • Provisioning the Add-on
  • Post-provisioning Configuration
  • Blocking IP Addresses
  • DDoS HTTP flood protection
  • Forcing HTTPS
  • Caching and Compression for Site Speed
  • Caching Profiles
  • Compression Settings
  • SSL Certificates for HTTPS
  • TLS 1.2 and 1.3
  • Logging
  • Troubleshooting
  • Migrating Between Plans
  • Removing the Add-on
  • Support

Expedited CDN is an add-on that provides a content delivery network (CDN) as a service to improve the speed and availability of your Heroku applications.

Expedited CDN sits in front of your application, caching requests in a worldwide network of asset servers. It algorithmically routes inbound requests to your application based on network availability and geographic location.

Expedited CDN automatically:

  • Speeds up how fast your site loads (CDN)
  • Reduces load on your Heroku application
  • Increases your site’s availability
  • Lets you prioritize network traffic

The add-on also identifies DDoS attacks and abusive traffic. Automated bots continually search the web for vulnerable applications, performing actions like:

  • Scanning for unsecured admin screens
  • Identifying frameworks with known vulnerabilities
  • Brute-forcing passwords
  • Submitting bogus forms to reveal sensitive information

Expedited CDN helps identify all of these malicious actions while speeding up your site.

CDN Overview

Provisioning the Add-on

Prerequisites

Expedited CDN requires that your app has an associated custom domain and that it’s reachable at that domain. Read this article to learn how to configure one for your app.

To complete the setup, you must also have access to change your site’s DNS configuration.

Attach the Add-on to Your Application

A list of all available plans can be found here.

Attach Expedited CDN to a Heroku application via the CLI:

$ heroku addons:create expeditedcdn --app your-app-name
-----> Adding expeditedcdn to sharp-mountain-4005... done, v18 (free)

Post-provisioning Configuration

After provisioning the add-on, click on Expedited CDN from your app’s Resources tab in the Heroku Dashboard to begin setup. You can also open it with the Heroku CLI:

$ heroku addons:open expeditedcdn

The setup walks you through the following steps:

  1. Selecting your domain
  2. Configuring DNS
  3. Testing DNS

Although you have a great degree of flexibility in configuring Expedited CDN, its default configuration is intended to:

  • Minimize risk, hassle, and complexity of setup
  • Work for the majority of Heroku applications
  • Give you a solid base for customizing caching rules

Blocking IP Addresses

From the Block/Allow IPs page of your Expedited CDN dashboard, add each IP or CIDR-notated IP range that you want to block:

Block IPs

All requests from that IP or range are stopped at the CDN and don’t reach your Heroku application.

DDoS HTTP flood protection

Distributed Denial of Service (DDoS) attacks seek to overwhelm your application with illegitimate requests. Network-protocol-based DDoS attempts like UDP floods, ICMP floods, and other attacks are automatically blocked.

Application-level DDoS attempts (where massive numbers of HTTP GET/POST requests are issued in rapid succession) are more difficult to block, because outwardly they look like legitimate traffic.

If you’re currently under DDoS attack or suspect that you will be, set the HTTP Flood (DDOS) Mode setting on the Stop Attacks page of your Expedited CDN dashboard to Filtering. This setting forces each client making requests to be able to execute JavaScript.

HTTP Flood Prevention for DDOS

This requirement eliminates most DDOS HTTP Floods, which are conducted with low-resource, script-based tools that can’t run JavaScript.

IP Protection

You can set URLs to only allow requests from specified IP addresses. This IP protection is often used along with other application-specific security and authorization tools to provide an additional layer of security on high-value URLs, like /admin.

Forcing HTTPS

On the Stop Attacks page, you can set the option to redirect all client requests from HTTP to HTTPS.

Caching and Compression for Site Speed

Expedited CDN improves site speed and page load times in the following ways:

  • It caches assets like images, JavaScript, and CSS on edge servers.
  • It opportunistically compresses data in transit.
  • It uses modern protocols to bundle connections, which reduces latency.

Edge Network Points of Presence

Expedited CDN routes client requests to edge servers located at both geographic population centers and strategic network locations. After filtering for attacks, rules matches, and DDOS signs, Expedited CDN passes these requests to your Heroku application. It compresses and caches responses.

Point of Presence Map

Caching Profiles

Cache profiles outline the broad settings most applicable to your site. They provide a reliable default configuration, which you can modify to match exactly what your site needs.

| Profile | HTML Pages | Redirects | 404s | Assets | Cache-Control Respected |
|---|---|---|---|---|---|
| Full Site Profile | 180 mins | 180 mins | 4 mins | 3 days | No |
| Assets Only Profile | Not Cached | 10 mins | 1 min | 3 days | Yes |

Full Site Profile

Use this profile if your entire site is public, with pages that don’t require users to log in and don’t display different information to different users.

  • Pages cached 180 minutes
  • Redirects cached 180 minutes
  • 404’s cached for 4 minutes
  • Asset files (images, js, and css) cached 3 days
  • Cache-Control headers ignored

Assets Only Profile

Use this profile if your application is mostly dynamic. For example, if pages are customized to the user that is logged in, or update with data in the background.

  • Pages aren’t cached
  • Redirects cached for 10 minutes
  • 404’s cached for 1 minute
  • Asset files (images, js, and css) cached 3 days
  • Cache-Control headers respected

HTTP Response Cache-Control header directives are how your application tells the CDN what URLs to cache and for how long.
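Because the Full Site Profile ignores Cache-Control, a response your application marks as private is still cached at the edge for the profile's duration. The following audit is an added example, not code from Heroku or Expedited Security: it applies the Full Site Profile durations and the asset extension list from this page to a constructed sample of origin responses and reports those whose private, no-store, or no-cache directive would be ignored. The function names, the sample data, and the treatment of status codes the table doesn't list are assumptions.

```python
from urllib.parse import urlsplit

# Asset extensions and Full Site Profile durations (minutes) as listed on this page.
ASSET_EXTS = set("""
    js css png swf jpg jpeg svg svz gif ico mp3 mp4 odf pdf woff woff2 ttf thumb
    webp txt otf 7z aac ai asf avi bmp bz2 doc docx eot eps fla flv gz ind m4a m4v
    mkv mko mpeg oga ogx pptx psd rar rtf tar tgz tiff wav xlsx xml zip zipx
""".split())
FULL_SITE_TTL = {"page": 180, "redirect": 180, "not_found": 4, "asset": 3 * 24 * 60}
PRIVATE_DIRECTIVES = {"private", "no-store", "no-cache"}


def classify(url, status):
    """Map a response to a column of the profile table, or None if unlisted."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    ext = name.rpartition(".")[2].lower() if "." in name else ""
    if status == 404:
        return "not_found"
    if 300 <= status < 400:
        return "redirect"
    if 200 <= status < 300:
        return "asset" if ext in ASSET_EXTS else "page"
    return None  # assumption: other status codes are not covered by the table


def directives(cache_control):
    """Return the lowercase directive names from a Cache-Control header value."""
    return {d.split("=", 1)[0].strip().lower() for d in cache_control.split(",") if d.strip()}


def audit_full_site(responses):
    """Return (url, ttl_minutes, ignored_directives) for each at-risk response."""
    findings = []
    for url, status, cache_control in responses:
        kind = classify(url, status)
        ignored = sorted(directives(cache_control) & PRIVATE_DIRECTIVES)
        if kind and ignored:
            findings.append((url, FULL_SITE_TTL[kind], ignored))
    return findings


# Constructed sample of (URL, status, Cache-Control) from an origin app; not real traffic.
SAMPLE = [
    ("https://example.com/", 200, "public, max-age=300"),
    ("https://example.com/account", 200, "private, no-store"),
    ("https://example.com/users/?id=1", 200, "no-cache"),
    ("https://example.com/users/?id=2", 200, "no-cache"),
    ("https://example.com/static/app.css", 200, "public, max-age=31536000"),
    ("https://example.com/export/report.pdf", 200, "private"),
    ("https://example.com/login", 302, "no-store"),
]
```

Any finding means the site is a candidate for the Assets Only Profile, which respects Cache-Control, rather than the Full Site Profile.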

Asset File Caching Details

The edge network caches asset files such as multimedia files, JavaScript, and CSS typically according to the profiles shown previously.

Modern web frameworks often rename asset files with distinct fingerprints, or provide other means of assisting with asset caching. If those methods aren’t available in your framework, you must manually clear the cache after deploying your application.

Asset File Extensions

Files served by your Heroku application that end in any of the following file extensions are considered assets. Expedited CDN caches these assets for 3 days:

js, css, png, swf, jpg, jpeg, svg, svz, gif, ico, mp3, mp4, odf, pdf, woff, woff2, ttf, thumb, webp, txt, otf, 7z, aac, ai, asf, avi, bmp, bz2, doc, docx, eot, eps, fla, flv, gz, ind, m4a, m4v, mkv, mko, mpeg, oga, ogx, pptx, psd, rar, rtf, tar, tgz, tiff, wav, xlsx, xml, zip, zipx

Versioning Cache URLs

Expedited CDN considers URL parameters to be distinct resources for caching. For example:

https://example.com/users/?id=1

and

https://example.com/users/?id=2

are distinct. Requesting the second doesn’t return the cached results for the first. You can version URLs within your application by appending different URL parameters to any URL that you don’t need cached.

Clearing the Cache Manually

On the Site Speed Up page of your Expedited CDN dashboard, there’s a Clear Cache button. Clicking this button removes all currently cached responses and assets stored across the edge network and served to clients.

Compression Settings

Compression settings are enabled by default and are unlikely to interfere with proper functioning of your application.

Enabling compression doesn’t automatically compress your files, but it supports passthrough compression.

GZip Compression

GZip compresses pages to reduce the overall amount of time spent sending information from the edge network to the user’s browser.

Brotli Compression

Modern browsers can use Brotli compression instead of GZip. This compression helps further reduce the overall amount of time spent sending information from the edge network to the user’s browser.

HTTP2 (“SPDY”)

HTTP2 is an improved protocol for web traffic. It takes fewer resources, uses them more effectively, and gracefully falls back on clients where it’s not supported.

SSL Certificates for HTTPS

All sites are automatically issued a new SSL/TLS certificate as part of their setup. This certificate encrypts communications between clients and the site via HTTPS.

TLS 1.2 and 1.3

Expedited CDN only connects to HTTP clients via TLS 1.2 and TLS 1.3.

Prior versions of TLS and SSL used by legacy HTTP clients aren’t accepted. This prevents downgrade attacks and ensures that your Heroku app can establish secure communications with external clients.

Expedited CDN defaults to TLS version 1.3 (latest) and a set of secure cipher suites. These suites are selected specifically to work with Heroku and provide optimum speed and security.

TLS 1.2+ is a common requirement for GDPR, HIPAA, CCPA, and PCI compliance regulations.

Logging

As the CDN exists between your Heroku application and the general Internet, log entries aren’t passed back to Heroku.

Similarly, requests blocked by the CDN aren’t displayed in the Heroku logs.

Troubleshooting

The most common issues with setting up your CDN relate to DNS and delayed DNS propagation. Check that the built-in DNS tester in the CDN dashboard states you’re set up correctly. If so, the best option is to wait an hour for DNS to fully propagate before making additional changes.

Migrating Between Plans

You can migrate between plans at any time as your security, site traffic, and caching needs change.

Removing the Add-on

Expedited CDN can be removed via the CLI.

This action brings down your running application if you haven’t first migrated your DNS to another endpoint.

$ heroku addons:destroy expeditedcdn --app your-app-name
-----> Removing expeditedcdn from sharp-mountain-4005... done, v20 (free)

Support

Submit all Expedited CDN support and runtime issues via one of the Heroku Support channels. Any non-support related issues or product feedback is welcome at mike@expeditedsecurity.com
