David Kimura PRO said almost 3 years ago on Authentication from Scratch:
You are essentially putting a pause on that thread, so it is not ideal. However, I think that it must be weighed given the situation with potentially leaking or exposing customer emails. This was more of an illustration of one of the things that a developer may not think of that a bad actor may.

I am not sure about Heroku default app servers. I typically would use the Procfile to specify booting up Puma, so that would probably be a non-issue. Their documentation does have a recommendation for using Puma as well. https://devcenter.heroku.com/articles/ruby-default-web-server#production-web-server