How to Choose What SSL/TLS/HTTPS option to use on Heroku
Why are there options?
Different Heroku applications are used for different purposes and it’s important to choose a method of securing data in transit to your application that matches the sensitivity and privacy needs of your application.
Help Me Choose
You can read all of the different options below, but if you’re in a hurry, check your requirements below and we’ll suggest the best option that meets those.
We suggest you use the built in Heroku ACM
You didn't choose any of the extra requirements above so you should most likely be good with Heroku's built in SNI/ACM/Lets Encrypt option. Heroku SNI is a great free option for simple websites with low security requirements.What’s the Difference Between SSL/TLS/HTTPS
SSL stands for Secure Sockets Layer and was the orginal term used to describe the system of encrypting traffic between websites and clients (like browsers).
TLS stands for Transport Layer Security and more accurately describes the encryption process at work, but outwardly performs the same task as “SSL”.
HTTPS stands for HyperText Transport Protocol Secure and is the protocol enabled by SSL/TLS certificates and infrastrcture. It’s best thought of as how applications use SSL/TLS certificates.
What you need to know about TLS versions
In the same way that different browsers and browser versions support different sets of features like Flexbox, Flash, or CSS Grid. Web servers and clients support different versions of the TLS protocol with varying levels of compatabiilty and security.
In order from oldest and least secure to newest and most secure:
SSL | Should not be used under any circumstances. |
---|---|
TLS 1.0 | Should not be used. |
TLS 1.1 | Minimum to support for applications that need compatibility with older devices like early Android phones. |
TLS 1.2 | Minimum safe level for applications that prioritize security. |
TLS 1.3 | Newest and most secure TLS version |
Heroku Options for HTTPS
Heroku SNI Endpoint (also called ACM or Lets Encrypt) - More Info | ||
---|---|---|
What to Use It For | Positives | Negatives |
Marketing sites or other low security applications |
|
|
Heroku SSL Endpoint Add-On - More Info | ||
What to Use It For | Positives | Negatives |
Sites that need to use Wildcard certificates to cover many subdomains (*.example.com) |
|
|
Heroku Expedited WAF Add-On - More Info | ||
What to Use It For | Positives | Negatives |
Sites that need to meet regulatory concerns, security audits or advanced security and traffic controls. |
|
Costs more than plain SSL. |