How to Choose What SSL/TLS/HTTPS option to use on Heroku

Why are there options?

Different Heroku applications are used for different purposes and it’s important to choose a method of securing data in transit to your application that matches the sensitivity and privacy needs of your application.

Help Me Choose

You can read all of the different options below, but if you’re in a hurry, check your requirements below and we’ll suggest the best option that meets those.

Your app needs to conform to data security regulations like PCI, HIPAA, GDPR, CCPA or other US state regulations.

Your app uses many different dynamic subdomains. Example: one.example.com, two.example.com

An external group is going to conduct a security audit or penetration test against your Heroku application.

You need security controls in place to counter things like abusive IP addresses, DDOS attacks, or to automatically filter out known bad hosts and attacks against your Heroku application.

We suggest you use the built in Heroku ACM

You didn't choose any of the extra requirements above so you should most likely be good with Heroku's built in SNI/ACM/Lets Encrypt option.

Heroku SNI is a great free option for simple websites with low security requirements.

What’s the Difference Between SSL/TLS/HTTPS

SSL stands for Secure Sockets Layer and was the orginal term used to describe the system of encrypting traffic between websites and clients (like browsers).

TLS stands for Transport Layer Security and more accurately describes the encryption process at work, but outwardly performs the same task as “SSL”.

HTTPS stands for HyperText Transport Protocol Secure and is the protocol enabled by SSL/TLS certificates and infrastrcture. It’s best thought of as how applications use SSL/TLS certificates.

What you need to know about TLS versions

In the same way that different browsers and browser versions support different sets of features like Flexbox, Flash, or CSS Grid. Web servers and clients support different versions of the TLS protocol with varying levels of compatabiilty and security.

In order from oldest and least secure to newest and most secure:

SSL Should not be used under any circumstances.
TLS 1.0 Should not be used.
TLS 1.1 Minimum to support for applications that need compatibility with older devices like early Android phones.
TLS 1.2 Minimum safe level for applications that prioritize security.
TLS 1.3 Newest and most secure TLS version

Heroku Options for HTTPS

Heroku SNI Endpoint (also called ACM or Lets Encrypt) - More Info
What to Use It For Positives Negatives
Marketing sites or other low security applications
  • Free for Hobby and up plans
  • Easy set up from "Settings" pane of your Heroku app
  • Heroku provides the SSL/TLS certificate
  • Not possible to meet regulatory or security requirements for TLS versions.
  • Will not force HTTPS for all connections
  • No Security or Traffic Controls
Heroku SSL Endpoint Add-On - More Info
What to Use It For Positives Negatives
Sites that need to use Wildcard certificates to cover many subdomains (*.example.com)
  • Easy set up with Expedited SSL provided certificates.
  • Wildcard makes adding future subdomains easy
  • Won't meet TLS regulatory requirements by default
  • No Security or Traffic Controls
  • Will not force HTTPS for all connections
Heroku Expedited WAF Add-On - More Info
What to Use It For Positives Negatives
Sites that need to meet regulatory concerns, security audits or advanced security and traffic controls.
  • Easy to set up (one DNS record change)
  • Security controls for blocking web and DDOS attacks, bad bots, geo-blocking, IP blocking and intrustion detection.
  • Enforces TLS 1.2+ connections only
  • Force HTTPS connections only.
Costs more than plain SSL.