How to Choose What SSL/TLS/HTTPS option to use on Heroku
Why are there options?
Different Heroku applications are used for different purposes and it’s important to choose a method of securing data in transit to your application that matches the sensitivity and privacy needs of your application.
Help Me Choose
You can read about all of the options below, but if you’re in a hurry, the three recommendations that follow map the common requirements (none, wildcard or multiple domains, compliance and security controls) to the option that fits.
We suggest you use the built in Heroku ACM
If you have none of the extra requirements (wildcard sub-domains, multiple unique domains, or regulatory and audit controls), Heroku's built-in SNI/ACM/Let's Encrypt option is most likely all you need.
<p/>
Heroku SNI is a great free option for simple websites with low security requirements.
</h4>
We suggest you use the Heroku SSL Add-On
The Heroku SSL add-on lets you install custom certificates into a managed TLS-terminating endpoint that runs separately from your Heroku application.
<p/>
<span class='wildcard-addendum'>
Your need for <strong>wildcard sub-domain support</strong> is no problem: a custom wildcard SSL/TLS certificate is installed into the SSL Endpoint as part of the Expedited SSL wildcard certificate setup.<p/>
</span>
<span class='multidomain-addendum'>
Your need to secure <strong>multiple unique domains</strong> can be accommodated by using Fly.io together with the SSL Endpoint. As this is a complicated architectural change, we recommend you set up a time to talk with a support engineer before implementing anything.
</span>
</h4>
We suggest you use the Expedited WAF Add-On
Expedited WAF provides security controls necessary to pass security audits and meet data regulations. It will also enforce secure TLS 1.2+ connections and reject unencrypted HTTP traffic.
Your need for wildcard sub-domain support is no problem: a custom wildcard SSL/TLS certificate is installed onto the WAF for you as part of the setup.
Your need to secure multiple unique domains can be accommodated by using Fly.io together with Expedited WAF. As this is a complicated architectural change, we recommend you set up a time to talk with a support engineer before implementing anything.
</h4>
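Both the built-in SNI/ACM option and the SSL Endpoint leave HTTP-to-HTTPS redirection to the application; only the WAF option does it for you. If you stay on one of the first two, the redirect has to live in the app, and on Heroku it must key off the X-Forwarded-Proto header that the Heroku router sets, because the dyno itself only ever sees plain HTTP from the router. The WSGI middleware below is an added example written for this page, not code from Heroku or Expedited Security; the canonical_host parameter, the hello app and the sample environ dictionaries are constructed for illustration.

```python
"""WSGI middleware that forces HTTPS behind the Heroku router.

Added example for this page, not code from Heroku or Expedited Security.
Heroku terminates TLS at the router and forwards the client's original scheme
in the X-Forwarded-Proto header, so the app must check that header rather
than the socket it is listening on. Trust the header only when the app is
reachable solely through a proxy that sets it; otherwise a client can forge it.
"""
from urllib.parse import quote

HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def original_scheme(environ):
    """Scheme of the client's request as seen by the proxy.

    Falls back to wsgi.url_scheme if the proxy header is absent. If several
    proxies appended values, the first (leftmost) is the client-facing one.
    """
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    first = forwarded.split(",")[0].strip().lower()
    return first or environ.get("wsgi.url_scheme", "http")


def https_location(environ, canonical_host=None):
    """Rebuild the requested URL with an https scheme, keeping path and query.

    canonical_host (assumed parameter) pins the redirect target so a spoofed
    Host header cannot turn the redirect into an open redirect.
    """
    host = canonical_host or environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = quote(environ.get("SCRIPT_NAME", "")) + quote(environ.get("PATH_INFO", ""))
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")


class ForceHTTPS:
    """Redirect plain-HTTP requests to HTTPS and add HSTS to HTTPS responses."""

    def __init__(self, app, canonical_host=None):
        self.app = app
        self.canonical_host = canonical_host

    def __call__(self, environ, start_response):
        if original_scheme(environ) != "https":
            # 301 for safe methods; 308 preserves method and body for the rest.
            method = environ.get("REQUEST_METHOD", "GET").upper()
            status = "301 Moved Permanently" if method in ("GET", "HEAD") else "308 Permanent Redirect"
            location = https_location(environ, self.canonical_host)
            start_response(status, [("Location", location), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            # HSTS only takes effect on an HTTPS response; browsers ignore it on HTTP.
            return start_response(status, headers + [HSTS_HEADER], exc_info)

        return self.app(environ, start_with_hsts)


def run(app, environ):
    """Call a WSGI app once and return (status, headers, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def hello(environ, start_response):
    """Minimal app used to exercise the middleware (constructed for the example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


if __name__ == "__main__":
    # Constructed sample environ, shaped the way the Heroku router presents a request.
    app = ForceHTTPS(hello, canonical_host="app.example.com")
    insecure = {"REQUEST_METHOD": "GET", "HTTP_HOST": "app.example.com",
                "PATH_INFO": "/login", "QUERY_STRING": "next=/",
                "HTTP_X_FORWARDED_PROTO": "http", "wsgi.url_scheme": "http"}
    print(run(app, insecure)[:2])
    secure = dict(insecure, HTTP_X_FORWARDED_PROTO="https")
    print(run(app, secure)[:2])
```

Wrap the application object your Procfile serves (application = ForceHTTPS(application, canonical_host="www.example.com")). Set canonical_host to the domain you actually want users on: without it the redirect echoes whatever Host header arrived. The middleware reads X-Forwarded-Proto as authoritative, which is safe on Heroku because the router is the only path to the dyno; do not reuse it unchanged on a host where clients can reach the app directly.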
What’s the Difference Between SSL/TLS/HTTPS
SSL stands for Secure Sockets Layer and was the original term for the system that encrypts traffic between websites and clients (such as browsers).
TLS stands for Transport Layer Security. It is the successor to SSL (TLS 1.0 replaced SSL 3.0 in 1999) and more accurately describes the encryption process at work, but outwardly it performs the same task as “SSL”.
HTTPS stands for Hypertext Transfer Protocol Secure: it is ordinary HTTP carried inside an SSL/TLS connection, enabled by SSL/TLS certificates and infrastructure. It’s best thought of as how applications use SSL/TLS certificates.
What you need to know about TLS versions
In the same way that different browsers and browser versions support different sets of features like Flexbox, Flash or CSS Grid, web servers and clients support different versions of the TLS protocol, with varying levels of compatibility and security. A connection uses the newest version both ends support, so what matters for security is the oldest version your server still accepts.
In order from oldest and least secure to newest and most secure:
SSL (2.0 and 3.0)
Should not be used under any circumstances. Both are formally prohibited (SSL 2.0 by RFC 6176, SSL 3.0 by RFC 7568).
TLS 1.0
Should not be used. It is deprecated by RFC 8996, and PCI DSS required migration away from it by June 2018.
TLS 1.1
Also deprecated by RFC 8996 and no longer enabled in current browsers, so treat it the same as TLS 1.0. Keep it only as a documented, time-limited exception for applications that must support legacy devices such as early Android phones.
TLS 1.2
Minimum safe level for applications that prioritize security, and the floor that the WAF option below enforces.
TLS 1.3 (RFC 8446)
Newest and most secure TLS version: it drops the legacy key exchanges and cipher suites of earlier versions and completes the handshake in fewer round trips.
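Whichever option you pick, verify the result from outside rather than trusting the control panel: connect once per protocol version with a client pinned to exactly that version and see which handshakes succeed. The script below is an added example written for this page, not a tool from Heroku or Expedited Security. It uses only Python's standard ssl module; the host name www.example.com is a placeholder, and the pass/fail policy in evaluate() is the one stated above (TLS 1.2 or newer only).

```python
"""Probe which TLS protocol versions a host will negotiate.

Added example for this page; not code from Heroku or Expedited Security.
Standard library only. Run against your own host name, e.g.
    python tls_probe.py www.example.com
(www.example.com is a placeholder, not a real target).
"""
import socket
import ssl
import sys

# Versions in the order the page lists them, oldest first. SSL 2.0/3.0 are
# omitted because modern OpenSSL builds cannot even attempt them.
VERSIONS = [
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
]

# Policy from the page: TLS 1.2 is the minimum safe level; 1.0 and 1.1 must
# not be accepted by the server.
ACCEPTABLE = {"TLS 1.2", "TLS 1.3"}


def context_for(version):
    """Build a client context pinned to exactly one protocol version."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL's default security level refuses TLS 1.0/1.1 on the client
        # side; lower it so a failure reflects the server's choice, not ours.
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass
    return ctx


def probe(host, port=443, timeout=5.0):
    """Return {version_name: negotiated_bool} for the host.

    A handshake error is recorded as False. Note that a very old or very new
    local OpenSSL build can refuse a version itself; if every legacy version
    fails, confirm with a second client before calling the server compliant.
    """
    results = {}
    for name, version in VERSIONS:
        ctx = context_for(version)
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() is not None
        except (ssl.SSLError, OSError):
            results[name] = False
    return results


def evaluate(results):
    """Apply the page's policy to probe results.

    Returns (ok, problems): problems lists every accepted version below
    TLS 1.2, plus a note if neither 1.2 nor 1.3 could be negotiated.
    """
    problems = [name for name, accepted in results.items()
                if accepted and name not in ACCEPTABLE]
    if not any(results.get(name) for name in ACCEPTABLE):
        problems.append("no TLS 1.2 or 1.3 support")
    return (not problems, problems)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    found = probe(target)
    for name, accepted in found.items():
        print(f"{name}: {'accepted' if accepted else 'refused'}")
    ok, problems = evaluate(found)
    print("PASS" if ok else "FAIL: " + ", ".join(problems))
```

Run it against the custom domain, not the herokuapp.com hostname, so you exercise the endpoint that will actually serve users. A PASS means the server refused every handshake below TLS 1.2 and accepted at least one of 1.2 or 1.3; the SSL Endpoint and SNI options give you no way to change that result if it fails, which is the gap the WAF option closes.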
Heroku Options for HTTPS
<tr style='background-color: #ededed'>
<th colspan='3'>Heroku SNI Endpoint (also called ACM or Let's Encrypt) - <a href='https://devcenter.heroku.com/articles/automated-certificate-management'>More Info</a></th>
</tr>
<tr>
<th>What to Use It For</th>
<th>Positives</th>
<th>Negatives</th>
</tr>
<tr>
<td>Marketing sites or other low security applications</td>
<td>
<ul>
<li>Free for <a href="https://devcenter.heroku.com/articles/dyno-types">Hobby</a> and up plans</li>
<li>Easy set up from "Settings" pane of your Heroku app</li>
<li>Heroku provides the SSL/TLS certificate</li>
</ul>
</td>
<td>
<ul>
<li>No control over which TLS versions the Heroku router accepts, so TLS-version requirements from regulators or auditors cannot be enforced.</li>
<li>Will not force HTTPS for all connections</li>
<li>No Security or Traffic Controls</li>
</ul>
</td>
</tr>
<tr style='background-color: #ededed'>
<th colspan='3'>Heroku SSL Endpoint Add-On - <a href='https://devcenter.heroku.com/articles/ssl#manually-uploading-certificates-and-intermediaries'>More Info</a></th>
</tr>
<tr>
<th>What to Use It For</th>
<th>Positives</th>
<th>Negatives</th>
</tr>
<tr>
<td>Sites that need to use Wildcard certificates to cover many subdomains (*.example.com)</td>
<td>
<ul>
<li>Easy set up with <a href='https://elements.heroku.com/addons/expeditedssl'>Expedited SSL</a> provided certificates.</li>
<li>Wildcard makes adding future subdomains easy</li>
</ul>
</td>
<td>
<ul>
<li>Won't meet TLS regulatory requirements by default</li>
<li>No Security or Traffic Controls</li>
<li>Will not force HTTPS for all connections</li>
</ul>
</td>
</tr>
<tr style='background-color: #ededed'>
<th colspan='3'>Heroku Expedited WAF Add-On - <a href='https://elements.heroku.com/addons/expeditedwaf'>More Info</a></th>
</tr>
<tr>
<th>What to Use It For</th>
<th>Positives</th>
<th>Negatives</th>
</tr>
<tr>
<td>Sites that need to meet regulatory concerns, security audits or advanced security and traffic controls.</td>
<td>
<ul>
<li>Easy to set up (one DNS record change)</li>
<li>Security controls for blocking web and DDoS attacks, bad bots, geo-blocking, IP blocking and intrusion detection.</li>
<li>Enforces TLS 1.2+ connections only</li>
<li><a href='/heroku/how-to-force-https-on-heroku/'>Force HTTPS</a> connections only.</li>
</ul>
</td>
<td>
Costs more than plain SSL.
</td>
</tr>