How to Choose What SSL/TLS/HTTPS option to use on Heroku

Why are there options?

Different Heroku applications serve different purposes, and the method you use to secure data in transit to your application should match the sensitivity and privacy requirements of that application.

Help Me Choose

You can read about all of the options below, but if you are in a hurry, check which of these requirements apply to you:

  • Your app needs to conform to data security regulations like PCI DSS, HIPAA, GDPR, CCPA or other US state regulations.
  • Your app uses many different dynamic subdomains. Example: one.example.com, two.example.com
  • An external group is going to conduct a security audit or penetration test against your Heroku application.
  • You need security controls in place to counter things like abusive IP addresses, DDoS attacks, or to automatically filter out known bad hosts and attacks against your Heroku application.

If none of these apply, you should most likely be fine with Heroku's built-in SNI/ACM/Let's Encrypt option. If any do, see the comparison of options further down: wildcard certificates for many subdomains are covered by the SSL Endpoint add-on, and the regulatory, audit and traffic-control requirements by Expedited WAF.

Heroku SNI is a great free option for simple websites with low security requirements.

What’s the Difference Between SSL/TLS/HTTPS

SSL stands for Secure Sockets Layer and was the original term for the protocol that encrypts traffic between websites and clients (like browsers). SSL 2.0 and 3.0 are long retired, but the name survives in product names and in everyday use.

TLS stands for Transport Layer Security and is the IETF successor to SSL (TLS 1.0 replaced SSL 3.0 in 1999). It performs the same outward task as "SSL": authenticating the server with a certificate and encrypting the connection.

HTTPS stands for Hypertext Transfer Protocol Secure and is simply HTTP carried over a TLS connection. The certificate and the TLS infrastructure make the secure channel; HTTPS is how applications use it.

What you need to know about TLS versions

Just as different browsers and browser versions support different sets of features (Flexbox, Flash, CSS Grid), web servers and clients support different versions of the TLS protocol, with varying levels of compatibility and security. A connection uses the highest version both sides support, so the server's configured minimum decides whether a weak version can ever be negotiated.

In order from oldest and least secure to newest and most secure:

  • SSL (2.0 and 3.0): Deprecated (RFC 6176, RFC 7568). Should not be used under any circumstances.
  • TLS 1.0: Deprecated (RFC 8996). Should not be used.
  • TLS 1.1: Deprecated (RFC 8996). All major browsers dropped support in 2020. Should not be used.
  • TLS 1.2: Minimum acceptable version. Expected for PCI DSS compliance and supported by all modern browsers and devices.
  • TLS 1.3: Recommended. Newest and fastest version: a one round-trip handshake, forward-secret (ephemeral) key exchange only, and legacy ciphers such as RC4, 3DES and the CBC-mode suites removed entirely.
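The version list above is only useful if you know what your own endpoint actually negotiates. The following probe is an added example (not code from Heroku or Expedited Security): it pins a Python ssl client context to exactly one protocol version at a time and records which versions the server accepts, then reports any accepted version below the minimum you need. The hostname is a placeholder; run it against your own Heroku custom domain. Note the OpenSSL 3 caveat in the comments: a modern client library refuses TLS 1.0/1.1 by default, which would make the server look stricter than it is.

```python
"""Probe which TLS protocol versions an HTTPS endpoint will negotiate.

Added example, not from Heroku or Expedited Security. The host below is a
placeholder; point it at your own Heroku custom domain.
"""
import socket
import ssl
import sys

# Oldest to newest; ssl.TLSVersion is an IntEnum, so ordering comparisons work.
VERSIONS = [
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]


def _context_for(version):
    """Client context pinned to exactly one protocol version.

    Certificate verification is disabled on purpose: we are testing what the
    server is willing to negotiate, not whether its certificate is valid.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level, which would
    # make every old version look "rejected by the server". Lower the level for
    # the probe only; ignore the error if this OpenSSL build rejects the option.
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx


def probe_tls_versions(host, port=443, timeout=5.0):
    """Return {version: True/False/None}: accepted, refused, or None when the
    local ssl library cannot speak that version at all."""
    results = {}
    for version in VERSIONS:
        try:
            ctx = _context_for(version)
        except ValueError:  # version compiled out of the local OpenSSL
            results[version] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[version] = tls.version() is not None
        except OSError:  # ssl.SSLError, connection reset and timeouts
            results[version] = False
    return results


def weak_versions_accepted(results, minimum=ssl.TLSVersion.TLSv1_2):
    """Versions the server accepted that sit below the required minimum."""
    return [v for v in VERSIONS if results.get(v) is True and v < minimum]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"  # placeholder host
    found = probe_tls_versions(target)
    for v in VERSIONS:
        state = {True: "accepted", False: "refused", None: "not testable locally"}[found[v]]
        print(f"{v.name:8s} {state}")
    weak = weak_versions_accepted(found)
    print("below TLS 1.2:", ", ".join(v.name for v in weak) if weak else "none")
```

A server that passes this check for TLS 1.2 still needs the per-version detail recorded somewhere an auditor can see, which is why the options that give you no control over accepted versions are a problem for regulated applications.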

TLS Requirements by Compliance Framework

If your application needs to meet compliance requirements, understanding the specific TLS version requirements for each framework is essential. Different standards have varying levels of specificity about which TLS versions are acceptable.

PCI DSS
  Minimum TLS: 1.2
  Details: SSL and early TLS (1.0) had to be retired by 30 June 2018. TLS 1.0 and 1.1 are not considered "strong cryptography"; TLS 1.3 is recommended.

HIPAA
  Minimum TLS: 1.2, with 1.3 recommended
  Details: The Security Rule itself names no TLS version; encryption in transit has been an "addressable" specification. The Security Rule update proposed by HHS in 2025 would make encryption of ePHI in transit mandatory (the cited compliance date is 31 December 2025; confirm the date and wording against the final rule). Follow NIST SP 800-52 Rev 2 for the version and cipher choices.

SOC 2
  Minimum TLS: 1.2+
  Details: No prescriptive TLS version requirement, but auditors expect TLS 1.2 or higher as industry best practice. The focus is on demonstrating due care.

FedRAMP
  Minimum TLS: 1.2
  Details: Follows NIST SP 800-52 Rev 2, which requires TLS 1.2 as the minimum and required support for TLS 1.3 by 1 January 2024. Requires FIPS 140 validated cryptographic modules.

ISO 27001
  Minimum TLS: 1.2+
  Details: The cryptography control (Annex A.10 in the 2013 edition, A.8.24 in the 2022 edition) requires a policy on the use of cryptography but names no TLS version. Auditors interpret it as TLS 1.2 minimum with TLS 1.3 preferred.

For more information on meeting these compliance requirements for your Heroku application, see our Compliance Guide and OWASP Top 10 protection guide.

Heroku Options for HTTPS

Heroku SNI Endpoint (also called ACM or Let's Encrypt)

  What to use it for: Marketing sites or other low-security applications.
  Positives:
    • Free for Hobby and higher plans
    • Easy set-up from the "Settings" pane of your Heroku app
    • Heroku provisions and renews the SSL/TLS certificate
  Negatives:
    • No control over which TLS versions the Heroku router accepts, so regulatory or audit requirements on TLS versions cannot be demonstrated
    • Does not force HTTPS for all connections; the router still accepts plain HTTP and your app has to redirect it
    • No security or traffic controls

Heroku SSL Endpoint Add-On

  What to use it for: Sites that need wildcard certificates to cover many subdomains (*.example.com).
  Positives:
    • Easy set-up with Expedited SSL-provided certificates
    • A wildcard certificate makes adding future subdomains easy
  Negatives:
    • Will not meet TLS regulatory requirements by default
    • No security or traffic controls
    • Does not force HTTPS for all connections

Heroku Expedited WAF Add-On

  What to use it for: Sites that need to meet regulatory requirements, pass security audits or apply advanced security and traffic controls.
  Positives:
    • Easy to set up (one DNS record change)
    • Security controls for blocking web and DDoS attacks, bad bots, geo-blocking, IP blocking and intrusion detection
    • Enforces TLS 1.2+ connections only
    • Forces HTTPS-only connections
  Negatives:
    • Costs more than plain SSL
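Two of the three options above leave "force HTTPS" to your application. On Heroku the router terminates TLS and forwards plain HTTP to the dyno, passing the client's original scheme in the X-Forwarded-Proto header. The WSGI middleware below is an added example (not Heroku's or Expedited Security's code) showing what the application has to do itself: redirect HTTP requests to the HTTPS URL and add a Strict-Transport-Security header to HTTPS responses. It works in front of any WSGI app (Flask, Django and others); the demo app and the request environs are constructed here for illustration, with www.example.com as a placeholder host.

```python
"""Force HTTPS behind the Heroku router (WSGI middleware).

Added example, not Heroku's or Expedited Security's code. The demo app and the
request environs are constructed for illustration.
"""
from urllib.parse import quote

HSTS_VALUE = "max-age=31536000; includeSubDomains"


class ForceHttps:
    """Redirect plain-HTTP requests to HTTPS and add HSTS to HTTPS responses."""

    def __init__(self, app, trust_forwarded_proto=True):
        self.app = app
        # Only trust X-Forwarded-Proto when a proxy you control (the Heroku
        # router) sets it. An app exposed directly to clients could be told
        # "https" by anyone, so there the WSGI scheme is the only safe source.
        self.trust_forwarded_proto = trust_forwarded_proto

    def _is_https(self, environ):
        if self.trust_forwarded_proto and "HTTP_X_FORWARDED_PROTO" in environ:
            # Several proxies may have appended values; the first is the client-facing hop.
            first = environ["HTTP_X_FORWARDED_PROTO"].split(",")[0].strip()
            return first.lower() == "https"
        return environ.get("wsgi.url_scheme") == "https"

    def __call__(self, environ, start_response):
        if not self._is_https(environ):
            host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            location = "https://" + host + quote(environ.get("PATH_INFO") or "/")
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            # 301 is fine for GET/HEAD; 308 keeps the method and body for anything else.
            method = environ.get("REQUEST_METHOD", "GET")
            status = "301 Moved Permanently" if method in ("GET", "HEAD") else "308 Permanent Redirect"
            start_response(status, [("Location", location), ("Content-Length", "0")])
            return [b""]

        def hsts_start_response(status, headers, exc_info=None):
            # Replace any HSTS header the app set so one consistent policy goes out.
            headers = [(k, v) for k, v in headers if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return self.app(environ, hsts_start_response)


def hello_app(environ, start_response):
    """Minimal WSGI app standing in for your real application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello over TLS\n"]


def run(app, environ):
    """Call a WSGI app directly and return (status, headers, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def heroku_environ(proto, method="GET", path="/login", query="next=%2Faccount"):
    """Constructed request environ shaped like what the Heroku router forwards."""
    return {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "QUERY_STRING": query,
        "HTTP_HOST": "www.example.com",  # placeholder host
        "HTTP_X_FORWARDED_PROTO": proto,
        "wsgi.url_scheme": "http",  # the router-to-dyno hop is always plain HTTP
    }


app = ForceHttps(hello_app)

if __name__ == "__main__":
    print(run(app, heroku_environ("http"))[:2])   # redirect to https://www.example.com/login?...
    print(run(app, heroku_environ("https"))[:2])  # 200 with Strict-Transport-Security
```

Hand `app` to gunicorn (or whatever server your Procfile starts) in place of the bare application. Start with a short HSTS max-age while you confirm every subdomain really serves HTTPS, since browsers will refuse plain HTTP for the whole period once they have seen the header. With the Expedited WAF option the redirect and TLS enforcement happen at the edge, so the middleware becomes a second line of defence rather than the only one.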

Get Started

  • Install Expedited WAF
  • Book a Security Review