How To Force HTTPS (SSL/TLS) on Heroku

Enabling HTTPS on Heroku

Before you can force HTTPS connections for clients connecting to your Heroku app, you first need to enable HTTPS/TLS/SSL using one of the several available methods. Which method you pick is part of a larger decision about the security requirements of your application.

We have a separate guide to help you choose what Heroku SSL/TLS option to use, which dovetails with this article.

Why Force HTTPS

There are two reasons to make sure HTTPS is working across your site.

1. Security

Whatever arguments someone might muster that HTTPS isn’t needed on every site no longer really matter, because Chrome, Firefox, Edge and Safari have all taken steps toward a future in which:

  1. Plain http connections being marked as insecure.
  2. Encrypted https connections being marked as secure.

Examples include things like:

  • Location bar notices of insecure connections (red checks and warnings)
  • HTTPS encryption as a prerequisite for advanced HTML features in the browser.

2. Site Canonicalization

It doesn’t seem like it at first glance, but from a technical standpoint the following two URLs could in fact be serving up entirely different websites.

http://example.com

https://example.com

HTTP connects on port 80 and HTTPS connects on port 443. Because of this, Google treats the HTTP and HTTPS versions of a site as separate, and failing to present a single canonical URL for the site can hurt search rankings and cause general confusion.

Prerequisites

What you need to get started:

  1. The Expedited WAF add-on is set up in front of your application.

How To Force All Traffic to HTTPS on Heroku App

On the Stop Attacks page of your Expedited WAF dashboard:

Notes

  • After you’ve successfully converted your entire site to HTTPS (SSL/TLS), we can enable an additional HTTP security header, HSTS (HTTP Strict Transport Security), which protects against man-in-the-middle attacks that try to downgrade clients to plain HTTP.
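For readers who want to see what the "force HTTPS" step and the HSTS note above amount to in code, here is an added WSGI middleware example. It is not Expedited WAF's or Heroku's code; it assumes Heroku's router terminates TLS and passes the client's real scheme in the X-Forwarded-Proto header, and the one-year HSTS max-age is a sample policy.

```python
"""Redirect plain-HTTP requests to HTTPS and send HSTS, as WSGI middleware."""
from urllib.parse import quote

# Sample policy: one year, covering subdomains. Send it only once the whole
# site works over HTTPS, since browsers will then refuse plain HTTP for a year.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def request_is_https(environ):
    """Heroku's router terminates TLS, so the dyno always sees plain HTTP.
    The client's real scheme arrives in X-Forwarded-Proto (HTTP_X_FORWARDED_PROTO
    in WSGI). If several proxies appended values, the first is the client hop."""
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
    scheme = forwarded or environ.get("wsgi.url_scheme", "http")
    return scheme == "https"


def https_location(environ):
    """The canonical https:// form of the requested URL, path and query preserved."""
    host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "")
    path = quote(environ.get("PATH_INFO") or "/")
    query = environ.get("QUERY_STRING", "")
    return "https://%s%s%s" % (host, path, "?" + query if query else "")


class ForceHTTPS:
    """Wrap any WSGI app: HTTP -> permanent redirect; HTTPS -> pass through with HSTS."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not request_is_https(environ):
            # 308 keeps method and body for POST/PUT; 301 is the classic GET redirect.
            method = environ.get("REQUEST_METHOD", "GET")
            status = "301 Moved Permanently" if method in ("GET", "HEAD") else "308 Permanent Redirect"
            start_response(status, [("Location", https_location(environ)), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_with_hsts)


def respond(environ):
    """Drive ForceHTTPS around a trivial app; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    def hello(env, sr):
        sr("200 OK", [("Content-Type", "text/plain")])
        return [b"hello"]

    body = b"".join(ForceHTTPS(hello)(environ, start_response))
    return captured["status"], captured["headers"], body
```

Because the decision is based on X-Forwarded-Proto, this middleware only works correctly behind a proxy that overwrites that header (as the Heroku router does); exposed directly to the internet, a client could set the header itself.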

Resources

Learn more about HTTPS/TLS/SSL Attacks