Why Force HTTPS
There are two reasons to make sure HTTPS is working across your site.
Whatever arguments someone might muster that HTTPS isn’t needed on every site don’t really matter, as Chrome, Firefox, Edge and Safari have all taken steps towards a future in which:
- http connections are marked as insecure.
- https connections are marked as secure.
Examples include things like:
- Location bar notices of insecure connections (red checks and warnings)
- HTTPS encryption as a prerequisite for advanced HTML features in the browser.
2. Site Canonicalization
It doesn’t seem like it at first glance, but from a technical standpoint the two following URLs could in fact be serving up entirely different websites.
HTTP connects on port 80 and HTTPS connects on port 443. Because of this, Google treats the HTTP and HTTPS versions of a site as separate, and failing to present a single canonical URL for the site can hurt search rankings and cause general confusion.
What you need to get started:
- The Expedited WAF add-on is set up in front of your application.
How To Force All Traffic to HTTPS on Heroku App
On the Stop Attacks page of your Expedited WAF dashboard:
- After you’ve successfully converted your entire site to HTTPS (SSL/TLS) we can enable an additional HTTP security header, HSTS, which will prevent man-in-the-middle attacks.
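A check for the two outcomes this page configures, the HTTP-to-HTTPS redirect and the HSTS header, as an added Python example (not Expedited WAF's or Heroku's code). The response tuples are constructed sample data, `www.example.com` is a placeholder host, and requiring a 301/308 redirect is this example's assumption.

```python
import re
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797); None if invalid."""
    seen = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if not name:
            continue                         # tolerate empty segments ("a;;b")
        if name in seen:
            return None                      # each directive may appear only once
        seen[name] = arg.strip().strip('"')  # max-age may be a quoted-string
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None                          # max-age is required
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}

def check_https_enforcement(http_resp, https_resp, canonical_host):
    """Each response is (status, headers). Returns findings; empty list = pass."""
    findings = []
    status, headers = http_resp
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    target = urlsplit(location)
    if status not in (301, 308):             # assumption: permanent redirect expected
        findings.append(f"http: no permanent redirect (status {status})")
    elif target.scheme != "https" or target.hostname != canonical_host:
        findings.append(f"http: redirect goes to {location!r}, not the canonical host")
    status, headers = https_resp
    raw = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    hsts = parse_hsts(raw) if raw is not None else None
    if hsts is None:
        findings.append("https: Strict-Transport-Security missing or invalid")
    elif hsts["max_age"] == 0:
        findings.append("https: max-age=0 tells the browser to drop the policy")
    return findings

# Constructed sample responses (not captured from a real site).
GOOD_HTTP = (301, {"Location": "https://www.example.com/"})
GOOD_HTTPS = (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
# HSTS sent over plain HTTP is ignored by browsers, so this still fails.
BAD_HTTP = (200, {"Strict-Transport-Security": "max-age=31536000"})
BAD_HTTPS = (200, {})

if __name__ == "__main__":
    print(check_https_enforcement(GOOD_HTTP, GOOD_HTTPS, "www.example.com"))
    print(check_https_enforcement(BAD_HTTP, BAD_HTTPS, "www.example.com"))
```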
If you need help with improving your application's security, you can Book a Demo (free) to talk to a security engineer about your application security and compliance requirements. If you're ready to go, you can add the Expedited WAF add-on to your Heroku application in about 15 minutes.