How To Force HTTPS (SSL/TLS) on Heroku

Why Force HTTPS

There are two reasons to make sure HTTPS is working across your site.

1. Security

Whatever arguments someone might muster that HTTPS isn’t needed on every site don’t really matter, as Chrome, Firefox, Edge and Safari have all taken steps toward a future in which:

  1. Plain http connections are marked as insecure.
  2. Encrypted https connections are marked as secure.

Examples include:

  • Location bar notices of insecure connections (red checks and warnings)
  • HTTPS encryption as a prerequisite for advanced HTML features in the browser.

2. Site Canonicalization

It doesn’t seem like it at first glance, but from a technical standpoint the two following URLs could in fact be serving up entirely different websites.

http://example.com

https://example.com

HTTP connects on port 80 and HTTPS connects on port 443. Because of this, Google treats the HTTP and HTTPS versions of a site as separate, and failing to present a single canonical URL for the site can hurt search rankings and cause general confusion.

Prerequisites

What you need to get started:

  1. The Expedited WAF add-on is set up in front of your application.

How To Force All Traffic to HTTPS on Heroku App

On the Stop Attacks page of your Expedited WAF dashboard:

Notes

  • After you’ve successfully converted your entire site to HTTPS (SSL/TLS), we can enable an additional HTTP security header, HSTS, which will prevent man-in-the-middle attacks.
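
A way to verify both results from the outside once HTTPS is forced (an added example, not part of the original page or of Expedited WAF): it checks that the response to a plain http request is a permanent redirect to an https URL, and that the https response carries a usable HSTS header. The function names and the sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

def _header(headers, name):
    """Case-insensitive header lookup; returns '' when absent."""
    return next((v for k, v in headers.items() if k.lower() == name), "")

def check_http_redirect(status, headers):
    """Findings for the response to a plain http:// request."""
    location = _header(headers, "location")
    if not (300 <= status < 400 and location):
        return ["http request is answered directly instead of redirected"]
    findings = []
    # A relative Location stays on http, so it is flagged as well.
    if urlsplit(location).scheme != "https":
        findings.append("redirect target is not an https URL")
    # Permanent redirects tell clients and crawlers that https is canonical.
    if status not in (301, 308):
        findings.append(f"redirect is temporary ({status}); use 301 or 308")
    return findings

def check_hsts(headers):
    """Findings for the Strict-Transport-Security header of an https response."""
    value = _header(headers, "strict-transport-security")
    if not value:
        return ["HSTS header missing"]
    max_age = None
    for part in value.split(";"):
        key, _, val = part.partition("=")
        val = val.strip().strip('"')
        if key.strip().lower() == "max-age" and val.isdigit():
            max_age = int(val)
    if max_age is None:
        return ["HSTS header has no valid max-age"]
    if max_age == 0:
        return ["max-age=0 tells browsers to drop the HSTS policy"]
    return []

# Constructed sample responses (not captured from a real site).
GOOD_HTTP = (301, {"Location": "https://example.com/"})
WEAK_HTTP = (302, {"location": "http://www.example.com/"})
GOOD_HTTPS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

if __name__ == "__main__":
    for label, (status, headers) in (("good", GOOD_HTTP), ("weak", WEAK_HTTP)):
        print(label, check_http_redirect(status, headers) or "ok")
    print("hsts", check_hsts(GOOD_HTTPS) or "ok")
```

Feed it the status and headers from a request to the http:// URL and from the https:// URL; browsers ignore HSTS headers received over plain http, so only the https response counts for `check_hsts`.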

Resources

Learn more about DDoS Attacks
