How To Force HTTPS (SSL/TLS) on Heroku
Enabling HTTPS on Heroku
Before you can force HTTPS connections for clients of your Heroku app, HTTPS/TLS/SSL has to be working for the app in the first place. There are several ways to set that up on Heroku, and picking one is part of a larger decision about the security requirements of your application.
We have a separate guide to help you choose what Heroku SSL/TLS option to use, which dovetails with this article.
Why Force HTTPS
There are two reasons to make sure HTTPS is working across your entire site.
1. Security
Whatever arguments someone might muster that HTTPS isn’t needed on every site no longer matter: Chrome, Firefox, Edge and Safari have all taken steps towards a future in which:
- Plain http connections are marked as insecure.
- Encrypted https connections are treated as the secure default.
Examples include things like:
- Location bar notices of insecure connections ("Not secure" labels and red warnings)
- HTTPS as a prerequisite for newer browser features, which are only exposed to secure contexts (for example geolocation and service workers)
2. Site Canonicalization
It doesn’t seem like it at first glance, but from a technical standpoint the two following URLs could in fact be serving up entirely different websites.
http://example.com
https://example.com
HTTP connects on port 80 and HTTPS connects on port 443, so they are different origins and the server may answer each one differently. Because of this Google treats the HTTP and HTTPS versions of a site as separate, and failing to present a single canonical URL (by redirecting one to the other) can hurt in terms of search rankings and cause general confusion for users.
Prerequisites
What you need to get started:
- The Expedited WAF add-on is set up in front of your application.
How To Force All Traffic to HTTPS on Heroku App
On the Stop Attacks page of your Expedited WAF dashboard:
Notes
- After you’ve successfully converted your entire site to HTTPS (SSL/TLS) we can enable an additional HTTP security header, HSTS (Strict-Transport-Security). It tells browsers to connect to your domain only over HTTPS for the configured max-age, which defeats protocol-downgrade (SSL-stripping) man in the middle attacks on returning visitors. Enable it only once every page, and every subdomain if you use includeSubDomains, works over HTTPS, because browsers will refuse plain HTTP for the whole max-age period.
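The mechanics behind both the HTTPS redirect and the HSTS header, as an added example that is not code from the original page or from Expedited WAF. On Heroku the router terminates TLS and forwards plain HTTP to the dyno, so an app that enforces HTTPS itself has to trust the router's X-Forwarded-Proto header rather than the socket scheme. The WSGI middleware below redirects plain-HTTP requests (301 for GET/HEAD, 308 so other methods keep their body), and only adds Strict-Transport-Security when the hsts flag is turned on, mirroring the note above that HSTS comes after the whole site is on HTTPS. The hostname example-app.herokuapp.com and the request environments are constructed for illustration.

```python
# Added example, not code from the original page or from Expedited WAF.
# Forcing HTTPS from inside a Heroku app: the Heroku router terminates TLS and
# forwards plain HTTP to the dyno, so the app must trust the router's
# X-Forwarded-Proto header to learn how the client actually connected.
# The hostname and app below are hypothetical.
from urllib.parse import quote

HSTS_MAX_AGE = 31536000  # one year, in seconds


def is_https(environ):
    """True when the client-facing connection was HTTPS.

    Only the first value of X-Forwarded-Proto is the client-facing scheme;
    proxies further down the chain append their own. A missing header means
    we cannot prove HTTPS, so treat it as plain HTTP (fail closed)."""
    proto = environ.get("HTTP_X_FORWARDED_PROTO", "")
    return proto.split(",")[0].strip().lower() == "https"


def https_url(environ):
    """Rebuild the request URL with an https scheme, keeping path and query."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = quote(environ.get("PATH_INFO") or "/")
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")


class ForceHTTPS:
    """WSGI middleware: redirect plain-HTTP requests to HTTPS and, once the
    whole site is served over HTTPS, add Strict-Transport-Security."""

    def __init__(self, app, hsts=False):
        self.app = app
        self.hsts = hsts  # leave False until every page works over HTTPS

    def __call__(self, environ, start_response):
        if not is_https(environ):
            # 301 for GET/HEAD; 308 so other methods keep their verb and body
            method = environ.get("REQUEST_METHOD", "GET")
            status = ("301 Moved Permanently" if method in ("GET", "HEAD")
                      else "308 Permanent Redirect")
            start_response(status, [("Location", https_url(environ)),
                                    ("Content-Length", "0")])
            return [b""]

        def start_response_with_hsts(status, headers, exc_info=None):
            headers = list(headers)
            if self.hsts:
                headers.append(("Strict-Transport-Security",
                                f"max-age={HSTS_MAX_AGE}; includeSubDomains"))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_response_with_hsts)


def hello_app(environ, start_response):
    """Minimal application sitting behind the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello over https"]


def handle(app, environ):
    """Drive a WSGI app with one request; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def heroku_request(method, path, query="", proto="http"):
    """Constructed WSGI environ resembling what the Heroku router forwards
    to a dyno (hypothetical app hostname)."""
    return {
        "REQUEST_METHOD": method,
        "HTTP_HOST": "example-app.herokuapp.com",
        "PATH_INFO": path,
        "QUERY_STRING": query,
        "HTTP_X_FORWARDED_PROTO": proto,
        "wsgi.url_scheme": "http",  # the dyno itself always sees plain HTTP
    }


if __name__ == "__main__":
    app = ForceHTTPS(hello_app, hsts=True)
    print(handle(app, heroku_request("GET", "/login", "next=%2Fhome")))
    print(handle(app, heroku_request("GET", "/login", proto="https")))
```

Trusting X-Forwarded-Proto is only safe because the Heroku router (or the WAF in front of it) overwrites the header for every request; an app reachable directly from the internet must not rely on a client-supplied value. The middleware also fails closed: a request with no X-Forwarded-Proto at all is redirected rather than assumed secure.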
Resources
Learn more about HTTPS/TLS/SSL Attacks