How To Force HTTPS (SSL/TLS) on Heroku

Why Force HTTPS

There’s two reasons to make sure HTTPS is working across your site.

1. Security

Whatever arguments someone might muster that HTTPS isn’t needed on every site don’t really matter as Chrome, Firefox, Edge and Safari have all taken steps towards the future being:

  1. Plain http connections being marked as insecure.
  2. Encrypted https connections being marked as secure.

Examples include things like:

  • Location bar notices of insecure connections (red checks and warnings)
  • HTTPS encryption as a prerequisite for advanced HTML features in the browser.

2. Site Canonicalization

It doesn’t seem like it at first glance, but from a technical standpoint the two following URLs could in fact be serving up entirely different websites.

HTTP connects on port 80 and HTTPS connects on port 443. As this is the case Google treats the HTTP and HTTPS versions of sites as separate and failing to present a single canonical URL for the site can hurt in terms of search rankings and general confusion.


What you need to get started:

  1. Expedited WAF add-on is setup in front of your application.

How To Force All Traffic to HTTPS on Heroku App

On the Stop Attacks page of your Expedited WAF dashboard:


  • After you’ve successfully converted your entire site to HTTPS (SSL/TLS) we can enable an additional HTTP Security header HSTS which will prevent man in the middle attacks.


Learn more about DDos Attacks

Try Expedited WAF.
Get a Free Tee.

Option 1: Install Expedited WAF (the Web Application Firewall service that shields your Heroku applications from attacks) from the Heroku Elements Marketplace..

Seven days later we'll ask for some feedback and your (US or Canada only) shipping details.

Option 2: Select a Date & Time below to talk to us about your existing web application security framework and see how Expedited WAF can help better secure your Heroku applications.