Heroku Security Resources How to Choose What SSL/TLS/HTTPS option to use on Heroku

Why are there options?

Different Heroku applications are used for different purposes and it’s important to choose a method of securing data in transit to your application that matches the sensitivity and privacy needs of your application.

Help Me Choose

You can read all of the different options below, but if you’re in a hurry, check your requirements below and we’ll suggest the best option that meets those.

Data Security Regulations Your app needs to conform to data security regulations like PCI, HIPAA, GDPR, CCPA or other US state regulations. Wildcard Subdomains Your app uses many different dynamic subdomains. Example: one.example.com, two.example.com Security Audits An external group is going to conduct a security audit or penetration test against your Heroku application. Security Controls You need security controls in place to counter things like abusive IP addresses, DDOS attacks, or to automatically filter out known bad hosts and attacks against your Heroku application.

We suggest you use the built in Heroku ACM You didn't choose any of the extra requirements above so you should most likely be good with Heroku's built in SNI/ACM/Lets Encrypt option. You didn't choose any of the extra requirements above so you should most likely be good with Heroku's built in SNI/ACM/Lets Encrypt option. Heroku SNI is a great free option for simple websites with low security requirements. Heroku SNI is a great free option for simple websites with low security requirements.

We suggest you use the Heroku SSL Add-On The Heroku SSL add-on let you install custom certifiates into a managed SSL terminating instance separate from your Heroku application. The Heroku SSL add-on let you install custom certifiates into a managed SSL terminating instance separate from your Heroku application. wildcard sub-domain support is no problem as a custom wildcard SSL/TLS certificate will be installed into the SSL Endpoint as part of the Expedited SSL Setup of Wildcard certificates. Your need foris no problem as a custom wildcard SSL/TLS certificate will be installed into the SSL Endpoint as part of the Expedited SSL Setup of Wildcard certificates. Your need to secure multiple unique domains can be accomodated by using Fly.io together with the SSL Endpoint. As this is a complicated architectural change we would recommend you set up a time to talk with a support engineer before implementing anything.

We suggest you use the Expedited WAF Add-On Expedited WAF provides security controls necessary to pass security audits and meet data regulations. It will also enforce secure TLS 1.2+ connections and reject unencrypted HTTP traffic. Expedited WAF provides security controls necessary to pass security audits and meet data regulations. It will also enforce secure TLS 1.2+ connections and reject unencrypted HTTP traffic. wildcard sub-domain support is no problem as a custom wildcard SSL/TLS certificate will be installed onto the WAF for you as part of the setup. Your need foris no problem as a custom wildcard SSL/TLS certificate will be installed onto the WAF for you as part of the setup. Your need to secure multiple unique domains can be accomodated by using Fly.io together with Expedited WAF. As this is a complicated architectural change we would recommend you set up a time to talk with a support engineer before implementing anything.

What’s the Difference Between SSL/TLS/HTTPS

SSL stands for Secure Sockets Layer and was the orginal term used to describe the system of encrypting traffic between websites and clients (like browsers).

TLS stands for Transport Layer Security and more accurately describes the encryption process at work, but outwardly performs the same task as “SSL”.

HTTPS stands for HyperText Transport Protocol Secure and is the protocol enabled by SSL/TLS certificates and infrastrcture. It’s best thought of as how applications use SSL/TLS certificates.

What you need to know about TLS versions

In the same way that different browsers and browser versions support different sets of features like Flexbox, Flash, or CSS Grid. Web servers and clients support different versions of the TLS protocol with varying levels of compatabiilty and security.

In order from oldest and least secure to newest and most secure:

SSL Should not be used under any circumstances. TLS 1.0 Should not be used. TLS 1.1 Minimum to support for applications that need compatibility with older devices like early Android phones. TLS 1.2 Minimum safe level for applications that prioritize security. TLS 1.3 Newest and most secure TLS version

Heroku Options for HTTPS