SSL is enforced on .app and .dev domains


All requests to my .app and/or .dev domains on my app are being inexplicably redirected to using SSL without any such configuration in my app or DNS settings.


All domains with the .app and .dev TLD come with the HSTS (HTTP Strict Transport Security) protocol preloaded at the DNS layer. This technology allows enforcement of the HTTPS protocol for all requests made to this domain before it even hits the underlying app. This means that without a valid SSL certificate, it is not possible for visitors to even reach your app.

Since there is no way to remove this requirement for these domains, a valid SSL certificate must be in place on your app for it to be accessible via domains with either of these TLDs.

You can find a thorough explanation regarding this here. Furthermore, if you would like to confirm that your domain has HSTS preloaded, you can use this tool to do so.

Ask on Stack Overflow

Engage with a community of passionate experts to get the answers you need

Ask on Stack Overflow

Heroku Support

Create a support ticket and our support experts will get back to you

Contact Heroku Support