How do I disable TLS 1.0 (leaving only TLS 1.1 and 1.2) for apps running on Heroku?
Heroku offers several different ways to terminate TLS/SSL. Whether you can disable TLS 1.0 depends on which TLS termination method is configured for your app.
Automated Certificate Management / Free Heroku SSL (SNI)
Unfortunately, we cannot change the available protocols for applications using Automated Certificate Management or the free Heroku SSL (SNI). You will have to switch to the SSL Endpoint addon or move to Private Spaces.
SSL Endpoint Addon
We can disable any protocols you want on a per-customer/app basis, but this does impact the browsers and clients that can connect to your application. Some older browsers would no longer be able to connect to your app, so we'd ask you to perform your own investigation into whether this would impact your site's visitors before making this request.
If you'd like to proceed, you can open a ticket to request disabling TLS 1.0 for your app that's using the SSL Endpoint add-on. Before opening a ticket, please ensure you have the SSL Endpoint add-on provisioned on your app and an SSL certificate uploaded to it.
Private Spaces
By default, the routing infrastructure for Private Spaces apps supports the cipher suites listed in the Dev Center article Routing in Private Spaces on TLS 1.0, TLS 1.1, and TLS 1.2. Of these, TLS 1.0, and TLS_RSA_WITH_3DES_EDE_CBC_SHA on TLS 1.1 and TLS 1.2, can be disabled. Note that disabling those cipher suites may cause your app to fail for some older browsers and operating systems. If you'd like to proceed, please run the following command:
heroku labs:enable spaces-strict-tls --app <app-name>
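To confirm the change took effect, whether through the SSL Endpoint ticket or the spaces-strict-tls flag, you can offer the app one protocol version at a time and see which handshakes complete. The following is an added example, not Heroku tooling; the function names and the host you pass in are assumptions.

```python
import socket
import ssl
import warnings

VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def probe(host, port, version, ciphers="DEFAULT", timeout=5.0):
    """Offer exactly one TLS version; return 'accepted', 'rejected',
    'unreachable' or 'client-unsupported'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only protocol negotiation is tested and no data is sent, so the
    # certificate is not validated here.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # OpenSSL 3.x offers TLS 1.0/1.1 only at security level 0.
        ctx.set_ciphers(ciphers + ":@SECLEVEL=0")
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = version
            ctx.maximum_version = version
    except (ssl.SSLError, ValueError):
        return "client-unsupported"  # local OpenSSL lacks version or cipher
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"  # a TCP failure says nothing about TLS
    with sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "accepted"
        except ssl.SSLError as exc:
            # Do not mistake a client that cannot offer the version for a
            # server that refused it.
            if exc.reason == "NO_PROTOCOLS_AVAILABLE":
                return "client-unsupported"
            return "rejected"
        except OSError:
            return "rejected"  # reset, EOF or timeout during the handshake

def strict_tls_report(host, port=443):
    """Probe each version; after the change TLS 1.0 should be 'rejected'."""
    return {name: probe(host, port, v) for name, v in VERSIONS.items()}
```

For the 3DES suite, call probe with ciphers="DES-CBC3-SHA" (the OpenSSL name for TLS_RSA_WITH_3DES_EDE_CBC_SHA) on TLS 1.1 and TLS 1.2. Many current OpenSSL builds omit 3DES, in which case the result is 'client-unsupported' and the check has to be run from a client that still has it.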