How do I disable support for TLS 1.0 or 1.1 on a Heroku App?


How do I disable TLS 1.0 and/or 1.1 (leaving only TLS 1.2 or both TLS 1.1 and 1.2) for apps running on Heroku?


Heroku offers several different ways to terminate TLS/SSL. Whether you can disable TLS 1.0 and/or 1.1 depends on which TLS termination method is configured for your app.

Common Runtime

Automated Certificate Management / Free Heroku SSL (SNI)

Unfortunately, we cannot change the available protocols for applications using Automated Certificate Management or the free Heroku SSL (SNI). You will have to switch to the SSL Endpoint add-on or move to Private Spaces.

SSL Endpoint Add-on

We can disable any protocols you want on a per customer/app basis but this does impact the browsers and clients that can connect to your application. Some older browsers would no longer be able to connect to your app, so we'd ask you to perform your own investigation into whether this would impact your site's visitors before making this request.

If you'd like to proceed, you can open a ticket to request disabling TLS 1.0 for your app that's using the SSL Endpoint Add-on. Before opening a ticket please ensure you have the SSL endpoint add-on provisioned on your app and an SSL certificate uploaded to it.

Private Spaces

The default suite supports TLSv1.1 and TLSv1.2 (but not TLSv1.0). It provides good security and is compatible with a large range of browsers and clients.

For more details and instructions on changing the cipher suites view the Private Spaces documentation.

Ask on Stack Overflow

Engage with a community of passionate experts to get the answers you need

Ask on Stack Overflow

Heroku Support

Create a support ticket and our support experts will get back to you

Contact Heroku Support
Terms of Service Privacy Cookies © 2021