How do I disable TLS 1.0 and/or 1.1 (leaving only TLS 1.2 or both TLS 1.1 and 1.2) for apps running on Heroku?
Heroku offers several different ways to terminate TLS/SSL. Whether you can disable TLS 1.0 and/or 1.1 depends on which TLS termination method is configured for your app.
Automated Certificate Management / Free Heroku SSL (SNI)
Unfortunately, we cannot change the available protocols for applications using Automated Certificate Management or the free Heroku SSL (SNI). You will have to switch to the SSL Endpoint add-on or move to Private Spaces.
SSL Endpoint Add-on
We can disable any protocols you want on a per customer/app basis, but doing so affects which browsers and clients can connect to your application. Some older browsers would no longer be able to connect to your app, so we ask that you investigate whether this would impact your site's visitors before making this request.
If you'd like to proceed, you can open a ticket to request disabling TLS 1.0 for your app that's using the SSL Endpoint Add-on. Before opening a ticket, please ensure you have the SSL Endpoint Add-on provisioned on your app and an SSL certificate uploaded to it.
Private Spaces
The default suite supports TLSv1.1 and TLSv1.2 (but not TLSv1.0). It provides good security and is compatible with a large range of browsers and clients.
For more details and instructions on changing the cipher suites, see the Private Spaces documentation.
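To confirm which protocol versions an endpoint actually accepts after a change, with either the SSL Endpoint Add-on or Private Spaces, the following added example (not Heroku tooling and not part of the original article) attempts one handshake per TLS version and compares the result with the intended policy. The host name `www.example.com` is a placeholder, and the function names are chosen for this example.

```python
import socket
import ssl
import warnings

VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def accepts(host, port, version, timeout=5.0):
    """Return True if the server completes a handshake pinned to one version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probing protocol support only, no data is sent
    try:
        # Recent OpenSSL builds refuse TLS 1.0/1.1 on the client side unless the
        # security level is lowered; without this the probe reports a false "off".
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (OSError, ValueError):  # ssl.SSLError is a subclass of OSError
        return False

def probe(host, port=443):
    """Probe every version in VERSIONS and return {name: accepted}."""
    return {name: accepts(host, port, v) for name, v in VERSIONS.items()}

def policy_violations(results, must_be_off=("TLSv1.0",)):
    """Compare probe results with the intended policy; TLS 1.2 must stay on."""
    problems = [f"{name} is still accepted" for name in must_be_off if results.get(name)]
    if not results.get("TLSv1.2"):
        problems.append("TLSv1.2 was not negotiated (endpoint down or probe client restricted)")
    return problems

if __name__ == "__main__":
    host = "www.example.com"  # placeholder: replace with your app's custom domain
    results = probe(host)
    for name, ok in results.items():
        print(f"{name}: {'accepted' if ok else 'refused'}")
    for problem in policy_violations(results):
        print("WARNING:", problem)
```

If TLS 1.2 is also reported as refused, treat the whole run as inconclusive: the probing machine's TLS library or network path is the likely cause, not the endpoint's protocol settings.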