Why does my Heroku app support weak cipher suites for SSL/TLS?


I have my Heroku app tested for SSL/TLS security. The result shows that the app supports weak cipher suites.


Heroku try our best to provide a reasonable balance between compatibility and security on the platform. The weak cipher suites are for older versions of a browser that is still supported by the browser vendor.

A Heroku app supports different sets of cipher suites at different endpoints. The Dev Center article HTTP Routing lists supported cipher suites at the default domain and the custom domains for a Common Runtime app. For a Private Space app, supported cipher suites can be chosen from predefined lists.

If necessary, it is possible to provision a proxy add-on like Fastly, Edge, and Expedited CDN which may be able to provide a different set of cipher suites. While not in the Heroku ecosystem, some customers use Cloudflare.

Ask on Stack Overflow

Engage with a community of passionate experts to get the answers you need

Ask on Stack Overflow

Heroku Support

Create a support ticket and our support experts will get back to you

Contact Heroku Support