I have my Heroku app tested for SSL/TLS security. The result shows that the app supports weak cipher suites.
Heroku try our best to provide a reasonable balance between compatibility and security on the platform. The weak cipher suites are for older versions of a browser that is still supported by the browser vendor.
A Heroku app supports different sets of cipher suites at different endpoints. The Dev Center article HTTP Routing lists supported cipher suites at the default domain and the custom domains for a Common Runtime app. For a Private Space app, supported cipher suites can be chosen from predefined lists.
If necessary, it is possible to provision a proxy add-on like Fastly, Edge, and Expedited CDN which may be able to provide a different set of cipher suites. While not in the Heroku ecosystem, some customers use Cloudflare.