Can Heroku force an application to use SSL/TLS?

Issue

You have configured an SSL certificate and now you want your application to use HTTPS for all requests.

Resolution

Redirects need to be performed at the application level as the Heroku router does not provide this functionality. You should code the redirect logic into your application.

Under the hood, the Heroku router (over)writes the X-Forwarded-Proto and X-Forwarded-Port request headers. The app must check X-Forwarded-Proto and respond with a redirect when its value is http rather than https.
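
The check described above, written as framework-agnostic WSGI middleware. This is an added example, not Heroku's code; ForceHTTPS, allowed_hosts, demo_app and call are hypothetical names. It goes slightly beyond the text by validating the Host header before building the redirect target, and it treats a missing X-Forwarded-Proto as plain HTTP.

```python
from urllib.parse import quote


class ForceHTTPS:
    """Redirect any request the router received over plain HTTP to HTTPS."""

    def __init__(self, app, allowed_hosts):
        self.app = app
        # Assumption: the deployer lists the hostnames the app serves, so a
        # forged Host header cannot steer the redirect to another site.
        self.allowed_hosts = {h.lower() for h in allowed_hosts}

    def __call__(self, environ, start_response):
        # WSGI exposes the X-Forwarded-Proto header as HTTP_X_FORWARDED_PROTO.
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
        if proto == "https":
            return self.app(environ, start_response)

        host = environ.get("HTTP_HOST", "").lower()
        if host not in self.allowed_hosts:
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"Unknown host\n"]

        path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "/"))
        query = environ.get("QUERY_STRING", "")
        location = f"https://{host}{path}" + (f"?{query}" if query else "")
        # 301 for safe methods; 308 keeps the method and body for the rest.
        status = ("301 Moved Permanently"
                  if environ.get("REQUEST_METHOD", "GET") in ("GET", "HEAD")
                  else "308 Permanent Redirect")
        start_response(status, [("Location", location), ("Content-Length", "0")])
        return [b""]


def demo_app(environ, start_response):
    # Hypothetical stand-in for the real application.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"secure\n"]


def call(app, environ):
    """Invoke a WSGI app on a constructed environ; return (status, headers, body)."""
    seen = {}

    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body
```

Trusting X-Forwarded-Proto is only sound because the Heroku router overwrites it; behind any other front end the header is client-controlled unless that proxy does the same.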

Rails:

Use config.force_ssl = true in your config/environments/production.rb or similar.

Node (Express.js):

Use a package to set this up for your app. Some options can be found here: https://www.npmjs.com/search?q=express+ssl

PHP:

You can add directives to the .htaccess file at the root of your project to do this. See this SO post for an example https://stackoverflow.com/a/34065445

Django:

Add the following to your settings file, adding the middleware to your existing MIDDLEWARE list if one exists.

MIDDLEWARE = [
    # SecurityMiddleware must be listed before other middleware
    'django.middleware.security.SecurityMiddleware',
    # ...
]

SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
SECURE_SSL_REDIRECT = True

Note: Waitress has recently started stripping out the HTTP_X_FORWARDED_PROTO headers by default. If using Waitress you'll need to use the --trusted-proxy and --trusted-proxy-headers options documented here so Waitress knows to allow these headers.

Flask:

The Flask Security Guide encourages the use of flask-talisman to enforce SSL. Example setup and usage.

Note: The previously recommended solution (flask-sslify) is no longer maintained.

Java:

Spring Boot example

Java web app example
