Asynchronous provisioning allows add-ons to perform out-of-band provisioning in a first-class way. It’s intended for add-on services that need extended time to set up and help make automated app setup and orchestration easier and less error-prone.

The customer will be billed as soon as the add-on starts provisioning. This means the time and cost of provisioning your service is accounted for in how much a customer pays. As such, you should make every effort to provision expediently so customers get value from your service as quickly as possible.

Add-ons that take longer than 12 hours to provision (or those your service fails to mark as “provisioned” via the API in that time period) will be...


Today we're excited to announce that we've open sourced oclif, a framework for building command line interfaces.

We built oclif to serve as the common foundation for both the Heroku and Salesforce CLIs and to abstract away the common struggles. The framework is now available to any developer for building CLIs large or small. oclif makes building CLIs more accessible by providing you with the patterns and tools to scaffold a working command line interface. It provides a structure for simple to advanced CLIs, including documentation, testing, and plugins for adding new commands.

Screen Shot 2018-03-19 at 11

With oclif you can get up and running with your command line interface quickly, and focus on the...


Editor’s Note: One of the joys of building Heroku is hearing about the exciting applications our customers are crafting. SHIFT Commerce - a platform helping retailers optimize their e-commerce strategy - is a proud and active user of Heroku in building its technology stack. Today, we’re clearing the stage for Ryan Townsend, CTO of SHIFT, as he provides an overview of SHIFT’s journey into building microservices architecture with the support of Apache Kafka on Heroku.


Software architecture has been a continual debate since software first came into existence. The latest iteration of this long-running discussion is between monoliths and microservices – large self-contained applications vs...


Containers, specifically Docker, are all the rage. Most DevOps setups feature Docker somewhere in the CI pipeline. This likely means that any build environment you look at, will be using a container solution such as Docker. These build environments need to take untrusted user-supplied code and execute it. It makes sense to try and securely containerize this to minimize risk.

In this post, we’re going to explore how a small misconfiguration in a build environment can create a severe security risk.

It's important to note that this post does not describe any inherent vulnerability in Heroku, Docker, AWS CodeBuild, or containers in general, but discusses a misconfiguration issue that was...


Observatory by Mozilla helps websites by teaching developers, system administrators, and security professionals how to configure their sites safely and securely.

Let's take a look at the scores Observatory gives for a fairly straightforward Static Buildpack app, https://2017.keeprubyweird.com.

Test Scores

Test Pass Score Explanation
Content Security Policy -25 Content Security Policy (CSP) header not implemented
Cookies 0 No cookies detected
Cross-origin Resource Sharing 0 Content is not visible via cross-origin resource sharing (CORS) files or headers
HTTP Public Key Pinning 0 HTTP Public Key Pinning (HPKP) header not implemented (optional)
HTTP Strict Transport...

Browse the blog archives or subscribe to the full-text feed.