Two-factor Auth in Public Beta

Today, we’re excited to announce public beta of two-factor authentication for Heroku accounts. With two-factor auth enabled, an authentication code is required whenever you log in. The code is delivered using an app on your smartphone, and access to your phone becomes a required factor (in addition to your password) to access Heroku. An attacker that has somehow discovered your password will not be able to log in using just your password.

Enabling two-factor auth

The easiest way to enable two-factor auth is using Dashboard. Go to your account page, click the “Enable two-factor authentication” button and follow the on-screen instructions.

Enable two-factor auth button

Download an authenticator app for your...

Read more →

Introducing the new PHP on Heroku

PHP developers are makers at heart. The core strength of PHP has always been in creating a tight feedback cycle between developers and their audiences. That strength is the reason why PHP powers so many of the world’s biggest and best web properties such as Facebook and Etsy. But as developers of those and similar apps know, PHP hasn’t always enjoyed some of the runtime, management or infrastructure elements its peer communities like Ruby on Rails, Python with Django, and Node have had for some time.

As one of the web’s largest PHP shops, Facebook has been an advocate and innovator for the language, but it’s been hard for PHP developers beyond Facebook’s walls to take advantage of that...

Read more →

PHP – a look back, a look forward

The history of PHP is the history of the web. Long-time developers will remember how PHP changed the universe of web development. PHP brought two key innovations to the table when it first launched. First, it was interpreted, which meant you could edit a file in place, then refresh the page and see the result. This quick feedback loop was why so many started with PHP and is still a cornerstone of what makes the language so useful. Second, it was the first widespread templating language which enabled intermixing of HTML and PHP code. Every other major web language and framework since PHP has followed suit.

Over time, PHP became a cornerstone of the “LAMP stack”. The LAMP stack consisted of...

Read more →

Beyond Heartbleed: Improved Security for Encrypted Connections

The announcement earlier this month of the “Heartbleed” bug (CVE-2014-0160) in OpenSSL once again focused attention on the technology used to secure communications on the Internet. Heartbleed was a very serious vulnerability and we moved as quickly as possible to patch systems and eliminate this threat on behalf of our customers.

But security is not just about fire drills, there are many steps that can be taken over time to continually improve security. Over the last months we have rolled out several security improvements to Heroku SSL Endpoints, including:

These enhancements have already been rolled out and are in effect for...

Read more →

Heroku Security Bug Bounty

Working with security researchers to ensure the trustworthiness of Heroku’s platform is an ongoing effort of ours. As part of this effort, the Heroku security team, in conjunction with Bugcrowd, is pleased to announce our new security bug bounty program. For each security bug you help find, which helps to ensure our platform is safe and secure, we'll reward you. Our initial rewards will be between $100 and $1500, varying based on the severity of the vulnerability.

Detailed rules and information about the scope of this bounty program are available on our page at Bugcrowd. As was previously the case, customer applications are strictly out of scope for the bounty – but we’ll pass...

Read more →

Browse the blog archives, subscribe to the full-text feed, or visit the engineering blog.