SSL is a crucial part of any web app with a login session. As Firesheep demonstrated, HTTPS everywhere is the path forward for modern web apps. Heroku follows this with our own login-protected apps, from the management interface to the Dev Center.
Announcing Better SSL For Your App
Today, we're announcing two new features to make it as easy as possible for you to secure your app running on Heroku with SSL.
First, all apps now have piggyback SSL by default. Prepend https to the hostname for any Heroku app (https://yourapp.herokuapp.com for Cedar and https://yourapp.heroku.com for Aspen/Bamboo) and you'll piggyback on the *.herokuapp.com SSL certificate. No special configuration is needed, just access the app with https and you're secure by default.
Then, for apps running on custom domains, we have a new SSL product that unifies and simplifies our SSL add-on lineup: SSL Endpoint.
SSL Endpoint is priced identically to SSL Hostname ($20/mo) but offers these additional benefits:
- Instant provisioning
- Client IP address is forwarded to application as
X-Forwarded-For - Better validation of certificate files
- Rollback of certificate changes
Try It Out
SSL Endpoint is easy to use: add the add-on to your app, then upload your certificate and private key.
$ heroku addons:add ssl:endpoint
-----> Adding SSL endpoint to myapp... done, v20 ($20/mo)
$ heroku certs:add final.crt site.key
-----> Adding certificate to myapp... done.
myapp now served by tokyo-2121.herokussl.com.
You'll get a unique endpoint hostname, such as tokyo-2121.herokussl.com. Create a CNAME record to this hostname for your domain, and you're done.
In setting up SSL for your custom domain you'll still need to purchase an SSL certificate from a provider elsewhere, and configure your DNS. The Dev Center now provides guidance on each of these steps:
- Purchasing an SSL certificate
- Creating a self-signed certificate for testing purposes
- Configuring DNS
- Full docs for SSL Endpoint
SSL Endpoint, like SSL Hostname, will not support naked domains. More detail on issues presented with naked domains can be found here.
Conclusion
With security and privacy as top concerns in this era of digital communication, Heroku wants to make it as easy as possible for your app to be secure and trusted for your users. The internet is increasingly embracing HTTPS everywhere, and HTTPS on Heroku has never been easier.