Posts by Tom Maher

OAuth as Single Sign On

Today, we're announcing the release of a key part of our authentication infrastructure - - under the MIT license. This is the service that accepts passwords on login and manages all things OAuth for our API. The repo is now world-readable at . Pull requests welcome.

While OAuth was originally designed to allow service providers to delegate some access on behalf of a customer to a third party, and we do use it that way too, Heroku also uses OAuth for SSO. We'd like to take this opportunity to provide a technical overview.

A quick bit of terminology

We use the term "properties" to refer to public-facing sites owned and...

Extended Validation SSL Certificates on Heroku

Heroku is now using Extended Validation SSL Certificates for most of our Heroku-owned applications. This allows you to tell at a glance whether a URL belongs to Heroku itself or is merely hosted on us.

Fancy Pants cert in action

Applications in our legacy “Bamboo” stack are hosted under the DNS domain, which has historically made it difficult for people to differentiate between Heroku-owned apps (e.g.,, and customer applications. We believe the extra UI indication will prove useful in solving this problem.

For more information, see "EV SSL Certificates and Heroku-owned Applications" on Heroku DevCenter.

-Tom Maher
Heroku Security Team

The Heroku Security Researcher Hall of Fame

Starting today, Heroku would like to publicly thank all the independent security researchers who have practiced responsible disclosure and helped us remediate issues.

The Heroku Security Researcher Hall of Fame lists these researchers, along with the date of their initial report. If you've found a new security issue on our platform, we'd love to hear from you.

Our intent is for this list to be comprehensive, going back to our beginning. If you’ve reported a vulnerability to us in the past, and you’re either not listed or you’d like your listing changed (e.g., typos, change a link) or removed entirely, just let us know.

Ground Rules:

  • Customer applications are ineligible for...
