
@apinstein
Last active December 16, 2020 10:20
Enforce SSL-only (i.e. disable non-SSL) on Heroku via Apache.

The safest way to prevent any non-SSL traffic is to not have your web server listen for plain HTTP on port 80 at all. That way nobody can even accidentally transmit sensitive data in the clear.

Unfortunately Heroku doesn't seem to have a switch to DISABLE non-SSL traffic, but at least we can make the non-SSL traffic die an early death and hopefully minimize the amount of non-SSL traffic ever sent. Heroku's router terminates TLS and tells the dyno which scheme the client used via the X-Forwarded-Proto header, so that header is what we check.

With Apache, this can be done quickly like so:

    # you might need this if mod_rewrite is not already enabled for this directory
    RewriteEngine On

    # Reject any request whose forwarded scheme is not https with 426 Upgrade Required.
    # The header value is matched as a case-insensitive regex; a missing header also fails.
    ErrorDocument 426 "SSL ONLY PLEASE"
    RewriteCond %{HTTP:X-Forwarded-Proto} !^https$ [NC]
    RewriteRule .* - [R=426,L]
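As an added example (not code from the gist), the same X-Forwarded-Proto check done as a redirect instead of a 426, plus an HSTS header so browsers stop sending plain HTTP at all on later visits; it assumes mod_rewrite, mod_setenvif and mod_headers are loaded and that AllowOverride allows them in .htaccess.

```apache
# Added example, not the gist's own config: .htaccess fragment for an app behind Heroku's router.
# Assumes mod_rewrite, mod_setenvif and mod_headers are available in this context.
RewriteEngine On

# Heroku terminates TLS at the router and reports the client's original scheme in
# X-Forwarded-Proto. Anything that is not "https" (a missing header included)
# is sent a permanent redirect to the HTTPS URL for the same host and path.
RewriteCond %{HTTP:X-Forwarded-Proto} !^https$ [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]

# Flag requests that did arrive over HTTPS so HSTS is attached only to those
# responses; the header is meaningless (and ignored by browsers) over plain HTTP.
SetEnvIfNoCase X-Forwarded-Proto "^https$" forwarded_https

# Tell browsers to use HTTPS for this host for one year, which removes the
# plain-HTTP first request (and therefore the redirect) on subsequent visits.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=forwarded_https
```

`includeSubDomains` commits every subdomain of the host to HTTPS as well, so drop it if any subdomain still has to serve plain HTTP.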
KonstantinCodes commented Nov 16, 2016

Thanks 👍 Worked for me.
You could also redirect to SSL: https://wiki.apache.org/httpd/RewriteHTTPToHTTPS

This led me to:

    RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]


ghost commented Sep 20, 2017

Nice work. Sad Heroku doesn't have a UI to do this. Seems like a pretty basic feature to be able to manage the ports that get forwarded to your instances.
