The safest way to prevent any non-SSL traffic is to not have your web server listen on http/port 80. This way, people cannot even accidentally transmit sensitive data in an insecure fashion.
Unfortunately Heroku doesn't seem to have a switch to DISABLE non-SSL traffic, but at least we can make the non-SSL traffic die an early death and hopefully minimize the amount of non-SSL traffic ever sent.
With apache, this can be done quickly like so:
# you might need this
RewriteEngine On