@apinstein
Last active December 16, 2020 10:20
Enforce SSL-only (i.e. disable non-SSL) on Heroku via Apache.

The safest way to prevent any non-SSL traffic is to not have your web server listen on http/port 80. This way, people cannot even accidentally transmit sensitive data in an insecure fashion.

Unfortunately, Heroku doesn't seem to have a switch to DISABLE non-SSL traffic, but at least we can make any non-SSL request die an early death (rejected before the application ever sees it) and so minimize the amount of data ever sent in the clear.

With Apache, this can be done quickly like so:

    # you might need this: RewriteEngine is off by default in .htaccess context
    RewriteEngine On

    # body returned together with the 426 Upgrade Required status
    ErrorDocument 426 "SSL ONLY PLEASE"

    # The Heroku router terminates TLS and passes the client's original scheme
    # to the dyno in X-Forwarded-Proto. Compare against the bare string https:
    # quoting it ('https') makes mod_rewrite compare against the quote
    # characters too, so the header never matches. A missing header also
    # fails the comparison and is rejected.
    RewriteCond %{HTTP:X-Forwarded-Proto} !=https
    # non-redirect status with R= drops the substitution and stops rewriting
    RewriteRule .* - [R=426,L]
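The same check as the rewrite rule above, expressed as a small WSGI middleware so that it can be run and unit-tested offline without an Apache install. This is an added example, not code from the gist or from Heroku; the `ssl_only`, `request_scheme` and `call` names are mine, and the sample `environ` dictionaries are constructed for the demo. It also covers two edge cases the one-line rule handles implicitly: the header being absent entirely, and a comma-joined value from a chain of proxies.

```python
"""Reject any request that did not arrive over HTTPS, judged by the
X-Forwarded-Proto header a TLS-terminating proxy (such as the Heroku router)
sets. Mirrors: RewriteCond %{HTTP:X-Forwarded-Proto} !=https -> 426.

Added illustrative example, not part of the gist."""

UPGRADE_REQUIRED = "426 Upgrade Required"
REJECT_BODY = b"SSL ONLY PLEASE\n"


def request_scheme(environ):
    """Scheme the client used, as reported by the proxy in front of the app.

    Assumption (label, not a Heroku guarantee verified here): the header is
    only trustworthy when every request must pass through a proxy that sets
    or overwrites it. If clients can reach the app directly, treat the header
    as attacker-controlled and rely on wsgi.url_scheme instead.
    """
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    # A chain of proxies may append values ("https, http"); the first entry
    # describes the client-facing hop, which is the one that matters here.
    first = forwarded.split(",")[0].strip().lower()
    # No header at all: fall back to what the local server saw (defaults to
    # http, so a direct plaintext request is still rejected).
    return first or environ.get("wsgi.url_scheme", "http").lower()


def ssl_only(app):
    """Wrap a WSGI app so non-HTTPS requests get 426 Upgrade Required."""

    def middleware(environ, start_response):
        if request_scheme(environ) != "https":
            # RFC 7231 requires an Upgrade header on a 426 response.
            start_response(UPGRADE_REQUIRED, [
                ("Content-Type", "text/plain"),
                ("Upgrade", "TLS/1.2, HTTP/1.1"),
                ("Connection", "Upgrade"),
                ("Content-Length", str(len(REJECT_BODY))),
            ])
            return [REJECT_BODY]
        return app(environ, start_response)

    return middleware


def hello(environ, start_response):
    """Placeholder application that should only ever be reached over HTTPS."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"secure hello\n"]


def call(app, environ):
    """Invoke a WSGI app in-process and return (status, body) for checking."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    app = ssl_only(hello)
    # Constructed sample environments standing in for real requests.
    for env in ({"HTTP_X_FORWARDED_PROTO": "https"},
                {"HTTP_X_FORWARDED_PROTO": "http"},
                {},
                {"HTTP_X_FORWARDED_PROTO": "https, http"}):
        print(env, "->", call(app, env)[0])
```

To verify the real deployment rather than this model of it, send one request with plain `http://` and one with `https://` to the app and confirm the first returns 426 and the second 200; the middleware's `call` helper does the same thing in-process.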

ghost commented Sep 20, 2017

Nice work. Sad Heroku doesn't have a UI to do this. Seems like a pretty basic feature to be able to manage the ports that get forwarded to your instances.
