Disabling SSL for a Heroku App

I recently changed the domain for a Rails app I have running on Heroku. I redirected the original to the new one, and for the last couple of months have been running SSL on both. I tried to remove SSL from the original domain since all it does is redirect.

I did everything I thought I should:

  • Turned off SSL in the app with config.force_ssl = false in production.rb
  • Changed DNS ALIAS and CNAME to point to "myapp.herokuapp.com"
  • Removed the SSL endpoint and certs

If I go to myapp.herokuapp.com, everything is fine, but if I go to myapp.com or www.myapp.com, it automatically tries to take me to the secure version of the site, https://myapp.com, and I get the standard security error warning from my browser.

Am I missing something? Is it a caching issue? Does it just take time for the DNS change to kick in? I've tried on a few machines/browsers, and the issue is consistent across all of them.

Worst case, I can definitely add the SSL Endpoint back on, but it seems like overkill.

Lev asked Jul 21 '13 20:07



1 Answer

config.force_ssl = true enables the Strict Transport Security header (HSTS) with a max-age of one year. See this issue. Such a header forces browsers that support it to contact the server over HTTPS for one year. This is to prevent attacks in which a man in the middle downgrades an HTTPS connection to HTTP.

Moving out of HTTPS for production sites that were served with HSTS is not very easy. You should keep your site served over HTTPS and return HSTS header with max-age=0 to reset the one year setting. The problem is to decide for how long you need to keep HTTPS. To be absolutely sure that all clients are switched, you should do it for one year. You may decide to do it for a shorter period, but at the risk of breaking the site for clients that are visiting infrequently.

Jan Wrobel answered Sep 16 '22 14:09
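The wind-down the answer describes, as an added example that is not part of the answer, of Rails, or of Heroku's code: a framework-free Rack-style middleware (hypothetical name HstsWindDown) that keeps serving HTTPS but sends Strict-Transport-Security: max-age=0, plus a tiny model of a browser's HSTS cache (hypothetical BrowserHstsCache) following RFC 6797. The model shows why the answer insists on keeping HTTPS: a browser only honours the reset when it arrives over a secure connection, so sending max-age=0 over plain HTTP changes nothing. The host name and header values are constructed for the example.

```ruby
require 'time'

# Parse a Strict-Transport-Security header value into a hash of directives,
# e.g. "max-age=31536000; includeSubDomains" =>
# { "max-age" => "31536000", "includesubdomains" => nil }.
def parse_hsts(value)
  value.split(';').each_with_object({}) do |directive, acc|
    name, val = directive.strip.split('=', 2)
    next if name.nil? || name.empty?
    acc[name.downcase] = val
  end
end

# Wind-down middleware (hypothetical): still answers every request, and on
# HTTPS responses overwrites the HSTS header with max-age=0 so browsers drop
# the one-year entry that config.force_ssl = true installed. It deliberately
# does not push clients back to HTTP; the reset must be received over TLS.
class HstsWindDown
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    if env['rack.url_scheme'] == 'https'
      headers['Strict-Transport-Security'] = 'max-age=0'
    end
    [status, headers, body]
  end
end

# Minimal model of a user agent's HSTS cache, keyed by host (hypothetical).
class BrowserHstsCache
  def initialize(now: Time.now)
    @entries = {}
    @now = now
  end

  # RFC 6797 section 8.1: the header is ignored unless the response came over a
  # secure transport. max-age=0 removes the host; a positive max-age (re)sets it.
  def observe(host, scheme, headers)
    return unless scheme == 'https'
    value = headers['Strict-Transport-Security']
    return if value.nil?
    max_age = parse_hsts(value).fetch('max-age', '0').to_i
    if max_age <= 0
      @entries.delete(host)
    else
      @entries[host] = @now + max_age
    end
  end

  # Would this browser rewrite http://host to https://host right now?
  def forces_https?(host)
    expiry = @entries[host]
    !expiry.nil? && expiry > @now
  end
end

# Walk through the scenario from the question with constructed data.
def winddown_demo
  cache = BrowserHstsCache.new
  # Months of force_ssl = true: the browser cached a one-year pin.
  cache.observe('myapp.com', 'https',
                'Strict-Transport-Security' => 'max-age=31536000')
  pinned_before = cache.forces_https?('myapp.com')

  app = HstsWindDown.new(->(_env) { [200, {}, ['ok']] })

  # Reset sent over plain HTTP: the browser ignores it, pin survives.
  _, http_headers, _ = app.call('rack.url_scheme' => 'http')
  cache.observe('myapp.com', 'http', http_headers)
  still_pinned = cache.forces_https?('myapp.com')

  # Same reset received over HTTPS: the entry is removed.
  _, https_headers, _ = app.call('rack.url_scheme' => 'https')
  cache.observe('myapp.com', 'https', https_headers)
  cleared = !cache.forces_https?('myapp.com')

  { pinned_before: pinned_before, still_pinned: still_pinned, cleared: cleared }
end

puts winddown_demo.inspect if __FILE__ == $PROGRAM_NAME
```

In a real deployment the middleware would sit in the production stack in place of the redirect-only behaviour, and the SSL endpoint and certificate stay in place for as long as the answer's trade-off (up to the full year for infrequent visitors) demands; the verification step is simply to fetch https://myapp.com and confirm the response carries Strict-Transport-Security: max-age=0.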