I recently changed the domain for a Rails app I have running on Heroku. I redirected the original to the new one, and for the last couple of months have been running SSL on both. I tried to remove SSL from the original domain since all it does is redirect.
I did everything I thought I should:
config.force_ssl = false
in production.rb

If I go to myapp.herokuapp.com, everything is fine, but if I go to myapp.com or www.myapp.com, it automatically tries to take me to the secure version of the site, https://myapp.com, and I get the standard security error warning from my browser.
Am I missing something? Is it a caching issue? Does it just take time for the DNS change to kick in? I've tried on a few machines/browsers, and the issue is consistent across all of them.
Worst case, I can definitely add the SSL Endpoint back on, but it seems like overkill.
It is worth saying that you need to purchase the SSL Endpoint for your application at Heroku, which costs $20/month. Also, you can have a free certificate installed using the Heroku SSL option. For this to be done, please use the following command: heroku certs:add example.
HTTP versions supported Four main versions of HTTP are used in the wild: HTTP/0.9, HTTP/1.0, HTTP/1.1 and HTTP/2. The Heroku router only supports HTTP/1.0 and HTTP/1.1 clients.
Configuring SSL In Heroku, go back to the Settings tab of your application and scroll down to Domain and certificates. You should now see a white button Configure SSL. Click on it. Leave the Automatically option ticked and click on Continue.
Previously, an app on Heroku could only have one TLS termination certificate.
config.force_ssl = true
enables the Strict Transport Security header (HSTS) with a max-age of one year. See this issue. Such a header forces browsers that support it to contact the server over HTTPS for one year. This is to prevent attacks in which a man in the middle downgrades an HTTPS connection to HTTP.
Moving away from HTTPS for production sites that were served with HSTS is not very easy. You should keep your site served over HTTPS and return the HSTS header with max-age=0 to reset the one-year setting. The problem is deciding for how long you need to keep HTTPS. To be absolutely sure that all clients are switched, you should do it for one year. You may decide to do it for a shorter period, but at the risk of breaking the site for clients that visit infrequently.
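As an added example (not part of the original question or answer, and not Rails or Heroku code), the following plain-Ruby model shows why flipping force_ssl off does not stop browsers from going to https://, and why the answer's max-age=0 over HTTPS does. build_hsts_header produces the same header shape Rails' ActionDispatch::SSL sends; HstsCache is a simplified model of a browser's HSTS store (RFC 6797 semantics: the header is only honoured on HTTPS responses, max-age=0 deletes the entry, includeSubDomains covers child hosts). The host names and the fixed clock value are made up for the walkthrough.

```ruby
# Added example: a model of browser HSTS behaviour, not code from Rails,
# Heroku or the original answer. Host names and timestamps are constructed.

ONE_YEAR = 365 * 24 * 60 * 60 # 31536000 s, the max-age Rails' force_ssl sends by default

# Build a Strict-Transport-Security header value in the shape Rails emits.
def build_hsts_header(expires: ONE_YEAR, subdomains: false, preload: false)
  value = "max-age=#{expires.to_i}"
  value << "; includeSubDomains" if subdomains
  value << "; preload" if preload
  value
end

# Parse a header value into { max_age:, subdomains: }; nil if max-age is missing.
def parse_hsts_header(value)
  directives = value.split(";").map { |d| d.strip.downcase }
  max_age = directives.find { |d| d.start_with?("max-age=") }
  return nil unless max_age
  { max_age: max_age.split("=", 2)[1].to_i,
    subdomains: directives.include?("includesubdomains") }
end

# Minimal model of a browser's HSTS store (RFC 6797, section 8.1).
class HstsCache
  def initialize
    @hosts = {} # host => { expires_at:, subdomains: }
  end

  # The browser received +header+ from +host+. A header seen on a plain-HTTP
  # response is ignored; max-age=0 removes the host; otherwise (re)pin it.
  def observe(host, header, over_https:, now:)
    return unless over_https
    policy = parse_hsts_header(header)
    return if policy.nil?
    if policy[:max_age] <= 0
      @hosts.delete(host)
    else
      @hosts[host] = { expires_at: now + policy[:max_age], subdomains: policy[:subdomains] }
    end
  end

  # Would the browser rewrite http://host/... to https:// before sending?
  # Checks the host itself, then parent domains pinned with includeSubDomains.
  def upgrade?(host, now:)
    labels = host.split(".")
    labels.size.times do |i|
      candidate = labels[i..].join(".")
      entry = @hosts[candidate]
      next if entry.nil?
      if entry[:expires_at] <= now
        @hosts.delete(candidate) # expired pin, forget it
        next
      end
      return true if i.zero? || entry[:subdomains]
    end
    false
  end
end

# Replay the situation from the question with a fixed clock.
def demo_scenario
  cache = HstsCache.new
  t0 = 1_700_000_000
  day = 24 * 3600

  # 1. With force_ssl = true, every HTTPS response carried the one-year header.
  cache.observe("www.myapp.com", build_hsts_header, over_https: true, now: t0)
  pinned = cache.upgrade?("www.myapp.com", now: t0 + 60)

  # 2. force_ssl = false only stops sending the header; nothing tells the browser
  #    to forget the pin, so a month later it still rewrites to https://.
  still_pinned = cache.upgrade?("www.myapp.com", now: t0 + 30 * day)

  # 3. max-age=0 served over plain HTTP is ignored by the browser.
  cache.observe("www.myapp.com", build_hsts_header(expires: 0), over_https: false, now: t0 + 31 * day)
  ignored_on_http = cache.upgrade?("www.myapp.com", now: t0 + 31 * day)

  # 4. The answer's fix: keep HTTPS up and serve max-age=0 over it.
  cache.observe("www.myapp.com", build_hsts_header(expires: 0), over_https: true, now: t0 + 31 * day)
  cleared = cache.upgrade?("www.myapp.com", now: t0 + 31 * day)

  { pinned: pinned, still_pinned: still_pinned, ignored_on_http: ignored_on_http, cleared: cleared }
end

puts demo_scenario.inspect if $PROGRAM_NAME == __FILE__
```

In Rails 5 and later, keeping config.force_ssl = true and setting config.ssl_options = { hsts: false } in production.rb is what makes the app emit max-age=0, which is the step 4 header above; the certificate must stay valid for the whole period, since a browser that is still pinned will refuse the http:// fallback and show exactly the error described in the question.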