Question

Heroku seems great, but most non-trivial applications require authentication, and conventional authentication schemes require an SSL connection, and it's impossible to get https://your_app_name.com (you can only get https://your_app_name.heroku.com).

So if you're using Heroku, is it that:

  1. You don't mind directing users to another domain (seems pretty bad)
  2. You don't mind forgoing SSL for authentication (seems really bad)
  3. Your app doesn't require authentication

Solution

This is now a moot point. According to the documentation (http://docs.heroku.com/ssl, see http://addons.heroku.com/ for pricing), Heroku now allows custom domains to have SSL through their SSL Endpoint addon.

https://devcenter.heroku.com/articles/ssl-endpoint

Heroku also just announced support for SNI. This will allow them to attach SSL to any domain hosted on Heroku's service. It is still in beta but should get pushed to everyone soon. Heroku continues to improve their security offerings.
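Added example, not part of the original answer or Heroku's code: with SNI the client puts the requested hostname in its unencrypted ClientHello, so a shared front end can choose a per-domain certificate before replying. The sketch below generates real ClientHello bytes in memory with Python's `ssl` module and parses the `server_name` extension; the hostnames, certificate file names and `select_certificate` helper are constructed for illustration.

```python
import ssl

def client_hello(hostname):
    """Raw first flight a TLS client sends; hostname=None omits SNI."""
    ctx = ssl.create_default_context()
    if hostname is None:
        ctx.check_hostname = False      # needed to connect without a name
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass                            # expected: waiting for ServerHello
    return outgoing.read()

def u16(buf, pos):
    return int.from_bytes(buf[pos:pos + 2], "big")

def sni_from_client_hello(data):
    """Return the server_name in a ClientHello record, or None."""
    if len(data) < 5 or data[0] != 22:  # 22 = handshake record
        return None
    body = data[5:5 + u16(data, 3)]
    if not body or body[0] != 1:        # 1 = ClientHello
        return None
    pos = 4 + 2 + 32                    # handshake header, version, random
    pos += 1 + body[pos]                # session id
    pos += 2 + u16(body, pos)           # cipher suites
    pos += 1 + body[pos]                # compression methods
    end = pos + 2 + u16(body, pos)      # end of extensions block
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = u16(body, pos), u16(body, pos + 2)
        pos += 4
        if ext_type == 0:               # server_name extension
            # layout: list_len(2) name_type(1) name_len(2) name
            name_len = u16(body, pos + 3)
            return body[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None

# Constructed tenant table: hostname -> certificate file (hypothetical names)
CERTS = {"www.example.com": "example.pem", "shop.example.org": "shop.pem"}

def select_certificate(data, default="platform-wildcard.pem"):
    """Pick the certificate a shared front end would present."""
    return CERTS.get(sni_from_client_hello(data), default)

if __name__ == "__main__":
    for host in ("www.example.com", "shop.example.org", None):
        print(host, "->", select_certificate(client_hello(host)))
```

A client that sends no SNI falls through to the default certificate, which is the pre-SNI situation the question describes: the server sees only the shared address and cannot tell which custom domain was requested.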

OTHER TIPS

Hey, it's James from Heroku. The inability to use SSL with a custom domain is a problem shared by all multi-tenant platforms, due to a fundamental issue with the SSL protocol. A solution is in the works; we'll post details as soon as we've finalized the plan.

I'm using Twitter's OAuth for authentication on my apps (via twitter-auth).

Generic OpenID or even Facebook Connect would work just as well, as each of these handles the sensitive bits of authentication on somebody else's server.

Authlogic is an authentication gem that has plugins for each of these methods.

However, SSL is now fully supported on Heroku, if you're willing to pay a price that reflects the difficulty in getting SSL to work in a multi-tenant environment.

You can use a custom domain name in Heroku. This is not included in the free account, though. Also, Heroku makes it dead simple to deploy Ruby on Rails apps. Deploying a Ruby on Rails application on a cheap hosting provider that only gives you limited, if any, shell access can be a nightmare. Not to mention Heroku's server is already preconfigured to optimize Ruby on Rails code; likewise, scaling up is just a matter of sliding a scale on the user interface.

With Heroku you can use custom domain names (in the free version too). Scaling is easy, very easy, and they are making it better and better (I'm testing memcached and it works like a charm; delayed job, the backup system and the git integration are great too). The only problem for me, as you wrote, is the SSL...

Licensed under: CC-BY-SA with attribution