Adding SSL to Heroku with Cloudflare
TLDR; Adding SSL to your Heroku app is easier and less expensive if you use CloudFlare.
Heroku & SSL
All Heroku apps already support SSL by piggybacking on Heroku’s SSL certificate (https://your-app-name.herokuapp.com). Unfortunately, if you need SSL on a custom domain, you’ll have to buy Heroku’s SSL endpoint add-on ($20/month) and your own certificate.
Instead of using Heroku’s SSL endpoint, we can alternatively use CloudFlare. CloudFlare is a CDN (content delivery network). They cache and serve your static assets, making your site faster and reducing load on your servers. With the Pro account ($20), they will also handle SSL termination for you.
Cloudflare Pro is $20 a month. The same cost as the Heroku add-on, but it’s easier to setup and you also get all of their CDN/security features (you should be using a CDN anyway).
How to do it?
Head over to cloudflare.com & sign up. They guide you step by step.
In your DNS settings, you’ll want to create a CNAME: yourdomain.com -> yourapp.herokuapp.com.
Finally, in your CloudFlare settings. Enable “Full SSL” for the domain.
The next thing to do is force all http requests in your application to go redirect to https.
In Rails, this can be done by adding the following line to config/environments/production.rb.
config.force_ssl = true
Alternatively, for other Rack apps, you can use the rack-ssl-enforcer gem.