Heroku App Names and Subdomains
Last updated August 11, 2024
Table of Contents
Every Heroku app has a unique app name and subdomain. This article explains how they’re generated and the relationship between them.
App Names
The app name is a unique identifier for your application. It can be a string of lowercase letters, numbers, and dashes, up to 30 characters. You can choose the name on app creation in the dashboard or by running heroku apps:create APPNAME.
For example, if you create an app with the name example-app, you can access its info in the Heroku CLI with heroku apps:info --app example-app.
If you create an app without choosing a name, the platform generates one for you.
The Heroku platform also uses this name as part of the app’s URL. The app name combined with a 12-character random identifier forms the subdomain for your app. For example, example-app-1234567890ab.herokuapp.com. The exceptions to this format are if you configured Review Apps to use a predictable URL.
You can rename apps at any time, which results in a new subdomain. See Renaming Apps from the CLI for more info.
Subdomains
By default, apps are accessible at their Heroku domains, which have the format of APPNAME-IDENTIFIER.herokuapp.com.
The subdomain portion consists of the app’s name and a 12-character identifier that’s randomly generated and appended as part of your subdomain on app creation. For example, example-app-1234567890ab.herokuapp.com. The exceptions to this format are if you configured Review Apps to use a predictable URL.
Renaming an app destroys the old subdomain and creates a new one. The addition of the identifier helps to mitigate the reuse of subdomains.
For info on adding custom domains, including adding a custom domain with a subdomain, see Custom Domain Names For Apps.
While your app is available at your subdomain, we strongly recommend adding custom domains for production apps.
Heroku started appending identifiers to subdomains on June 14, 2023. Applications created before this date maintain the old subdomain scheme where the subdomain was the same as the app name. Renaming these apps results in subdomains using the current scheme of APPNAME-IDENTIFIER.herokuapp.com.
Subdomain Reuse Mitigation
A subdomain takeover occurs when an attacker gains control of a target domain. Typically, takeovers happen when an application is deprecated, but its old URL remains active and can still receive traffic from legacy users. An attacker can create an app at that URL and intercept the traffic and provide their own content. This takeover can lead to phishing attacks, cookie theft, and bypassing OAuth allowlisting. The addition of a random identifier helps to prevent subdomain names from being taken over after apps are deleted or renamed.
Configuring Review Apps to use a predictable URL can expose those apps for a possible subdomain takeover.