Heroku App Names, Subdomains, and URLs

Last updated March 12, 2025

Table of Contents

Every Heroku app has a unique app name and subdomain. This article explains how they’re generated and the relationship between them.

App Names

The app name is a unique identifier for your application. It can be a string of lowercase letters, numbers, and dashes, up to 30 characters. You can choose the name on app creation in the dashboard or by running heroku apps:create APPNAME.

For example, if you create an app with the name example-app, you can access its info in the Heroku CLI with heroku apps:info --app example-app.

If you create an app without choosing a name, the platform generates one for you.

The Heroku platform also uses this app name as part of the app’s subdomain.

Subdomains

By default, apps are accessible at their Heroku domains, which have the format of APPNAME-IDENTIFIER.herokuapp.com or APPNAME-IDENTIFIER.DNS-ZONE.herokuapp.com. The subdomain is the APPNAME-IDENTIFIER part, your app name combined with a 12-character random identifier. For example, example-app-1234567890ab.

The exceptions to this format are if you configured Review Apps to use a predictable URL.

You can rename apps at any time, which results in a new subdomain. See Renaming Apps from the CLI for more info. Renaming an app destroys the old subdomain and creates a new one. The addition of the identifier helps to mitigate the reuse of subdomains.

For info on adding custom domains, including adding a custom domain with a subdomain, see Custom Domain Names For Apps.

While your app is available at your subdomain, we strongly recommend adding custom domains for production apps.

Heroku started appending identifiers to subdomains on June 14, 2023. Applications created before this date maintain the old subdomain scheme where the subdomain was the same as the app name. Renaming these apps results in subdomains using the current scheme of APPNAME-IDENTIFIER.herokuapp.com.

Subdomain Reuse Mitigation

A subdomain takeover occurs when an attacker gains control of a target domain. Typically, takeovers happen when an application is deprecated, but its old URL remains active and can still receive traffic from legacy users. An attacker can create an app at that URL and intercept the traffic and provide their own content. This takeover can lead to phishing attacks, cookie theft, and bypassing OAuth allowlisting. The addition of a random identifier helps to prevent subdomain names from being taken over after apps are deleted or renamed.

Configuring Review Apps to use a predictable URL can expose those apps for a possible subdomain takeover.

URLs

By default, apps are accessible at their Heroku domains:

  • Cedar-generation apps have the format of APPNAME-IDENTIFIER.herokuapp.com, where APPNAME-IDENTIFIER is the subdomain. For example, example-app-1234567890ab.herokuapp.com.
  • Fir-generation apps use sharded DNS zones, and have a domain format of APPNAME-IDENTIFIER.DNS-ZONE.herokuapp.com. For example,example-app-1234567890ab.redwood-oregon.herokuapp.com.

For info on adding custom domains, including adding a custom domain with a subdomain, see Custom Domain Names For Apps.

Feedback

Log in to submit feedback.