Skip Navigation
Show nav
Dev Center
  • Get Started
  • Documentation
  • Changelog
  • Search
  • Get Started
    • Node.js
    • Ruby on Rails
    • Ruby
    • Python
    • Java
    • PHP
    • Go
    • Scala
    • Clojure
    • .NET
  • Documentation
  • Changelog
  • More
    Additional Resources
    • Home
    • Elements
    • Products
    • Pricing
    • Careers
    • Help
    • Status
    • Events
    • Podcasts
    • Compliance Center
    Heroku Blog

    Heroku Blog

    Find out what's new with Heroku on our blog.

    Visit Blog
  • Log inorSign up
Hide categories

Categories

  • Heroku Architecture
    • Compute (Dynos)
      • Dyno Management
      • Dyno Concepts
      • Dyno Behavior
      • Dyno Reference
      • Dyno Troubleshooting
    • Stacks (operating system images)
    • Networking & DNS
    • Platform Policies
    • Platform Principles
  • Developer Tools
    • Command Line
    • Heroku VS Code Extension
  • Deployment
    • Deploying with Git
    • Deploying with Docker
    • Deployment Integrations
  • Continuous Delivery & Integration (Heroku Flow)
    • Continuous Integration
  • Language Support
    • Node.js
      • Working with Node.js
      • Troubleshooting Node.js Apps
      • Node.js Behavior in Heroku
    • Ruby
      • Rails Support
      • Working with Bundler
      • Working with Ruby
      • Ruby Behavior in Heroku
      • Troubleshooting Ruby Apps
    • Python
      • Working with Python
      • Background Jobs in Python
      • Python Behavior in Heroku
      • Working with Django
    • Java
      • Java Behavior in Heroku
      • Working with Java
      • Working with Maven
      • Working with Spring Boot
      • Troubleshooting Java Apps
    • PHP
      • PHP Behavior in Heroku
      • Working with PHP
    • Go
      • Go Dependency Management
    • Scala
    • Clojure
    • .NET
      • Working with .NET
  • Databases & Data Management
    • Heroku Postgres
      • Postgres Basics
      • Postgres Getting Started
      • Postgres Performance
      • Postgres Data Transfer & Preservation
      • Postgres Availability
      • Postgres Special Topics
      • Migrating to Heroku Postgres
    • Heroku Key-Value Store
    • Apache Kafka on Heroku
    • Other Data Stores
  • AI
    • Model Context Protocol
    • Vector Database
    • Heroku Inference
      • Inference API
      • Quick Start Guides
      • AI Models
      • Inference Essentials
    • Working with AI
  • Monitoring & Metrics
    • Logging
  • App Performance
  • Add-ons
    • All Add-ons
  • Collaboration
  • Security
    • App Security
    • Identities & Authentication
      • Single Sign-on (SSO)
    • Private Spaces
      • Infrastructure Networking
    • Compliance
  • Heroku Enterprise
    • Enterprise Accounts
    • Enterprise Teams
    • Heroku Connect (Salesforce sync)
      • Heroku Connect Administration
      • Heroku Connect Reference
      • Heroku Connect Troubleshooting
  • Patterns & Best Practices
  • Extending Heroku
    • Platform API
    • App Webhooks
    • Heroku Labs
    • Building Add-ons
      • Add-on Development Tasks
      • Add-on APIs
      • Add-on Guidelines & Requirements
    • Building CLI Plugins
    • Developing Buildpacks
    • Dev Center
  • Accounts & Billing
  • Troubleshooting & Support
  • Integrating with Salesforce
  • Security
  • App Security
  • Understanding TLS on Heroku

Understanding TLS on Heroku

English — 日本語に切り替える

Last updated September 30, 2024

Table of Contents

  • When to use Automated Certificate Management (ACM)
  • When to use Heroku SSL

There are two ways to enable TLS for your Heroku app’s custom domains. The options are listed in order of recommended use:

  • Automated Certificate Management (ACM)
  • Heroku SSL

In general, use Automated Certificate Management unless your app requires functionality that ACM doesn’t support. This article provides summaries of the functionality provided by each method.

For enabling TLS on apps in Private Spaces, refer to the documentation here.

TLS is always enabled for .herokuapp.com for Common Runtime apps.

When to use Automated Certificate Management (ACM)

With Automated Certificate Management (ACM), Heroku automatically manages TLS certificates for apps running on the Common Runtime. Certificates handled by ACM automatically renew one month before they expire, and new certificates are created automatically whenever you add a custom domain.

ACM is recommended for most Heroku apps, because:

  • It provides TLS certificates at no additional cost
  • It supports creating certificates for multiple domains
  • It automatically renews TLS certificates before they expire

ACM doesn’t support:

  • Private Space apps using wildcard domains
  • OV/EV certificates
  • Apps using internal routing

If your app requires any of the functionality that ACM doesn’t support, use Heroku SSL instead.

DNS Targets for ACM

DNS targets for ACM end with herokudns.com for Common Runtime apps, or herokuspace.com for Private Spaces apps. For example:

example.com        example.com.herokudns.com
www.example.com    www.example.com.herokudns.com

Or

example.com        random-word-odhsycy1xdsqfbqy8gceaa2d.herokudns.com
*.example.com      random-word-odhsycy1xdsqfbqy8gceaa2d.herokudns.com

Or for Private Spaces

example.com        random-haiku-5196.also-random-3847.herokuspace.com

Note that ACM doesn’t support wildcard domains for Private Spaces

When to use Heroku SSL

Heroku SSL is a free service for apps running on paid dynos that allows you to upload your own TLS certificate. You’re responsible for purchasing and renewing this certificate.

Use Heroku SSL instead of Automated Certificate Management (ACM) if:

  • you want to use an OV/EV certificate
  • your app must support wildcard domains on Private Space apps
  • your app uses internal routing

Heroku SSL uses Server Name Indication (SNI), an extension of the TLS protocol.

DNS Targets for Heroku SSL

DNS targets for Heroku SSL follow these patterns:

example.com        example.com.herokudns.com
www.example.com    www.example.com.herokudns.com
*.example.com      wildcard.example.com.herokudns.com

Keep reading

  • App Security

Feedback

Log in to submit feedback.

WebSocket Security WebSocket Security

Information & Support

  • Getting Started
  • Documentation
  • Changelog
  • Compliance Center
  • Training & Education
  • Blog
  • Support Channels
  • Status

Language Reference

  • Node.js
  • Ruby
  • Java
  • PHP
  • Python
  • Go
  • Scala
  • Clojure
  • .NET

Other Resources

  • Careers
  • Elements
  • Products
  • Pricing
  • RSS
    • Dev Center Articles
    • Dev Center Changelog
    • Heroku Blog
    • Heroku News Blog
    • Heroku Engineering Blog
  • Twitter
    • Dev Center Articles
    • Dev Center Changelog
    • Heroku
    • Heroku Status
  • Github
  • LinkedIn
  • © 2025 Salesforce, Inc. All rights reserved. Various trademarks held by their respective owners. Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, United States
  • heroku.com
  • Legal
  • Terms of Service
  • Privacy Information
  • Responsible Disclosure
  • Trust
  • Contact
  • Cookie Preferences
  • Your Privacy Choices