
Security

We’re excited to announce a significant enhancement to how Heroku Enterprise customers connect their deployment pipelines to GitHub Enterprise Server (GHES) and GitHub Enterprise Cloud (GHEC). The new Heroku GitHub Enterprise Integration is now available in a closed pilot, offering a more secure, robust, and permanent connection between your code repositories and your Heroku apps.

Salesforce customers often leverage third-party or custom services to extend their orgs, and they do so with two common options: Connected Apps and External Services. Connected Apps let third-party vendors or custom code call Salesforce APIs using long-lived OAuth tokens, while External Services call vendor APIs through declarative configurations with vendor-managed hosting, scaling, and endpoint security. While both approaches deliver functionality, the dynamic security threat landscape challenges us to continuously improve the risk posture and governance of our applications.

Heroku AppLink improves your security model and provides a managed bridge between Salesforce and Heroku, so developers or vendors can deploy services in any language and expose them as native Salesforce actions. Heroku AppLink automatically handles authentication, service discovery, and request validation while its service mesh and short-lived credentials mean that your integrations no longer depend on stored credentials or exposed endpoints. Development teams can reuse existing code and libraries instead of rewriting in Apex, admins get centralized visibility into connections and authorizations, and security teams gain tighter trust boundaries across both Connected App and External Service scenarios.

Many advanced users want to use GitHub Actions with their applications on Heroku. Now there’s a straightforward way to use these great systems together, and to meet strong security and compliance requirements at the same time.

A Solution for GitHub IP Range Restrictions

Heroku is a powerful platform that offers robust CI/CD capabilities and secure, scalable environments for deploying applications. However, GitHub Orgs cannot be configured with Heroku IP ranges, which can be a requirement for some organizations’ security rules. While this is under consideration, we want to share an alternative that leverages GitHub Actions, Heroku’s ability to run arbitrary …

We are thrilled to announce that Heroku Automated Certificate Management (ACM) now supports wildcard domains for the Common Runtime!

Heroku ACM’s support for wildcard domains streamlines your cloud management by allowing Heroku’s Certificate management to cover all your desired subdomains with only one command, reducing networking setup overhead and providing more flexibility while enhancing the overall security of your applications.

This highly requested feature is here, and in this blog post, we'll dive into what wildcard domains are, why you should use them, and the new possibilities this support brings to Heroku ACM.

What’s a Wildcard Domain and Why Should …

Add-on Controls for Heroku Teams

At Heroku, trust and security are top priorities and we’ve been steadily adding more security controls to the platform. Recently, we launched SSO for Heroku Teams, and today, we’re excited to announce more enhancements for teams: add-on controls. Previously, this feature was only available to Heroku Enterprise customers.

The Elements Marketplace has add-ons built by our partners that help teams accelerate app development on Heroku. Add-ons can interact with your team’s data and apps, so it’s important to manage and audit which add-ons your team uses. Enabling add-on controls helps keep your data …

Today, we’re pleased to introduce a security feature addition for Heroku pay-as-you-go customers: Single Sign-On (SSO). SSO makes it easy to centralize and manage access to all the various tools and services used by your employees. Previously, SSO was only available for Heroku Enterprise. SSO improves the employee experience in several ways. You can use any identity provider (IdP) with built-in SSO support for Heroku, or custom authentication solutions that support the SAML 2.0 standard.

Cybersecurity Threat Mitigation

Usernames and passwords are prime targets for cybercriminals. Frequently, individuals use the same password across multiple platforms. In …

TLS and HTTPS encryption have become foundational primitives and a requirement for running any app or service on the internet. Many Heroku customers asked us through our public roadmap to make Heroku Automated Certificate Management available to all dyno types, including our Eco subscription. We’re thrilled to announce that Automated Certificate Management (ACM) and manual certificate support are now available for apps running on Eco dynos. You can manually add certificates, or use Heroku ACM to make getting set up with HTTPS quick and simple.

Certificates handled by ACM automatically renew one month before they expire. New certificates are created automatically …

Summary

Subdomain reuse, also known as subdomain takeover, is a security vulnerability that occurs when an attacker claims a hostname that a target's DNS records still point to, and so takes control of traffic meant for the target. Typically, this happens when an application is deprecated but its DNS record is left behind: the attacker registers the released hostname and directs the residual traffic to a host that they control.

As of 14 June 2023, we changed the format of the built-in herokuapp.com domain for Heroku apps. This change improves the security of the platform by preventing subdomain reuse. The new format is <app-name>-<random-identifier>.herokuapp.com. Previously, the format was <app-name>.herokuapp.com. The new format for built-in herokuapp.com domains is on by default for all users.
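The change above matters most for CNAME records that you still have pointing at herokuapp.com. As an added example (not code from this post or from Heroku), here is a small audit that scans a zone export for CNAME targets under herokuapp.com, tells the legacy `<app-name>.herokuapp.com` format apart from the new `<app-name>-<random-identifier>.herokuapp.com` format, and flags records whose target no longer belongs to a live app. The zone file and the set of live targets are constructed sample data; the app-name rule (lowercase letters, digits and dashes, starting with a letter) and the shape of the random identifier (assumed here to be 12 lowercase hex characters) are assumptions of the example, not a specification.

```python
"""Audit CNAME records for dangling herokuapp.com targets (added example, not Heroku's code)."""
import re

HEROKU_SUFFIX = ".herokuapp.com"
# Assumption: the post-June-2023 built-in domain ends in "-<12 lowercase hex chars>".
RANDOM_ID_RE = re.compile(r"^(?P<app>[a-z][a-z0-9-]*?)-(?P<rid>[0-9a-f]{12})$")
# Assumption: an app name is 2-30 chars of [a-z0-9-] starting with a letter.
APP_NAME_RE = re.compile(r"^[a-z][a-z0-9-]{1,29}$")


def classify_target(target):
    """Return ("new", app) | ("legacy", app) | (None, None) for a CNAME target."""
    host = target.rstrip(".").lower()
    if not host.endswith(HEROKU_SUFFIX):
        return None, None
    label = host[: -len(HEROKU_SUFFIX)]
    if "." in label:  # nested labels are not a built-in app domain
        return None, None
    m = RANDOM_ID_RE.match(label)
    if m:
        # Edge case: a legacy app literally named "<x>-<12 hex>" would also land here.
        return "new", m.group("app")
    if APP_NAME_RE.match(label):
        return "legacy", label
    return None, None


def parse_zone(zone_text):
    """Yield (owner, target) for CNAME lines of a BIND-style export; ';' starts a comment."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        parts = line.split()  # "owner [ttl] [IN] CNAME target"
        if "CNAME" not in parts:
            continue
        i = parts.index("CNAME")
        records.append((parts[0].rstrip("."), parts[i + 1].rstrip(".")))
    return records


def audit(zone_text, live_targets):
    """Return (owner, target, format, verdict) for every herokuapp.com CNAME.

    A legacy-format target that is no longer live is the classic takeover case: anyone
    can create an app with that name and receive the traffic. A new-format target that
    is no longer live cannot be re-created by an attacker (the random identifier is not
    reproducible), but the stale record should still be removed.
    """
    findings = []
    for owner, target in parse_zone(zone_text):
        kind, _app = classify_target(target)
        if kind is None:
            continue
        if target.lower() in live_targets:
            verdict = "ok"
        elif kind == "legacy":
            verdict = "takeover-exposed"
        else:
            verdict = "dangling-unclaimable"
        findings.append((owner, target, kind, verdict))
    return findings


# Constructed sample zone; none of these are real records.
SAMPLE_ZONE = """
; constructed sample zone
www.example.com.      300 IN CNAME shop-1a2b3c4d5e6f.herokuapp.com.
legacy.example.com.   300 IN CNAME old-promo.herokuapp.com.
beta.example.com.     300 IN CNAME beta-app.herokuapp.com.
retired.example.com.  300 IN CNAME retired-9f8e7d6c5b4a.herokuapp.com.
mail.example.com.     300 IN MX    10 mail.example.com.
api.example.com.      300 IN CNAME api.example-cdn.net.
"""
# Constructed: targets that currently resolve to an app you still own.
LIVE_TARGETS = {"shop-1a2b3c4d5e6f.herokuapp.com", "beta-app.herokuapp.com"}

if __name__ == "__main__":
    for owner, target, kind, verdict in audit(SAMPLE_ZONE, LIVE_TARGETS):
        print(f"{owner:22} -> {target:40} [{kind}] {verdict}")
```

In practice you would build `LIVE_TARGETS` from `heroku domains` output or from the app list your team owns, and treat every `takeover-exposed` finding as a record to delete or re-point before anything else.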

Why It's …

2022 was a transformational year for Heroku. In this post, we share how we’ve been enriching the Heroku developer experience in 2022, especially since committing to Heroku’s Next Chapter. We are dedicated to supporting our customers of all sizes who continue to invest and build their projects, careers, and businesses on Heroku.

Public Roadmap

As part of our commitment to increase transparency, the Heroku roadmap went live on GitHub in August 2022. The public roadmap has grown with the participation of many of our customers. Thank you for engaging with us about the future of Heroku. We want to …

At Salesforce, we strive to balance the security of your data and apps with an efficient and enjoyable user experience. Last year, we shortened login sessions for the Heroku Dashboard to 12 hours to improve security. Starting today, users can stay logged in for up to 24 hours. Even better, if you have multi-factor authentication (MFA) enabled and use the Heroku Dashboard daily, your session can be extended up to 10 days before you need to log in again. If you are idle on the Dashboard for more than 24 hours, you must re-authenticate. SSO-enabled users were not impacted by …

Subscribe to the full-text RSS feed for Security.