Security
- News
- Last Updated: July 09, 2015
- Balan Subramanian
In February, we announced Heroku Enterprise, with collaboration and management capabilities for building and running your app portfolio in a governable and secure way on Heroku. We also introduced fine-grained access controls with app privileges as a beta feature. Today, we are pleased to announce general availability of this feature: Heroku Enterprise accounts are now automatically enabled for fine-grained access controls. We’re very happy to deliver this feature that many of our largest customers have requested.
“Enterprises need greater visibility around applications and scalability, and Heroku Enterprise adds those features to the core Heroku value proposition,” said Matthew Francis, …
- Engineering
- Last Updated: March 28, 2024
- David Gouldin
Celery is by far the most popular library in Python for distributing asynchronous work using a task queue. If you’re building a Python web app, chances are you already use it to send email, perform API integrations, etc.

Many people choose Redis as their message broker of choice because it’s dead simple to set up: provision a Redis add-on, use its environment variable as your BROKER_URL, and you’re done. But the simplicity of Redis comes at a cost. Redis does not currently support SSL, and it doesn’t seem like that’s going to change any time soon.

Because Heroku …
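The practical consequence of the paragraph above is that whatever ends up in BROKER_URL decides whether the broker password and every task payload cross the network in cleartext. The following start-up check is an added example, not code from the Heroku post or from Celery: it assumes the URL lives in an environment variable named BROKER_URL (the name used above), and the scheme and host policy it applies is this example's own. Note that the post predates native TLS in Redis; Redis 6 added a TLS listener, which is what the rediss:// scheme targets here.

```python
"""Pre-flight check for a Celery broker URL read from the environment.

Added example (not from the Heroku post). Assumes the broker URL is in the
BROKER_URL environment variable; the classification of schemes and hosts
below is this example's own policy, not Celery's.
"""
import os
from urllib.parse import urlparse

# Scheme -> transport security. Plain redis:// and amqp:// send the password
# and every task payload in cleartext; rediss:// and amqps:// wrap the
# connection in TLS (rediss:// needs a TLS-capable Redis or a TLS terminator
# such as stunnel in front of it).
ENCRYPTED_SCHEMES = {"rediss", "amqps"}
PLAINTEXT_SCHEMES = {"redis", "amqp"}
# Plaintext to a loopback address never leaves the host, so it is tolerated.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def assess_broker_url(url):
    """Describe the transport security of a broker URL.

    The returned ``risk`` is one of:
      "ok"              encrypted transport, or plaintext confined to loopback
      "plaintext"       cleartext transport to a non-loopback host
      "unknown_scheme"  a scheme this check does not know how to classify
    """
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    host = (parsed.hostname or "").lower()
    if scheme in ENCRYPTED_SCHEMES:
        risk = "ok"
    elif scheme in PLAINTEXT_SCHEMES:
        risk = "ok" if host in LOOPBACK_HOSTS else "plaintext"
    else:
        risk = "unknown_scheme"
    return {
        "scheme": scheme,
        "host": host,
        "encrypted": scheme in ENCRYPTED_SCHEMES,
        "has_password": parsed.password is not None,
        "risk": risk,
    }


def load_broker_url(env=os.environ, allow_plaintext=False):
    """Read BROKER_URL and refuse to start on a cleartext network broker.

    Pass allow_plaintext=True only for local development. Returns the URL
    unchanged so it can be handed straight to Celery(broker=...).
    """
    url = env.get("BROKER_URL")
    if not url:
        raise RuntimeError("BROKER_URL is not set")
    report = assess_broker_url(url)
    if report["risk"] == "plaintext" and not allow_plaintext:
        raise RuntimeError(
            "BROKER_URL uses %s:// to %s: the broker password and task "
            "payloads would cross the network unencrypted"
            % (report["scheme"], report["host"])
        )
    if report["risk"] == "unknown_scheme":
        raise RuntimeError("unrecognised broker scheme %r" % report["scheme"])
    return url


if __name__ == "__main__":
    # Constructed sample values, not real add-on credentials or hosts.
    for sample in (
        "redis://:s3cret@broker.example.com:6379/0",
        "rediss://:s3cret@broker.example.com:6380/0",
        "redis://localhost:6379/0",
    ):
        print(sample, "->", assess_broker_url(sample)["risk"])
```

Wire `load_broker_url()` into the module that builds your Celery app so that a deploy with a cleartext, off-host broker fails at boot rather than silently shipping credentials over the wire; the loopback exemption is deliberately the only one, since a "private" network segment is not a substitute for TLS.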
- News
- Last Updated: May 06, 2024
- Oren Teich
On Friday January 18, security researcher Benjamin Manns notified Heroku of a security vulnerability related to our add-ons program. At a high level, the vulnerability could have resulted in disclosing our Cross-Site Request Forgery tokens to third parties (these tokens protect against cross-site request forgery, where another site causes a logged-in user’s browser to submit requests on their behalf; a party holding a valid token can bypass that protection).
We quickly addressed the vulnerability and on Sunday, we deployed a patch to remediate the issue. We also reviewed our code for related vulnerabilities and conducted a review of our audit logs to determine the impact of the vulnerability. We found no instances of this issue being exploited.
We wish to thank Mr. Manns …
- News
- Last Updated: January 11, 2013
- Mark McGranaghan
A serious security vulnerability has been found in the Ruby on Rails framework. This vulnerability affects nearly all applications running Rails, and a patch has been made available.
Rails developers can get a full list of their affected Heroku applications by following the instructions here. Please address this security vulnerability by immediately upgrading your affected apps to any of the safe versions of Rails listed below. The following Rails versions have been patched and deemed safe from this vulnerability:
3.2.11
3.1.10
3.0.19
2.3.15
If you do not upgrade, an attacker can trivially gain access to your application, its data, …
- News
- Last Updated: January 10, 2013
- Oren Teich
Heroku recently learned of and resolved a security vulnerability. We want to report this to you, describe how we responded to the incident, and reiterate our commitment to constantly improving the security and integrity of your data and source code.
On December 19, 2012, security researcher Stephen Sclafani notified us of an issue in our account creation system. Using a maliciously crafted HTTP request, an attacker could change the password of a pre-existing Heroku user account, and thus gain control of it. This attack would not disclose the pre-existing password to the attacker (those are stored internally as non-recoverable bcrypt hashes).
…
- News
- Last Updated: March 31, 2010
- Morten Bagai
Ever since we launched the current IP-based solution at $100/month in response to customer demand, we have been pursuing a cheaper and more elegant solution for SSL with custom certificates on Heroku.
Today, we’re happy to announce the public beta of a new SSL add-on that accomplishes this goal. It’s called ssl:hostname, and is priced at $20/month. This new add-on will allow you to enable SSL traffic to your application on any subdomain, such as www.mydomain.com or secure.mydomain.com, using your own SSL certificate. Note that this is a paid beta, and you will be charged for using the add-on through …
- News
- Last Updated: June 03, 2024
- Morten Bagai
Since we returned from a fun and successful Railsconf in Vegas, we have been in full swing completing the rollout of our paid services. The response has been enormous so far, and paid services are now available to all users.
If you’ve checked out the pricing page, you’ve undoubtedly noticed our line-up of a la carte add-ons. We’re really excited about add-ons becoming a key part of our platform, allowing us to seamlessly deliver popular application services and components with the built-in scalability and ease of use you’ve come to expect from Heroku.
We’ve had a solid first …