I recently set up a Heroku app using the Apache and PHP buildpack. The Apache configuration on Heroku was most likely the default which, if it receives a request to a URL without a trailing slash, e.g.
it’ll redirect to
That alone is fine. However, I was getting redirected from https to http, which was not fine. This is likely due to the presence of a load balancer in front of the Heroku app server, with SSL/TLS being terminated at the load balancer. When a request was made to an https URL without a trailing slash like
the request was secure to the Heroku load balancer but from the load balancer to the Heroku app server, it must have been insecure, e.g.
At that point, Apache would redirect to
and the user would end up going from https to http. To resolve this, and as a best practice, just force https on all URLs. If your chosen server is Apache, this is easily done on Heroku using a .htaccess file with a redirect rule.
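
A redirect rule of the kind described above, as an added example that is not from the original post. It assumes mod_rewrite is enabled, that .htaccess overrides are allowed for the document root, and that the load balancer passes the client's original scheme in the `X-Forwarded-Proto` request header, as the Heroku router does.

```apache
# .htaccess in the document root (added example, not the author's file)
RewriteEngine On

# Do not test %{HTTPS} here. TLS is terminated at the load balancer, so
# Apache only ever sees plain http from it, and a condition such as
# "RewriteCond %{HTTPS} off" would match every request, including those
# the client sent over https, producing an endless redirect loop.

# Redirect only when the client's original request was not https,
# as recorded by the load balancer in X-Forwarded-Proto.
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```

Under the behaviour described above, a request without a trailing slash still gets Apache's http redirect first; this rule then sends the follow-up http request back to https, so the user ends on https after one extra hop.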