TL;DR
Heroku is a mature platform with solid security fundamentals, but the 2022 OAuth token breach raised concerns about their security practices. Since then, they've improved their security posture. The platform provides good isolation, encrypted config vars, and compliance certifications. Still a reasonable choice, but consider modern alternatives for new projects.
What is Heroku?
Heroku is one of the original Platform-as-a-Service (PaaS) providers, now owned by Salesforce. It pioneered the git-push deployment model and remains popular for its simplicity. Supports multiple languages with buildpacks and has a rich add-on ecosystem.
2022 Security Incident: In April 2022, Heroku suffered a breach where OAuth tokens were stolen, leading to unauthorized access to private GitHub repos. This damaged trust, though they've since improved security practices.
Our Verdict
What's Good
- Mature, battle-tested platform
- SOC 2, ISO certified
- Dyno isolation
- Encrypted config vars
- Private spaces (Enterprise)
What to Watch
- 2022 breach history
- Aging platform (less innovation)
- Shared infrastructure on basic tiers
- Higher pricing vs alternatives
Security Features
| Feature | Common Runtime | Private Spaces |
|---|---|---|
| Dyno isolation | Container-based | Dedicated VPC |
| Network | Shared | Private network |
| Compliance | SOC 2 | SOC 2, HIPAA eligible |
| Cost | $ | $$$$ |
Config Vars (Secrets)
Heroku config vars are the primary way to manage secrets:
- Encrypted at rest: Config vars are encrypted
- Injected at runtime: Available as environment variables
- Not in build logs: Hidden from output by default
- Audit logging: Available on higher tiers
Rotate After 2022: If you used Heroku before April 2022 and connected GitHub, ensure you've rotated all secrets and reviewed GitHub access.
Post-Incident Improvements
Since the 2022 incident, Heroku has:
- Required MFA for all accounts
- Rebuilt GitHub integration from scratch
- Enhanced token storage security
- Improved monitoring and detection
Should You Use Heroku?
| Use Case | Recommendation |
|---|---|
| Existing Heroku apps | Fine to continue, stay updated |
| Enterprise (Private Spaces) | Reasonable choice |
| New projects | Consider Railway, Render, Fly.io |
| Tight budget | Better alternatives exist |
Is Heroku safe after the 2022 breach?
Heroku has improved their security since the breach, including mandatory MFA and rebuilt integrations. The platform is reasonably safe, but the incident showed gaps in their security practices that competitors didn't have.
Should I migrate away from Heroku?
Not necessarily. If your app runs well on Heroku, you can stay. However, for new projects, Railway, Render, or Fly.io offer similar ease of use with better pricing and more active development.
Are my secrets safe on Heroku?
Config vars are encrypted and reasonably secure. The 2022 breach affected OAuth tokens specifically, not config vars. Still, practice defense in depth with secret rotation and monitoring.