
Are cookies safe in a Heroku app on herokuapp.com?


Just wanted to post an update for anyone who ran across this question as I did. I was working on a similar problem, except that I wanted to purposefully allow access to the same cookie from two different Heroku apps.

"herokuapp.com" and "herokussl.com" are now on the Public Suffix List, so your cookies should be safe if they are set for one of those domains. I ended up having to use custom domains in order to share cookies across both apps.

Heroku also released an article on the topic: https://devcenter.heroku.com/articles/cookies-and-herokuapp-com


I just tried to add a cookie from my Heroku app with the response header Set-Cookie: name=value;Path=/;Domain=.herokuapp.com, and to my disappointment, I could see the header intact in my browser. So the Heroku infrastructure does not detect and remove this cross-app supercookie.

I see three possible ways to protect a Heroku app against cross-app supercookies:

  • Don't use cookies at all.
  • Use a custom domain.
  • Verify that each cookie was actually set by your app, and restrict it to the client's IP address by checking the X-Forwarded-For header.

My feature request to Heroku would be that they should filter HTTP responses that go through their HTTP routing, such that applications hosted on their infrastructure cannot set cookies with Domain=herokuapp.com.
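To see why the Public Suffix List entry from the accepted answer neutralises the Domain=.herokuapp.com header observed in this answer, here is an added example (not code from either answer) that applies the RFC 6265 section 5.3 domain rules to a Set-Cookie header; the PUBLIC_SUFFIXES set is a constructed excerpt of the real list, and psl_aware=False models a browser that does not consult it.

```python
"""Decide whether a user agent stores a Set-Cookie header for a request host,
following RFC 6265 section 5.3 plus the public-suffix check (added example)."""

# Constructed excerpt of the Public Suffix List; herokuapp.com and
# herokussl.com are genuine entries, as the accepted answer notes.
PUBLIC_SUFFIXES = {"com", "herokuapp.com", "herokussl.com"}


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str]]:
    """Split 'name=value;Attr=val;...' into name, value and lowercase attrs."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals the domain or ends with '.' + domain."""
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def accepts_cookie(request_host: str, set_cookie: str, psl_aware: bool = True) -> bool:
    """Return True if the user agent would store the cookie.

    psl_aware=False models a browser without Public Suffix List knowledge,
    which is what the cross-app supercookie concern relies on.
    """
    host = request_host.lower()
    _, _, attrs = parse_set_cookie(set_cookie)
    # A leading dot on Domain is ignored (RFC 6265 section 5.2.3).
    domain = attrs.get("domain", "").lstrip(".").lower()
    if not domain:
        return True  # host-only cookie: always stored for the request host
    if psl_aware and domain in PUBLIC_SUFFIXES:
        # Section 5.3 step 5: a Domain equal to a public suffix is kept only
        # when the request host *is* that suffix (it then becomes host-only).
        return host == domain
    return domain_matches(host, domain)


if __name__ == "__main__":
    supercookie = "name=value;Path=/;Domain=.herokuapp.com"
    print(accepts_cookie("example.herokuapp.com", supercookie))                   # False
    print(accepts_cookie("example.herokuapp.com", supercookie, psl_aware=False))  # True
    print(accepts_cookie("example.herokuapp.com", "sid=abc;Domain=example.herokuapp.com"))  # True
```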


It seems to me that, as long as you set the cookie for example.herokuapp.com, then the cookie is safe from manipulation. The cookie will only be presented to the app running on example.herokuapp.com and to herokuapp.com (where no app runs).