Reputation: 5236
I have a Heroku app and connected Cloudflare. As far as I know, there is no way to remove a default Heroku domain (app.herokuapp.com), so I forward all requests with Host 'app.herokuapp.com' to 'mydomain.com'. But will Cloudflare secure me from attacks straight to a Heroku domain? If not, is there a way to remove the default domain or hide it somehow?
Upvotes: 4
Views: 2625
Reputation: 1165
You are correct on all points. I am giving you the easy ways for basic offloading of attacks. All methods are towards 301 redirect and/or packet forwarding.
But will Cloudflare secure me from attacks straight to a Heroku domain?
Cloudflare has a service which they call CNAME flattening. A few years back, it was dnsmadeeasy who discovered ANAME. They are not RFC standardised. Many other DNS services have such things. The basic principle is easy. If the app URL is my-ugly-url.herokuapp.com and your custom domain is my-custom.com, then with it you can set:
my-custom.com
@ my-ugly-url.herokuapp.com ( ANAME or ALIAS )
app.my-custom.com CNAME my-ugly-url.herokuapp.com
www.my-custom.com CNAME my-ugly-url.herokuapp.com
Then do a 301 redirection in the application's web server config; app.my-custom.com will redirect to my-ugly-url.herokuapp.com. Requests toward my-ugly-url.herokuapp.com will be forwarded to my-custom.com by dnsmadeeasy. There are probably more such DNS services now. Yes, the chance of running an attack over both domains in parallel remains. But also my-ugly-url.herokuapp.com gets exposed in the DNS record.
If not, is there a way to remove the default domain or hide it somehow?
Officially 301 redirection, packet forwarding is also possible. There are ways to have a dedicated IP and forward TCP packets. They have 3 types of add-ons --
They are not always easy at the application level but probably safer than having such a naked subdomain open to all. PaaS is facing increasing DDoS now. That is a different matter.
Upvotes: 2
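An added example, not part of the answer above and not Heroku's or Cloudflare's code: a WSGI middleware that does the application-level 301 from the default herokuapp.com hostname to the custom domain and refuses any other Host value. The hostnames are the ones used in the answer; the class and helper names are assumptions. The dyno still answers every direct request, so this canonicalises traffic but does not hide the default domain.

```python
from urllib.parse import quote

REDIRECT_TO = "my-custom.com"  # custom domain proxied by Cloudflare
ALLOWED_HOSTS = {"my-custom.com", "www.my-custom.com", "app.my-custom.com"}
DEFAULT_HOSTS = {"my-ugly-url.herokuapp.com"}  # platform hostname that bypasses the proxy


def normalize_host(raw):
    """Lower-case the Host header value and drop any port and trailing dot."""
    host = (raw or "").strip().lower()
    return host.split(":")[0].rstrip(".")


class CanonicalHostMiddleware:
    """Hypothetical helper: pass allowed hosts, 301 the default host, 400 the rest."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        host = normalize_host(environ.get("HTTP_HOST"))
        if host in ALLOWED_HOSTS:
            return self.app(environ, start_response)
        if host in DEFAULT_HOSTS:
            # Location uses the fixed canonical name, never the client-supplied Host
            path = quote(environ.get("PATH_INFO") or "/", encoding="latin-1")
            query = environ.get("QUERY_STRING", "")
            location = "https://" + REDIRECT_TO + path + ("?" + query if query else "")
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]
        body = b"unknown host\n"
        start_response("400 Bad Request", [("Content-Type", "text/plain"),
                                           ("Content-Length", str(len(body)))])
        return [body]


def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def probe(host, path="/", query=""):
    """Send one constructed request through the middleware; return (status, headers)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    environ = {"REQUEST_METHOD": "GET", "HTTP_HOST": host,
               "PATH_INFO": path, "QUERY_STRING": query}
    b"".join(CanonicalHostMiddleware(demo_app)(environ, start_response))
    return seen["status"], seen["headers"]
```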