The Express request object has a secure boolean attribute. When secure=true, the request is on https. However, for apps hosted on Heroku, the request.secure will always be false. So, we need a further step to redirect users to https.

Heroku header

Indeed, Heroku forwards an http header that allow us to detect the secure attribute. On Heroku, request.header('x-forwarded-proto') will contain the actual protocol string (i.e., http or https).

Express middleware for HTTPS redirect

If you’re using the Express framework, then you can use the app.use() functionality to specify a middleware. Since Heroku already implemented HTTPS in the production environment, we can use the process.env.NODE_ENV to check for prod:

if (process.env.NODE_ENV === 'production') {
    app.use((req, res, next) => {
        if (req.header('x-forwarded-proto') !== 'https') {
            res.redirect(`https://${req.header('host')}${req.url}`)
        } else {
            next()
        }
    })
}

This middleware could be more selective per route if you wanted. And you could even enhance the middleware to use inspect both the http header and the Express secure flag.