Ce site est disponible en


The day I stopped using Heroku

I am a fullstack dev.

It means my goal is to master as many skills as possible to help people building web-based products. This includes front/back-end development of course, but also many other adjacent topics like UX/UI, technical architecture, hiring, networking, strategy, technological watch and so on. But from the very beginning, there has been one topic I chose not to dig into: Devops.

Gladly, I have never had to worry about this black sheep during my first four years doing web development thanks to the magical git push heroku master that the so-called service brilliantly provided. Easy as pie, and with a nice free plan to host random hacks, in progress projects or staging environments, without having to worry about anything, not even paying.

Of course we used it to host the startup I cofounded, Copass, despite the still increasing ~$200 we are now billed every month.

But all this was before May 24th 2016.

Account suspended

It was 10PM European time, I’m about to go to sleep, when my partner tells me it is not possible to sign in Copass anymore. After some quick status checks, I try to log in my Heroku account and receive the following message:

Your account has been suspended. If you believe this is an error please contact support.

Checking further, I understand that:

  • For the Copass apps, whose I’m not the only app owner, only GET requests were accepted. All POST queries were receiving a Heroku::API::Errors::Unauthorized error.
  • All my personal apps had been shut down.

As the message suggested, I went to Heroku Support which ridiculously asks to log in first in order to recover login rights. This took me to write the following angry tweet:

In despair, I randomly tried to write to support@heroku.com and got more success. 30 minutes later, I received the following answer:

Your account was suspended because one of your apps, google-doc-publisher, was reported as a phishing site and was blacklisted by multiple sources.

Reading this, I first thought it was a mistake. The Google Docs Publisher scrapes a published-to-the-web Google Docs to wrap it in a better-styled iframe. Maybe someone did not understand how it worked and naively reported it as phishing. I quickly argued to Heroku that the app ain’t any malicious and even got featured on Product Hunt.

But instead of poursuing the discussion, Heroku left me unanswered for the next 24 hours. No need to mention that I went mad, accusing some unfair conspiracy against well-intended independent developers that bring useful app to the world. :-) Besides, I spent my day migrating my apps to another host, starting with gdoc.pub to reduce my users inconvenience.

Waiting for 24 hours


The next day, I finally got an explanation. My app had been used to create the following phishing Google Docs. No need to precise that the link did not aim at the anchored URL.

Phishing Google Docs

When I received the link, I immediately understood what happened. It completely makes sense want try to block the access to this URL as soon as possible. In fact, Chrome had already set a warning on the page:

Phishing Chrome Warning

Of course, I am partly responsible of the existence of this page. To prevent this to happen again, I added my own phishing report process in the docs footer so users don’t have to report at the host level.

Google Docs Publisher footer

And once blocked, gdoc.pub returns:

Google Docs Publisher phishing confirmed


That said, I am still resentful toward Heroku:

  • They blocked or turned down all my apps.
  • It took them 24 hours to send me a single link, which was enough to explain everything.
  • While reaching support, there have been human interventions, the process is not 100% automated. Someone should have realized that I was open to discussion and that I had good reasons to defend myself. I was far from the hidden-silent-proxied-malicious-hacker kind of guy. The sanction was obviously too strong for the situation.
  • They haven’t given even a single word of excuse afterwards.

You may call me a sensitive person. You may think this kind of situation happens too often on the Heroku side and they don’t have the time to handle cases one by one. But think twice about it: those apps are my work.

  1. I cannot afford that they are taken down because one page in one of my app got abused. I need control on my work availability, and not to depend on some too-quickly evaluated-by-a-private-company criteria.

  2. I cannot stand being the single victim of the story. I build apps because I think they can be useful to others, being used by dishonest users doesn’t mean the app should not exist at all.

  3. I refuse to be the user of a service that is not on its customers’ side. Had they been helpful and comprehensive, the whole thing could have lasted less than one hour. Instead, they chose, just like many empowered organizations, authority over assistance. Is it really how we want things to work?

For those reasons, I won’t be using Heroku anymore.

Thankfully Docker is now here. I have been playing around with it for quite some time to set up a development environment. Migration hasn’t been so painful. In the future I might have to sometimes do some maintenance work, but anyways for $10/month I can host as many apps as I want, instead of using the not-so-useful-anymore-heroku-free-plan.

Docker vs Heroku

After all, I’m a fullstack dev and now, I can also help with devops tasks too. So should you?