In short, you don't need an SSL certicate on Heroku at all, but
Cloudflare settings need to be
- SSL/TLS encryption mode is Flexible.
- Page Rules. You can only set 3 for free for a given domain name.
- Always Use HTTPS
It is related to this post, where he uses WordPress (and the correlated MySQL / AWS S3.)
This website, with CORS-enabled public OpenAPI, actually. (Some other securities I put in are Helmet and Rate-Limiting, as well as database user being read-only.)