You will have to pay Heroku for the add-on, acquire an SSL cert, and install it according to their instructions. Note also that you should probably avoid installing SSL at the apex, and redirect any apex traffic to the subdomain you do choose (e.g. www).

Using CloudFlare is a reasonable approach to avoid paying Heroku's charges, though the certificate that's presented will not be your own. You can make the choice about whether it's worth the money.

The simplest and cheapest way is to upgrade from Free to Hobby Dynos, it will cost a maximum of 7$/month for a small app, and actually probably much less because the price is prorated to the time your Dyno will run per month.(https://www.heroku.com/pricing) This is much cheaper than the 20$/month to get the SSL Heroku add-on.

Once you have upgraded your plan from Free to Hobby, things are pretty straightforward:

• Go to your app on Heroku, go to settings, scroll down to domains and certificates, and add your domain: www.yourdomain.com
• This will automatically give you a DNS target as such www.yourdomain.com.herokudns.com
• In your Domain Host:
  • Add a CNAME record using this DNS target, for instance on Godaddy as such: Type: CNAME Name: www. Value: www.yourdomain.com.herokudns.com
  • Add a redirect action from your root domain (yourdomain.com) to www.yourdomain.com

Allow a few hours for the DNS changes to propagate, and you're all set!