18👍
Warning: Possibly Out of Date
The settings.py below represents the contents of Heroku’s docs when this answer was originally written in 2015. While I am relatively sure the ALLOWED_HOSTS setting presented here is safe, please consult the up-to-date docs before copying any of the rest of these settings!
Original answer follows. See below for more information.
This is exactly what you are supposed to do, per Getting Started with Django on Heroku:
settings.py
# Parse database configuration from $DATABASE_URL
import dj_database_url
DATABASES['default'] = dj_database_url.config()
# Honor the 'X-Forwarded-Proto' header for request.is_secure()
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
# Allow all host headers
ALLOWED_HOSTS = ['*']
# Static asset configuration
import os
BASE_DIR = os.path.dirname(os.path.abspath(__file__))
STATIC_ROOT = 'staticfiles'
STATIC_URL = '/static/'
STATICFILES_DIRS = (
    os.path.join(BASE_DIR, 'static'),
)
2018 Update
The link above no longer works, as Heroku formats their Getting Started docs a bit differently these days, providing pre-built example repos rather than code samples in the docs. The current Python Getting Started Repo has ALLOWED_HOSTS = [], but also DEBUG = True, which according to the Django 2.1 docs triggers a special case where
ALLOWED_HOSTS = ['localhost', '127.0.0.1', '[::1]']
Since DEBUG = True is not recommended or a good idea at all in production, the original recommendation in this answer still stands as a production-ready solution for a Heroku app. Be sure you read and understand Charlie Weems’ brief answer before deciding what to do.
Full Disclosure: I have not built a production Heroku app in a recent version of Django. YMMV 🙂
22👍
Note that Heroku removed ['*'] from the getting started guide in December 2017.
I recommend setting ALLOWED_HOSTS = ['.herokuapp.com'].
Even though Heroku’s domain service is providing this protection, specifying the setting will be a reminder to update the configuration if moved to another hosting service.
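To compare the two settings discussed in the answers above, here is an added example (not code from either answer, Heroku or Django) that reimplements the ALLOWED_HOSTS matching rules described in Django's documentation using only the standard library, and builds the list from an environment variable. The variable name DJANGO_ALLOWED_HOSTS and both function names are assumptions made for illustration.

```python
# Added example: stdlib-only sketch, not Heroku's or Django's own code.
import os


def host_allowed(host, allowed_hosts):
    """Apply Django's documented ALLOWED_HOSTS rules to a bare host name.

    '*' matches anything, a leading dot matches the domain and all of its
    subdomains, and any other entry must match exactly (case-insensitive).
    """
    host = host.lower().rstrip(".")
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*":
            return True
        if pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def allowed_hosts_from_env(environ=os.environ, debug=False):
    """Build ALLOWED_HOSTS from DJANGO_ALLOWED_HOSTS (hypothetical variable name).

    Falls back to ['.herokuapp.com'] and refuses a wildcard outside debug so
    the setting cannot silently revert to accepting every Host header.
    """
    raw = environ.get("DJANGO_ALLOWED_HOSTS", ".herokuapp.com")
    hosts = [h.strip() for h in raw.split(",") if h.strip()]
    if "*" in hosts and not debug:
        raise ValueError("'*' in ALLOWED_HOSTS is only accepted when debug=True")
    return hosts


# Constructed sample Host header values (port already stripped).
SAMPLE_HOSTS = ["myapp.herokuapp.com", "herokuapp.com", "evil.example",
                "herokuapp.com.evil.example"]

if __name__ == "__main__":
    for label, allowed in (("wildcard", ["*"]),
                           ("restricted", allowed_hosts_from_env({}))):
        for h in SAMPLE_HOSTS:
            print(f"{label:10} {h:28} -> {host_allowed(h, allowed)}")
```

In a real settings.py the result would be assigned with ALLOWED_HOSTS = allowed_hosts_from_env(debug=DEBUG), so moving to another host only requires changing the environment variable.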