As of Saturday, October 1, Facebook will require ALL applications and page tabs to support HTTPS secure hosting, to “ensure that users browsing Facebook over HTTPS will have a great experience over a secure connection.”
What will happen to Page tabs that aren’t secure, starting October 1?
Facebook hasn’t officially detailed what exactly will happen to apps and Page tabs that don’t have a secure URL, only that “You must provide an SSL certificate in the Dev App settings to avoid having your app disabled.”
However, on this Facebook Developer Blog thread today, Facebook’s Cat Lee stated: “The content will not be accessible for users with secure browsing turned on. There will be a page that states something close to: This app does not support secure browsing (Learn More).”
OAuth 2.0 Migration — for Apps Requiring Authentication ONLY
Also, as of Saturday, Facebook will only support OAuth 2.0 for authenticating users on applications. If you haven’t created an application that requires the “Allow” screen, the OAuth 2.0 migration shouldn’t affect you or your Page tabs.
What you need to do to make your app or page tab secure
Your app canvas page or page tab’s iframed page must be hosted on a server that has an SSL security certificate.
IMPORTANT: If you’re using a tab-creation app like TabPress, Static HTML or Lujure, you don’t have to worry about the secure hosting of your canvas/index page. Those and the other apps like them should have already taken care of this. I know the above-mentioned have. HOWEVER, any images or scripts you inline on your tab via <img /> or <style /> or <embed /> (video), will need to be securely hosted and called with HTTPS.
SSL is the “Secure Socket Layer” protocol which is responsible for creating secure communication between a user’s browser and the website they’re viewing. This is done by both server and client authentication and the negotiation of an encryption algorithm and cryptographic keys.
There are two types of SSL certificates — shared and private/dedicated.
Shared SSL Security Certificate
A shared SSL certificate will always be the most inexpensive option, as your site shares one SSL certficate with all the other sites on your shared server. This would NOT be a good solution for an e-commerce site, but for simply satisfying Facebook’s requirement that your page be hosted securely it’s fine.
Some hosts offer the shared certificate option and some do not. You’ll have to check.
Private / Dedicated SSL Security Certificate
A private SSL certificate is tied specifically to your domain (www.YourDomain.com), and requires that your domain has a unique IP address (Example 126.96.36.199) associated with the domain.
Private SSL certificates are more costly, but not prohibitively so. Many hosting plans offer an upgrade to an SSL certificate and unique IP beginning around $5/month.
How do I set my secure URL for my Facebook application or Page tab?
In Facebook’s constantly changing developer app interface you’ll see this when creating your Page app:
Note that the “Secure Page Tab URL” uses “https” instead of “http” — URLs must be specified this way in order to trigger the encryption.
You should also put your tab URLs in the “App on Facebook” fields:
<img src="https://www.your-domain.com/images/your-image.gif" />
<img src="/images/your-image.gif" />
The leading forward slash for root-relative URLs indicates the document root of your server, the level where your home page file is located.
What about Static FBML tabs and SSL / HTTPS?
Static FBML custom tabs shouldn’t be affected at all by the HTTPS requirement as all content for these tabs is cached and served on Facebook servers.
However, because the Static FBML app is deprecated and will eventually be disabled, it’s advisable to convert your Static FBML tabs to iFrame Page tabs sooner rather than later.
What about FBML apps and SSL / HTTPS?
Facebook has addressed this on the Developer Blog:
We have heard that there is some confusion about whether FBML apps must support HTTPS. FBML developers still need to know whether users are browsing Facebook over a secure connection since they need to detect whether to serve iframe or video content over HTTPS. As a result, FBML apps must obtain SSL certificates in order to serve this type of content to users browsing over a secure connection. If you have an FBML app, please obtain an SSL certificate for your app to receive traffic from users browsing Facebook over a secure connection.
If you enable SSL for your FBML app, please make sure that your SSL certificate includes all intermediate certificates in the chain of trust as our SSL validation is strict. You can use third-party SSL analysis tools (e.g., https://www.ssllabs.com/index.html) to check your certificate status and fix any errors (and warnings). If your SSL certificate has problems, you may see “Empty response received” error when you load your FBML canvas app.
Questions about HTTPS secure browing requirement?
If you have questions about this, just ask in the comments section, below.
Remember, this is basically a good thing!