Facebook App Developers: Get Ready for New Secure Server Requirements
September 19, 2011
Facebook is taking another big step on October 1, not only moving to OAuth 2.0 exclusively and requiring iframe apps to process signed_request, but more importantly, that an iframe’s content be hosted on a secure server (SSL/HTTPS). What this means for Facebook developers is the web server their applications are stored on must be a secure one.
If you create apps using 3rd party Facebook services like Pagemodo, Involver or ShortStack, check the online documentation for it or get in touch with their support to make sure they’re prepared for the change, and assure your apps ongoing continue to work.
Those hosted on one of the larger providers may find they’re already configured for HTTPS, with a certificate they can piggyback off of assigned to the server’s default domain. A simple test for this is to change the protocol for a site’s url to https://. A certificate can only be assigned to one domain, so a connection like this can generate browser warnings about the visited domain not being on the certificate. In such cases, you don’t want your domain for the tab or canvas app URL, but rather the one on the certificate with the account as subdomain or ‘user account‘ directory (http://sample.com/~mydomain/ or similar). How this works varies between hosts, so you’d need to contact the provider if it’s not found in the account’s login details.
Finally, developers without an existing secure server but needing to host iframe apps will find themselves incurring additional costs—not all that costly in the scheme of things, but still an expense that wasn’t required before—as they’ll need an SSL certificate for the domain, as well as the site hosted on a server enabled for secure HTTP. Many web hosts provide the means to add both services but not all do, which will lead some facing the additional demand and expense of having to move to a new provider.
So, are you ready for Facebook’s new requirements?