Facebook App Developers: Get Ready for New Secure Server Requirements

September 19, 2011

This past spring, Facebook enacted major changes to its platform, including how developers can create and add “fan” pages and other customized content. Out went FBML, its somewhat proprietary (and somewhat limited) markup language. Staying is iframes—or in Facebook’s glossary, iframe apps—with the ability to incorporate standard web resources into Facebook using HTML and CSS, JavaScript, PHP, Python, .NET, and just about any language or utility used in web development. Such openness naturally brings a demand for security, and Facebook’s first step in that direction was adding OAuth 2.0 support for apps that require user authentication and authorization.

Facebook is taking another big step on October 1: not only moving to OAuth 2.0 exclusively and requiring iframe apps to process signed_request, but, more importantly, requiring that an iframe’s content be hosted on a secure server (SSL/HTTPS). What this means for Facebook developers is that the web server their applications are stored on must be a secure one, that is, one that serves the app over HTTPS.
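The signed_request mentioned above arrives as a POST parameter when Facebook loads a canvas or tab app, and an app that "processes" it must verify the signature before trusting anything in it. The following is an added example, not code from the original post or from Facebook's own SDKs: it implements the documented format (a base64url-encoded HMAC-SHA256 signature, a dot, then the base64url-encoded JSON payload, with the HMAC computed over the still-encoded payload string using the App Secret) and rejects tampered, mis-signed or malformed requests. The App Secret and the payload fields here are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for this example only; a real app uses the App Secret from
# its Facebook developer settings and keeps it server-side.
APP_SECRET = "example-app-secret-do-not-use"


def b64url_decode(text: str) -> bytes:
    """Decode base64url; Facebook omits the trailing '=' padding, so restore it first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw: bytes) -> str:
    """Encode as base64url without padding, matching what Facebook sends."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def parse_signed_request(signed_request: str, app_secret: str) -> Optional[dict]:
    """Return the decoded payload if the HMAC-SHA256 signature verifies, else None.

    Format: "<base64url(sig)>.<base64url(json payload)>", where
    sig = HMAC-SHA256(key=app_secret, msg=base64url(json payload)).
    """
    if "." not in signed_request:
        return None
    encoded_sig, encoded_payload = signed_request.split(".", 1)
    try:
        sig = b64url_decode(encoded_sig)
        data = json.loads(b64url_decode(encoded_payload))
    except (ValueError, TypeError):  # malformed base64 or JSON
        return None
    # Only accept the algorithm we expect; never let the request choose it.
    if not isinstance(data, dict) or str(data.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    expected = hmac.new(app_secret.encode("utf-8"), encoded_payload.encode("utf-8"),
                        hashlib.sha256).digest()
    # Constant-time comparison so a timing difference cannot reveal how many bytes matched.
    if not hmac.compare_digest(sig, expected):
        return None
    return data


def make_signed_request(payload: dict, app_secret: str) -> str:
    """Build a signed_request the way Facebook's servers would; used here only to construct input."""
    encoded_payload = b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(app_secret.encode("utf-8"), encoded_payload.encode("utf-8"),
                   hashlib.sha256).digest()
    return b64url_encode(sig) + "." + encoded_payload


def tamper_payload(signed_request: str, **changes) -> str:
    """Alter payload fields but keep the original signature, to show the verifier rejects it."""
    encoded_sig, encoded_payload = signed_request.split(".", 1)
    data = json.loads(b64url_decode(encoded_payload))
    data.update(changes)
    return encoded_sig + "." + b64url_encode(json.dumps(data, separators=(",", ":")).encode("utf-8"))


if __name__ == "__main__":
    # Constructed payload resembling what a canvas or tab app receives by POST.
    req = make_signed_request(
        {"algorithm": "HMAC-SHA256", "issued_at": 1316390400, "user_id": "12345"}, APP_SECRET)
    print("valid:   ", parse_signed_request(req, APP_SECRET))
    print("tampered:", parse_signed_request(tamper_payload(req, user_id="99999"), APP_SECRET))
```

In a real app the `signed_request` string is read from the POST body and the App Secret from server configuration; a `None` result should be treated as an unauthenticated request, not as an anonymous user.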

If you create apps using third-party Facebook services like Pagemodo, Involver or ShortStack, check the service’s online documentation or get in touch with its support to make sure it is prepared for the change and that your apps will continue to work.

Those hosted on one of the larger providers may find they’re already configured for HTTPS, with a certificate assigned to the server’s default domain that they can piggyback off of. A simple test for this is to change the protocol of a site’s URL to https://. A certificate can only be assigned to one domain, so a connection like this can generate browser warnings about the visited domain not being on the certificate. In such cases, you don’t want to use your own domain for the tab or canvas app URL, but rather the one on the certificate, with your account as a subdomain or ‘user account’ directory (http://sample.com/~mydomain/ or similar). How this works varies between hosts, so you’d need to contact the provider if it’s not found in the account’s login details.
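The browser warning described above comes from a hostname mismatch: the name the browser connected to is not among the DNS names on the certificate. The check below is an added example, not part of the original post, that applies the same matching rule a browser does (case-insensitive, label by label) to a set of candidate app URLs, so you can see ahead of time which URL form a shared host's certificate will cover. The certificate names are constructed for the example; in practice you would read them from the certificate shown in the browser's certificate viewer. It goes a little beyond the single-domain case in the text by also handling the wildcard names some hosts use.

```python
from typing import Dict, Iterable, List
from urllib.parse import urlparse


def _wildcard_ok(pattern_labels: List[str]) -> bool:
    """Allow '*' only as the whole leftmost label with at least two labels after it,
    so '*.sample.com' is accepted but '*.com' and 'app*.sample.com' are not."""
    if "*" not in "".join(pattern_labels):
        return True
    return (pattern_labels[0] == "*"
            and len(pattern_labels) >= 3
            and not any("*" in lbl for lbl in pattern_labels[1:]))


def cert_covers_hostname(hostname: str, cert_dns_names: Iterable[str]) -> bool:
    """True if any DNS name on the certificate matches the host the browser connected to.

    Simplified RFC 6125 rules: case-insensitive, label-by-label comparison, and a
    wildcard matches exactly one label. A False result is what triggers the warning.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in cert_dns_names:
        pattern_labels = name.lower().rstrip(".").split(".")
        if len(pattern_labels) != len(host_labels) or not _wildcard_ok(pattern_labels):
            continue
        if all(p == "*" or p == h for p, h in zip(pattern_labels, host_labels)):
            return True
    return False


def https_check(urls: Iterable[str], cert_dns_names: Iterable[str]) -> Dict[str, bool]:
    """Map each candidate app URL to whether the host's certificate covers its hostname."""
    names = list(cert_dns_names)
    return {url: cert_covers_hostname(urlparse(url).hostname or "", names) for url in urls}


if __name__ == "__main__":
    # Constructed certificate names for a shared host whose default domain is sample.com.
    HOST_CERT_NAMES = ["sample.com", "*.sample.com"]
    candidates = [
        "https://mydomain.com/fb-tab/",           # your own domain: not on the cert, warning
        "https://sample.com/~mydomain/fb-tab/",   # host's domain plus user-account directory: covered
        "https://mydomain.sample.com/fb-tab/",    # account as subdomain: covered by the wildcard
        "https://deep.mydomain.sample.com/",      # wildcard matches one label only: warning
    ]
    for url, ok in https_check(candidates, HOST_CERT_NAMES).items():
        print("OK     " if ok else "WARNING", url)
```

Whichever URL form passes is the one to enter as the tab or canvas URL; a form that fails here will fail in users' browsers too, and inside a Facebook iframe the user usually just sees a blank frame rather than the warning.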

Finally, developers without an existing secure server but needing to host iframe apps will find themselves incurring additional costs—not all that costly in the scheme of things, but still an expense that wasn’t required before—as they’ll need an SSL certificate for the domain, as well as the site hosted on a server enabled for secure HTTP. Many web hosts provide the means to add both services but not all do, which will leave some facing the additional demand and expense of having to move to a new provider.

So, are you ready for Facebook’s new requirements?
