Facebook Canvas Pages to Require SSL Certificates

8th August 2011 | Tags:

On the first of Octo­ber, Face­book will make another change which could have a sig­nif­i­cant — and poten­tially costly — impact to your appli­ca­tions and pages. As part of its lat­est moves to increase secu­rity across the plat­form, in addi­tion to OAuth adop­tion they will expect that your can­vas appli­ca­tions to be hosted at a secure address (https). If a user browses to your page via https — and mil­lions are begin­ning to change their set­tings so that they are — instead of your lov­ingly crafted con­tent, they’ll see the fol­low­ing warning:

Facebook warning: We can't display this content while you're viewing Facebook over a secure connection (https)
When view­ing a page with a Can­vas appli­ca­tion hosted at a non-​secure address, but when the user uses https for Face­book, they will see this message.

If you go to an application’s set­tings, you’ll notice a new option, Secure Can­vas URL, with the foot­note “Required: SSL Cert by Octo­ber 1, 2011″, pic­tured below.

Specifying a secure canvas URL for a Facebook application
Spec­i­fy­ing a secure can­vas URL for a Face­book appli­ca­tion — see the last input box

In other words, the option is there already to spec­ify a secure URL for your can­vas appli­ca­tion already, but by Octo­ber 1st this will be a pro­viso, and that means you’ll need to install an SSL cer­tifi­cate. This isn’t triv­ial, and it’s often not cheap — par­tic­u­larly if you have mul­ti­ple pages /​appli­ca­tions over a num­ber of domains, and remem­ber that the cheap­est SSL cer­tifi­cates aren’t nec­es­sar­ily sup­ported by every browser. You can read Facebook’s orig­i­nal announce­ment on their blog, as well as some feed­back on the move here. Per­son­ally I agree with the devel­oper that in many cases SSL just isn’t nec­es­sary — par­tic­u­larly if all you’re doing is dis­play­ing exter­nal con­tent on a Face­book page. But this is the price for a more secure plat­form, it seems. There is one pos­si­ble solu­tion — a web­site has come to my atten­tion called Social Server, which appears to host a Face­book appli­ca­tion for you on a secure server. How­ever I haven’t tried it — if any­one has used it, do let me know in the comments.

Comments

    I’m not a fan of this change - for the company FB page I manage, I have created a few plain HTML canvas pages (I know there are free apps out there for it, but they don’t let you customize the icon AFAIK) and adding an SSL cert on my budget is a big shock.

    I’m a total noob to https - how will this work with embedded content (non-https) that is displayed through an https web page? (ie. - iframe embedded YouTube video, google map) Will this kick on the warning? I’m afraid I’m losing a great way of making FB work for our company through custom canvas content.

    10th August 2011
    Brian
    Brian

    When SSL certificate is $49/per it can be costly. It is like you have to pick one site; nurture it until it is successful; generate cash and then pay for another SSL certificate for your other fanpage. Is it me or is this crazy. I understand needing security.

    30th August 2011
    Sandra
    Sandra

    Hi there, thanks for the social-server.com suggestion.
    I went and tried it out and I must says its much easier than i thought it would be to make my pages viewable over SSL.
    Thanks again for the post! You saved me alot of time and money…
    Paul

    1st September 2011
    Paul Vallen
    Paul Vallen

    Came across a statement yesterday that people were making pages using Wordpress. That you could easily have a template with a width to fit FaceBook and then a couple of links. I thought, that I could do that. I could install WP in multiple sub-directories and then build custom landing pages, but adding in the issue of SSL is just one more thing. Like Brian said, what happens to an SSL page if it has embedded YouTube for example??? If this rule is retroactive, there are going to be a lot of broken pages on FaceBook.

    28th September 2011
    Mark
    Mark

    This is nuts. I manage a number of websites and FB business pages for clients. The websites are on a shared server and i can’t install SSL as the certificates validate the domains. I’d have to move every site that wanted a FB canvas page to its own hosting account and install an SSL? Ludicrous.
    I guess Facebook has gotten so freaking big it can do whatever it wants without thought to the people who are supporting it.

    17th January 2012
    Anonymous
    Anonymous

    I had been searching too and I found this app:
    Static HTML: iframe tabs. I can still pull content into my page. You just need to design your css and stuff. And another cool feature is the ability to use Javascript.

    11th February 2012
    Wayne Hatter
    Wayne Hatter

    The social server doesnt fulfill the secure canvas url as now facebook gives an error that the secure canvas should point to a directory (ending with '/') or a dynamic page (having '?' in between)

    19th February 2012
    Salil Mathur
    Salil Mathur

    I uses socialserver and and all looked good.

    THEN - a obtrusive popup ad appears OVER my canvas content!

    1st April 2012
    Anonymous
    Anonymous

    Guys ! i am very new in facebook apps and try to make a new facebook app since last 2 days but i havn’t any solution for secure canvas url how i can done my job ……give me any solution
    thnx.

    7th December 2012
    jitender kumar
    jitender kumar

    wow what a wonderful post and I am very happy to read this.

    Facebook Apps

    7th January 2013
    Facebook Apps
    Facebook Apps

    Thank you for the article, it was very informative, it helped me a lot, I did see Social Server cost money nowadays, they ask 40 pounds ouch!!.

    I did end up finding a website that do give you a Https Url Address for Facebook developers..the BIG difference is they are the cheapest , add free and their Https Facebook Url Address works with any Facebook Tab and Application Iframe Canvas.

    If anyone else need one go to
    https://www.shopactivate.com/FacebookSSLConnection.aspx

    They give you a Https Facebook Address that works with any Facebook Tab and Application Iframe Canvas. you just add their Https address into YOUR Facebook application settings on facebook and they redirect seamlessly users to your application (without any one notice it). I thought I should share this since we all have difficulties with facebook. Good luck!!

    30th March 2013
    Jake
    Jake

Links and images are allowed, but please note that rel="nofollow" will be automactically appended to any links.