Facebook Canvas Pages to Require SSL Certificates

8thAugust 2011 | Tags:

On the first of October, Facebook will make another change which could have a significant - and potentially costly - impact to your applications and pages. As part of its latest moves to increase security across the platform, in addition to OAuth adoption they will expect that your canvas applications to be hosted at a secure address (https). If a user browses to your page via https - and millions are beginning to change their settings so that they are - instead of your lovingly crafted content, they'll see the following warning:

Facebook warning: We can't display this content while you're viewing Facebook over a secure connection (https)
When viewing a page with a Canvas application hosted at a non-secure address, but when the user uses https for Facebook, they will see this message.

If you go to an application's settings, you'll notice a new option, Secure Canvas URL, with the footnote "Required: SSL Cert by October 1, 2011", pictured below.

Specifying a secure canvas URL for a Facebook application
Specifying a secure canvas URL for a Facebook application - see the last input box

In other words, the option is there already to specify a secure URL for your canvas application already, but by October 1st this will be a proviso, and that means you'll need to install an SSL certificate. This isn't trivial, and it's often not cheap - particularly if you have multiple pages / applications over a number of domains, and remember that the cheapest SSL certificates aren't necessarily supported by every browser. You can read Facebook's original announcement on their blog, as well as some feedback on the move here. Personally I agree with the developer that in many cases SSL just isn't necessary - particularly if all you're doing is displaying external content on a Facebook page. But this is the price for a more secure platform, it seems. There is one possible solution - a website has come to my attention called Social Server, which appears to host a Facebook application for you on a secure server. However I haven't tried it - if anyone has used it, do let me know in the comments.

Comments

    I’m not a fan of this change - for the company FB page I manage, I have created a few plain HTML canvas pages (I know there are free apps out there for it, but they don’t let you customize the icon AFAIK) and adding an SSL cert on my budget is a big shock.

    I’m a total noob to https - how will this work with embedded content (non-https) that is displayed through an https web page? (ie. - iframe embedded YouTube video, google map) Will this kick on the warning? I’m afraid I’m losing a great way of making FB work for our company through custom canvas content.

    10th August 2011
    Brian
    Brian

    When SSL certificate is $49/per it can be costly. It is like you have to pick one site; nurture it until it is successful; generate cash and then pay for another SSL certificate for your other fanpage. Is it me or is this crazy. I understand needing security.

    30th August 2011
    Sandra
    Sandra

    Hi there, thanks for the social-server.com suggestion.
    I went and tried it out and I must says its much easier than i thought it would be to make my pages viewable over SSL.
    Thanks again for the post! You saved me alot of time and money…
    Paul

    1st September 2011
    Paul Vallen
    Paul Vallen

    Came across a statement yesterday that people were making pages using Wordpress. That you could easily have a template with a width to fit FaceBook and then a couple of links. I thought, that I could do that. I could install WP in multiple sub-directories and then build custom landing pages, but adding in the issue of SSL is just one more thing. Like Brian said, what happens to an SSL page if it has embedded YouTube for example??? If this rule is retroactive, there are going to be a lot of broken pages on FaceBook.

    28th September 2011
    Mark
    Mark

    This is nuts. I manage a number of websites and FB business pages for clients. The websites are on a shared server and i can’t install SSL as the certificates validate the domains. I’d have to move every site that wanted a FB canvas page to its own hosting account and install an SSL? Ludicrous.
    I guess Facebook has gotten so freaking big it can do whatever it wants without thought to the people who are supporting it.

    17th January 2012
    Anonymous
    Anonymous

    I had been searching too and I found this app:
    Static HTML: iframe tabs. I can still pull content into my page. You just need to design your css and stuff. And another cool feature is the ability to use Javascript.

    11th February 2012
    Wayne Hatter
    Wayne Hatter

    The social server doesnt fulfill the secure canvas url as now facebook gives an error that the secure canvas should point to a directory (ending with '/') or a dynamic page (having '?' in between)

    19th February 2012
    Salil Mathur
    Salil Mathur

    I uses socialserver and and all looked good.

    THEN - a obtrusive popup ad appears OVER my canvas content!

    1st April 2012
    Anonymous
    Anonymous

    Guys ! i am very new in facebook apps and try to make a new facebook app since last 2 days but i havn’t any solution for secure canvas url how i can done my job ……give me any solution
    thnx.

    7th December 2012
    jitender kumar
    jitender kumar

    wow what a wonderful post and I am very happy to read this.

    Facebook Apps

    7th January 2013
    Facebook Apps
    Facebook Apps

    Thank you for the article, it was very informative, it helped me a lot, I did see Social Server cost money nowadays, they ask 40 pounds ouch!!.

    I did end up finding a website that do give you a Https Url Address for Facebook developers..the BIG difference is they are the cheapest , add free and their Https Facebook Url Address works with any Facebook Tab and Application Iframe Canvas.

    If anyone else need one go to
    https://www.shopactivate.com/FacebookSSLConnection.aspx

    They give you a Https Facebook Address that works with any Facebook Tab and Application Iframe Canvas. you just add their Https address into YOUR Facebook application settings on facebook and they redirect seamlessly users to your application (without any one notice it). I thought I should share this since we all have difficulties with facebook. Good luck!!

    30th March 2013
    Jake
    Jake