Bypassing Facebook's SSL Requirement for Apps and Page Tabs

On Oct 10, 2011, Facebook required all apps to supply a url beginning with HTTPS in order to provide users with SSL protection.

- Not all developers have their own web hosting and an even fewer portion own SSL certificates.
– You can try inputting a HTTP starting address into the Secure Canvas URL, but nothing will happen if you do.

It’s not like that would work.

- Or you can try inputting a HTTP starting address into the Secure Page Tab URL. Facebook will accept it, but when users with “force HTTPS” on try to view the tab, Facebook wil automatically replace HTTP with HTTPS.


That sure turned out great.
So we have to input a HTTPS url for the app.

Option A: You can purchase or snag a SSL certificate for ~ $50.

Lowdown: Often needs extra money, needs to be paid every year.

Option B: Get a CAcert certificate. May throw scary errors for visitors. Chrome warningIt is not trusted by browsers, but does encrypt the data. Still encrypted

*Lowdown: Does the job, but some users may have reservations. *

When users with HTTPS enabled visit your app, we will load the iFrame using the secure URL you specify. Facebook Developer Blog

Facebook may require a HTTPS url, but it doesn’t mean that we can’t load unencrypted resources or redirect to whole different page afterwords.

Option C: For those whose hosts provide some shared SSL support, it’s easy.
spotty sslUtilize the shared SSL url or whatever steps needed for it. In this example, we’ll use Hostmonster.
We will be attempting to use the page here, on another account, in a facebook app.
Using the spotty shared SSL service, the page may not look good. This is especially the case when the page’s resources are not setup for use with SSL.

So we will need to link every resource using the format that the webhost (Hostmonster) has specified<em>msjasbor</em>/<em>resources</em>/...
The page runs on WordPress and has a theme installed, which makes you hunt down every resource used. Maybe you have something better to do.
In the end, who’s going to want to spy on your activity when you are viewing an ASB website?
Rather than relink everything, we can utilize a .htaccess redirect.

Port 443 is the default port for HTTPS connections. Whenever a server requests info from port 443, we will redirect them to port 80, the default HTTP port.

Here is the text for the .htaccess file that resides IN the directory that the secure url goes to.

Options +FollowSymlinks<br /> Options +SymLinksIfOwnerMatch<br /> RewriteEngine on<br /> RewriteCond %{SERVER_PORT} ^443$<br /> RewriteRule ^(.*)$ <em></em>$1 [R=301,L]

In this case the secure url given to Facebook is
and we redirect it to

pseudo ssl

Some browsers will alert that the connection is only partially encrypted.

*Lowdown: NO ENCRYPTION, but saves hassle and is a quick fix for data that is not sensitive. Apparently the Facebook PHP SDK uses port 443, so redirecting port 443 may impact integration. You may want to let only Facebook traffic through port 443 and let other traffic through port 80. *

Oct 1st, 2011 has long passed and Facebook publicizes the benefits of forcing SSL (when available) for its users. Thinking

Oh, most users probably won’t use SSL.

will not suffice.
Those who have enough computing knowledge to use Facebook apps will have the commonsense to switch over to SSL. Not giving Facebook anything for a secure URL will

display a confirmation page to let HTTPS users switch to HTTP and continue to your app. Facebook Developer Blog

Remember that you use Option C at your own risk, especially when handling data that you would not want strangers to have. Option C is viable if you’re comfortable with the world seeing everything, such as announcements and promotions.

Anson Liu