On Oct 10, 2011, Facebook required all apps to supply a url beginning with HTTPS in order to provide users with SSL protection.
- Not all developers have their own web hosting and an even fewer portion own SSL certificates.
– You can try inputting a HTTP starting address into the Secure Canvas URL, but nothing will happen if you do.
- Or you can try inputting a HTTP starting address into the Secure Page Tab URL. Facebook will accept it, but when users with “force HTTPS” on try to view the tab, Facebook wil automatically replace HTTP with HTTPS.
Option A: You can purchase or snag a SSL certificate for ~ $50.
Lowdown: Often needs extra money, needs to be paid every year.
Option B: Get a CAcert certificate. May throw scary errors for visitors. 
It is not trusted by browsers, but does encrypt the data. 
*Lowdown: Does the job, but some users may have reservations. *
When users with HTTPS enabled visit your app, we will load the iFrame using the secure URL you specify. Facebook Developer Blog
Option C: For those whose hosts provide some shared SSL support, it’s easy.
Utilize the shared SSL url or whatever steps needed for it. In this example, we’ll use Hostmonster.
We will be attempting to use the page here, on another account, in a facebook app.
Using the spotty shared SSL service, the page may not look good. This is especially the case when the page’s resources are not setup for use with SSL.
So we will need to link every resource using the format that the webhost (Hostmonster) has specified
https://secure.hostmonster.com/~<em>msjasbor</em>/<em>resources</em>/...
The page runs on WordPress and has a theme installed, which makes you hunt down every resource used. Maybe you have something better to do.
In the end, who’s going to want to spy on your activity when you are viewing an ASB website?
Rather than relink everything, we can utilize a .htaccess redirect.
Port 443 is the default port for HTTPS connections. Whenever a server requests info from port 443, we will redirect them to port 80, the default HTTP port.
Here is the text for the .htaccess file that resides IN the directory that the secure url goes to.
Options +FollowSymlinks<br />
Options +SymLinksIfOwnerMatch<br />
RewriteEngine on<br />
RewriteCond %{SERVER_PORT} ^443$<br />
RewriteRule ^(.*)$ <em>http://msjasb.org/clubportal</em>$1 [R=301,L]
In this case the secure url given to Facebook is
https://secure.hostmonster.com/~msjasbor/clubportal/
and we redirect it to http://msjasb.org/clubportal
Some browsers will alert that the connection is only partially encrypted.
*Lowdown: NO ENCRYPTION, but saves hassle and is a quick fix for data that is not sensitive. Apparently the Facebook PHP SDK uses port 443, so redirecting port 443 may impact integration. You may want to let only Facebook traffic through port 443 and let other traffic through port 80. *
Oct 1st, 2011 has long passed and Facebook publicizes the benefits of forcing SSL (when available) for its users. Thinking
Oh, most users probably won’t use SSL.
will not suffice.
Those who have enough computing knowledge to use Facebook apps will have the commonsense to switch over to SSL. Not giving Facebook anything for a secure URL will
display a confirmation page to let HTTPS users switch to HTTP and continue to your app. Facebook Developer Blog
Remember that you use Option C at your own risk, especially when handling data that you would not want strangers to have. Option C is viable if you’re comfortable with the world seeing everything, such as announcements and promotions.
