Keeping Users Safe
by Alex Rice - May 13, 2011 at 6:00pm

Earlier this week, we updated our Developer Roadmap to require the use of OAuth 2.0 and HTTPS. These updates are part of a continual process to make our Platform more secure for developers and users. Over the past few days, we received several questions from developers about these updates. We wanted to provide more context around why we are requiring these changes and how we can work together to provide a safer online experience.

As the web evolves, expectations around security change. For example, HTTPS -- once a technology used primarily on banking and e-commerce sites -- is now becoming the norm for any web app that stores user information. We feel that HTTPS is an essential option to protect the security of Facebook accounts, and since Apps on Facebook are an important part of the site, support for HTTPS in your app is critical to ensure user security.

As an app developer, you can help us by:

  • Acquiring an SSL Certificate. Contrary to some feedback we’ve heard, acquiring an SSL certificate is relatively inexpensive, and the ongoing cost of supporting SSL for most apps is low. The sooner your app supports HTTPS the more secure our platform will become. All Apps on Facebook (Canvas and Page Tabs) must support HTTPS by October 1.
  • Reviewing the Authentication guide and implement OAuth. This updated authentication guide walks you through the OAuth 2.0 flow and how to implement OAuth with CSRF protection. Our new OAuth flows provide a more secure and reliable way to obtain access_tokens than our legacy authentication flows. All apps must support the new OAuth flows by September 1.
  • Reviewing our Platform policies. It is your responsibility to stay updated on our current policies in all aspects of your app or website. To make this even easier, we recently created a policy checklist to get you started. Please make sure that your app is not transferring any data (including UIDs or Access Tokens) to third party apps.

We take the safety and security of Facebook users extremely seriously and have been working on a number of different initiatives to keep our shared users safe:

  • Tools for users. Just this week we announced a new partnership with Web of Trust to detect and block bad links, additional clickjacking protection, self-XSS protection and login approvals. This followed our announcement last month of an entire suite of new safety and security tools.
  • Completing OAuth 2.0 as an IETF standard. Last year the industry came together to build the OAuth 2.0 protocol within the IETF. OAuth 2.0 increases security on the Internet by giving people more control over what data can be accessed via APIs. We’ve led the way in implementing OAuth in addition to contributing deeply to the standard itself.
  • Ensuring ad provider quality. We recently updated our policies to require developers to use third-party ad providers who have signed our terms that govern ad quality and data use. This is an important step to give you an easier way to find providers who have committed to protecting user data.
  • A secure signed cookie specification. While we're moving Facebook to use HTTPS, the vast majority of the Internet still sets session cookies in the clear. The MAC Access Authentication specification is a secure session cookie protocol designed to provide cryptographic protection against stealing session cookies transmitted without HTTPS. We’re working with Yahoo!, Google and Mozilla on this specification in order to give all websites a way to ensure that session information has not been altered or tampered with.
  • Improving browser security. We have started discussions with browser vendors around technical solutions to increase security and privacy in the Referer header, which have been a foundational and unchanged piece of the web since the HTTP 1.0 specification in the 1990s.
  • Bridging technology and policy. Beyond technology, the White House and NIST have been working to build a National Strategy for Trusted Identity in Cyberspace. NSTIC is focused on engaging the industry around increasing security and privacy on the web when it comes to signing into websites. We’re working with NIST to share best practices and discuss how OAuth can can contribute to this framework.

We appreciate your help in making the necessary changes to your apps outlined earlier this week and your commitment to create a secure environment for users. If you have any questions, please let us know in the Comments below.