Enabling HTTPS

The HTTPS protocol provides greater security for your websites that use Facebook Login. By encrypting communications, it safeguards the privacy and integrity of the information exchanged.

Reasons to Enable HTTPS

  • Using HTTPS for your site is often free, fast and can even boost your search engine rankings.

  • Google Chrome marks sites without HTTPS as "Not secure." Upgrading to HTTPS is an important step in establishing and maintaining customer trust.

  • Facebook will soon require all uses of Facebook Login on the web, including API calls with our JavaScript SDK, to happen exclusively from pages served over HTTPS. This protects user access tokens from disclosure on the network, keeping people's data and your application's authenticated sessions more secure.

How to Enable HTTPS

  1. To enable HTTPS, use a certificate authority to get a certificate identifying your website.

  2. Install that certificate on your web server and configure TLS. There are a number of free tools available for popular web hosting providers and platforms that can automate most or all of this process in many common situations.

  3. After you've enabled HTTPS for your site, you'll need to test it and make sure everything works as expected. The Upgrade Insecure Requests HTTP header can help you automatically fix the most common issues encountered during an upgrade.

Recommended Certificate Authority

Let's Encrypt is a free, automated and open certificate authority recommended and supported by Facebook.

For Web Hosting Services

Let's Encrypt integrates with more than 100 web hosting providers. If you don't see your provider listed below, check to see if your provider supports Let's Encrypt. If you have shell access to your server, you can usually follow the steps for using Let's Encrypt for self-hosted websites, even if you don't find your hosting provider listed on this page.

For Self-Hosted Websites

If you host your own website, Let's Encrypt provides automated tools to obtain and install a certificate for a variety of operating systems and web server software. If you're configuring your own web server, a useful tool is Mozilla's SSL Configuration Generator.

Popular Web Hosting Providers and Platforms

If you're deploying your application with a cloud hosting provider, many provide support for HTTPS as part of their core service offerings. You can often enable it through the administrative tools you're already using.

Here are links for some of the most popular hosting providers offering integrated support.

Amazon Web Services

The AWS Certificate Manager provides free and integrated management and deployment of SSL/TLS certificates for AWS resources such as Elastic Load Balancers, Amazon CloudFront distributions and more.

Microsoft Azure

The Azure Portal has built-in support for purchasing and installing a commercial certificate. It's also possible to use an automatically renewing, free certificate from Let's Encrypt with an unofficial site extension.

IBM Cloud

The IBM Cloud Certificate Manager provides a free tool to manage many of the configuration tasks associated with certificate management and service configuration. You'll need to obtain your own certificates for custom domains from a certificate authority such as Let's Encrypt.

Google App Engine

Google App Engine offers HTTPS support on globally distributed, load-balanced endpoints, and it can be enabled automatically with free, managed certificates. Learn how to enable HTTPS for your custom domains in Google App Engine.

Alibaba Cloud

The Alibaba Cloud SSL Certificates Service allows customers to directly apply, purchase and manage SSL certificates on Alibaba Cloud.

Heroku

Automated Certificate Management automatically manages TLS certificates for apps with Hobby and Professional dynos on the Common Runtime, and for apps in Private Spaces that enable the feature.


Enabling HTTPS through a CDN

If you're using a Content Delivery Network (CDN), it may have managed offerings to assist you in deploying HTTPS, such as Cloudflare's one-click SSL or Akamai's secure CDN.

Testing Your Site and Fixing Common Issues

For a page to be secure, all the parts that make it up must load over HTTPS. If your site doesn't work or the browser is showing warnings after installing your certificate and configuring your web host to support HTTPS, you probably have mixed content. This happens when a secure page tries to load insecure things. For example, from an HTTPS page, browsers display a warning when loading media like <img src="http://example.com/test.png">, and will completely block scripts and other active content loaded insecurely, such as <script src="http://example.com/sdk.js">.

There are a few ways to fix this, such as using a script or a rewrite rule to update link paths across your site. But the easiest fix is to use the upgrade insecure requests feature of Content Security Policy.

You can do this by setting the following HTTP header:

Content-Security-Policy: upgrade-insecure-requests

Or by adding the following tag to the <head> of your HTML resources:

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

The web browser will automatically attempt to request all resources in the document securely. You should still test your site after applying this directive, in case some resources you depend on are not available over HTTPS and fail to load.
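As an added example that is not part of this page, the following Node.js script audits an HTML page for mixed content the way a browser would classify it (passive media such as images loads with a warning, active content such as scripts and stylesheets is blocked) and checks whether the upgrade-insecure-requests directive is present in either the Content-Security-Policy header or a meta tag. The sample HTML and header object are constructed for the demonstration.

```javascript
// Added example: mixed-content audit for a page served over HTTPS.
// Tags whose insecure http:// subresources browsers block outright (active
// content) versus those they merely warn about (passive content).
const ACTIVE = new Set(["script", "iframe", "link", "object", "embed"]);

// Constructed sample page mixing insecure and secure references.
const SAMPLE_HTML = `<html><head>
<link rel="stylesheet" href="http://example.com/site.css">
</head><body>
<img src="http://example.com/test.png">
<script src="http://example.com/sdk.js"></script>
<script src="https://connect.facebook.net/en_US/sdk.js"></script>
</body></html>`;

// Returns one finding per http:// subresource: the tag, the insecure URL,
// the browser's behaviour, and the URL upgrade-insecure-requests would fetch.
function findMixedContent(html) {
  const findings = [];
  const tagRe = /<(img|audio|video|source|script|iframe|link|object|embed)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    // Only plain http:// counts; https://, relative and protocol-relative URLs are fine.
    const attr = /(?:^|\s)(?:src|href|data)\s*=\s*["']?(http:\/\/[^"'\s>]+)/i.exec(m[2]);
    if (!attr) continue;
    findings.push({
      tag,
      url: attr[1],
      effect: ACTIVE.has(tag) ? "blocked" : "warning",
      upgraded: attr[1].replace(/^http:\/\//i, "https://"),
    });
  }
  return findings;
}

// True if the response headers or a <meta http-equiv> tag carry the directive.
function hasUpgradeDirective(headers, html) {
  const csp = Object.entries(headers).find(([k]) => k.toLowerCase() === "content-security-policy");
  if (csp && /\bupgrade-insecure-requests\b/i.test(csp[1])) return true;
  const meta = /<meta\b[^>]*http-equiv=["']?content-security-policy["']?[^>]*>/i.exec(html);
  return !!meta && /content=["'][^"']*\bupgrade-insecure-requests\b/i.test(meta[0]);
}

for (const f of findMixedContent(SAMPLE_HTML)) {
  console.log(`${f.effect.padEnd(7)} <${f.tag}> ${f.url} -> ${f.upgraded}`);
}
console.log("upgrade-insecure-requests present:", hasUpgradeDirective({}, SAMPLE_HTML));
```

Even with the directive in place, a finding whose upgraded URL is not actually served over HTTPS will still fail to load, which is why the page recommends testing after applying it.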

If you're using a CDN service to upgrade your site to HTTPS, it may automatically provide link rewriting services to avoid mixed content and other issues. If modifying your site is difficult for your business, a CDN service like Cloudflare's one-click SSL may be a cost-effective way for you to deploy HTTPS with little technical expertise required.