The HTTPS protocol provides greater security for your websites that use Facebook Login. By encrypting communications, it safeguards the privacy and integrity of the information exchanged.
Using HTTPS for your site is often free, fast and can even boost your search engine rankings.
Google Chrome marks sites without HTTPS as "Not secure." Upgrading to HTTPS is an important step in establishing and maintaining customer trust.
Facebook will soon require all uses of Facebook Login on the web, including API calls with our JavaScript SDK, to happen exclusively from pages served over HTTPS. This protects user access tokens from disclosure on the network, keeping people's data and your application's authenticated sessions more secure.
To enable HTTPS, use a certificate authority to get a certificate identifying your website.
Install that certificate on your web server and configure TLS. There are a number of free tools available for popular web hosting providers and platforms that can automate most or all of this process in many common situations.
After you've enabled HTTPS for your site, you'll need to test and make sure everything works as expected: the certificate should chain to a trusted root, name your domain, and be well clear of expiry, and plain HTTP requests should redirect to HTTPS. The Upgrade Insecure Requests HTTP header can help you automatically fix the most common issues encountered during an upgrade.
Let's Encrypt is a free, automated and open certificate authority recommended and supported by Facebook.
Let's Encrypt integrates with more than 100 web hosting providers. If you don't see your provider listed below, check to see if your provider supports Let's Encrypt. If you have shell access to your server, you can usually follow the steps for using Let's Encrypt for self-hosted websites, even if you don't find your hosting provider listed on this page.
If you host your own website, Let's Encrypt provides automated tools to obtain and install a certificate for a variety of operating systems and web server software. If you're configuring your own web server, a useful tool is Mozilla's SSL Configuration Generator.
If you're deploying your application with a cloud hosting provider, many provide support for HTTPS as part of their core service offerings. You can often enable it through the administrative tools you're already using.
Here are links for some of the most popular hosting providers offering integrated support.
The AWS Certificate Manager provides free and integrated management and deployment of SSL/TLS certificates for AWS resources such as Elastic Load Balancers, Amazon CloudFront distributions and more.
The Azure Portal has built-in support for purchasing and installing a commercial certificate. It's also possible to use an automatically renewing, free certificate from Let's Encrypt with an unofficial site extension.
The IBM Cloud Certificate Manager provides a free tool to manage many of the configuration tasks associated with certificate management and service configuration. You'll need to obtain your own certificates for custom domains from a certificate authority such as Let's Encrypt.
Google App Engine offers HTTPS support with globally distributed and load-balanced endpoints and can be enabled automatically with free, managed certificates. Learn how to enable HTTPS for your custom domains in Google App Engine.
The Alibaba Cloud SSL Certificates Service allows customers to directly apply, purchase and manage SSL certificates on Alibaba Cloud.
Heroku's Automated Certificate Management automatically manages TLS certificates for apps with Hobby and Professional dynos on the Common Runtime, and for apps in Private Spaces that enable the feature.
If you're using a Content Delivery Network (CDN), it may have managed offerings to assist you in deploying HTTPS, such as Cloudflare's one-click SSL or Akamai's secure CDN.
For a page to be secure, all the parts that make it up must load over HTTPS. If your site doesn't work or the browser is showing warnings after installing your certificate and configuring your web host to support HTTPS, you probably have mixed content. This happens when a secure page tries to load insecure things. For example, from an HTTPS page, browsers display a warning when loading media like <img src="http://example.com/test.png">, and will completely block scripts and other active content loaded insecurely, such as <script src="http://example.com/sdk.js">. A blocked script never runs, so if the Facebook JavaScript SDK is referenced over plain HTTP, Facebook Login on that page fails outright.
There are a few ways to fix this, such as using a script or a rewrite rule to update link paths across your site. But the easiest fix is to use the upgrade insecure requests feature of Content Security Policy.
You can do this by setting the following HTTP header:
Content-Security-Policy: upgrade-insecure-requests
Or by adding the following tag to the <head> of your HTML resources:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
The web browser will automatically attempt to request all resources in the document securely. Two caveats: the directive upgrades subresource requests and same-origin navigations, but not links to third-party sites; and when it is delivered via the <meta> tag it applies only to requests issued after the tag is parsed, so place it at the top of <head>, before any script or stylesheet. You should still test your site after applying this directive, in case some resources you depend on are not available over HTTPS and fail to load.
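As an added example (not code from the original page), the following Node.js snippet shows the mixed-content problem and both fixes from the text: it scans an HTML document for plain-http:// subresources and classifies each the way a browser does (blockable versus upgradeable), rewrites the insecure references in the markup (the "script or rewrite rule" approach), and checks whether a document already opts into upgrade-insecure-requests through the response header or the meta tag. The sample HTML is constructed for the example; the tag lists and regular expressions are a simplification of the browser's HTML parser.

```javascript
// Added example, not code from the original page. The sample HTML is constructed.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="http://example.com/sdk.js"></script>
</head><body>
<img src="http://example.com/test.png" alt="see http://example.com">
<script src="https://example.com/app.js"></script>
<img src="//static.example.com/logo.png">
</body></html>`;

// Per the Mixed Content spec, only images, audio and video are "optionally
// blockable" (loaded with a warning); scripts, frames, stylesheets and plugins
// are blocked outright. Navigations (<a href>) are not mixed content at all.
const BLOCKABLE_TAGS = new Set(['script', 'iframe', 'link', 'object', 'embed']);
// Matches a resource-bearing tag and its first src/href/data attribute.
// Groups: 1 tag name, 2 attribute name, 3 quote character, 4 URL.
const RESOURCE_ATTR =
  /<(script|iframe|link|object|embed|img|audio|video|source)\b[^>]*?\s(src|href|data)\s*=\s*(["'])(.*?)\3[^>]*>/gi;

// Returns every subresource reference whose URL is plain http://, with the
// category a browser applies. Scheme-relative (//) and https:// URLs are fine.
function findMixedContent(html) {
  const findings = [];
  for (const m of html.matchAll(RESOURCE_ATTR)) {
    const tag = m[1].toLowerCase();
    const url = m[4];
    if (!/^http:\/\//i.test(url)) continue;
    findings.push({
      tag,
      url,
      category: BLOCKABLE_TAGS.has(tag) ? 'blockable' : 'upgradeable',
    });
  }
  return findings;
}

// Fix 1 from the text: rewrite http:// to https:// in the resource attribute
// only, leaving other attributes (alt text, data-* values) untouched.
function rewriteInsecureUrls(html) {
  return html.replace(RESOURCE_ATTR, tag =>
    tag.replace(/(\s(?:src|href|data)\s*=\s*["'])http:\/\//i, '$1https://'));
}

// Fix 2 from the text: does the document already carry the
// upgrade-insecure-requests directive, either in the Content-Security-Policy
// response header or in a <meta http-equiv> tag? Note the meta form only
// covers requests issued after the tag is parsed, so it belongs at the top
// of <head>.
function hasUpgradeInsecureRequests(html, cspHeader = '') {
  const hasDirective = v =>
    v.split(';').map(s => s.trim().toLowerCase()).includes('upgrade-insecure-requests');
  if (hasDirective(cspHeader)) return true;
  for (const tag of html.match(/<meta\b[^>]*>/gi) || []) {
    if (!/http-equiv\s*=\s*["']content-security-policy["']/i.test(tag)) continue;
    const c = /\scontent\s*=\s*(["'])(.*?)\1/i.exec(tag);
    if (c && hasDirective(c[2])) return true;
  }
  return false;
}

// Demo run on the constructed page.
console.log(findMixedContent(SAMPLE_HTML));
console.log('CSP opt-in present:', hasUpgradeInsecureRequests(SAMPLE_HTML));
console.log(findMixedContent(rewriteInsecureUrls(SAMPLE_HTML)).length, 'issues after rewrite');

module.exports = { SAMPLE_HTML, findMixedContent, rewriteInsecureUrls, hasUpgradeInsecureRequests };
```

On the sample page the scanner reports the stylesheet and the SDK script as blockable and the image as upgradeable; after the rewrite nothing is flagged, and the `alt` text that merely mentions an http:// URL is left alone. Running the scanner over the rewritten markup is also the offline equivalent of the "still test your site" advice above, since it shows what the browser would have blocked.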
If you're using a CDN service to upgrade your site to HTTPS, it may automatically provide link rewriting services to avoid mixed content and other issues. If modifying your site is difficult for your business, a CDN service like Cloudflare's one-click SSL may be a cost-effective way for you to deploy HTTPS with little technical expertise required.