On the first of October, Facebook will make another change which could have a significant — and potentially costly — impact to your applications and pages. As part of its latest moves to increase security across the platform, in addition to OAuth adoption they will expect that your canvas applications to be hosted at a secure address (https). If a user browses to your page via https — and millions are beginning to change their settings so that they are — instead of your lovingly crafted content, they’ll see the following warning:
If you go to an application’s settings, you’ll notice a new option, Secure Canvas URL, with the footnote “Required: SSL Cert by October 1, 2011″, pictured below.
In other words, the option is there already to specify a secure URL for your canvas application already, but by October 1st this will be a proviso, and that means you’ll need to install an SSL certificate. This isn’t trivial, and it’s often not cheap — particularly if you have multiple pages /applications over a number of domains, and remember that the cheapest SSL certificates aren’t necessarily supported by every browser. You can read Facebook’s original announcement on their blog, as well as some feedback on the move here. Personally I agree with the developer that in many cases SSL just isn’t necessary — particularly if all you’re doing is displaying external content on a Facebook page. But this is the price for a more secure platform, it seems. There is one possible solution — a website has come to my attention called Social Server, which appears to host a Facebook application for you on a secure server. However I haven’t tried it — if anyone has used it, do let me know in the comments.