In October, Facebook will start requiring all apps and websites that use Facebook Login to use HTTPS. In preparation for that, Facebook has added a new “Enforce HTTPS” setting for Facebook Login.
To make apps and websites using Facebook Login more secure, Facebook will soon require that all apps and websites using the feature switch to HTTPS. The deadline is October 6, 2018, when HTTPS enforcement will be automatically enabled for all apps and websites. Until then, developers can enable the “Enforce HTTPS” setting themselves on their Facebook Login Dashboard. When enabled, “it requires all Facebook Login redirects” and “all Facebook JavaScript SDK calls that return or require an access token” to use HTTPS.
Using HTTPS protects information in transit and helps keep users secure. Facebook has required that all new apps created since March 2018 use HTTPS, but older apps and websites will have until October 6, 2018, to opt in. After that, it will be automatically enabled. Essentially, the option gives developers some time to switch and test all their systems.
Facebook Software Engineer Brad Hill notes that “you may have received a developer alert telling you that we’ve already enabled this setting for your app — if you don’t currently use Web OAuth flows, already use only HTTPS URIs, or if all your redirect domains send or preload HTTP Strict Transport Security instructions.”
Furthermore, Facebook strongly recommends that developers update pages to work over HTTPS and turn on the “Enforce HTTPS” setting as soon as possible. Developers will still be able to use HTTP with “localhost” addresses, but only while their app is in development mode. Finally, social plugins and other features of Facebook’s JavaScript SDK use HTTPS iframes and therefore don’t pass sensitive information back to their embedding pages. Those can continue to use HTTP.
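Before switching the setting on, a developer can audit an app's configured redirect URIs against the rules described above. The following is an added example, not Facebook's code: the function names and sample URIs are hypothetical, and it assumes the development-mode exemption covers only the literal host “localhost”.

```python
from urllib.parse import urlsplit

# Assumption: only the literal host "localhost" is exempt, per the article's wording.
DEV_HTTP_HOSTS = {"localhost"}

def audit_redirect_uri(uri, development_mode=False):
    """Return (ok, reason) for one OAuth redirect URI under Enforce HTTPS."""
    try:
        parts = urlsplit(uri.strip())
        host = (parts.hostname or "").lower()
    except ValueError:
        return False, "unparseable URI"
    if not host:
        return False, "no scheme or host"
    if parts.scheme == "https":
        return True, "https"
    if parts.scheme == "http" and host in DEV_HTTP_HOSTS:
        if development_mode:
            return True, "http localhost, app in development mode"
        return False, "http localhost is only allowed in development mode"
    if parts.scheme == "http":
        return False, "plain http redirect"
    return False, "unsupported scheme"

def hsts_active(header_value):
    """True if a Strict-Transport-Security header value has max-age > 0."""
    for directive in (header_value or "").split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(value.strip().strip('"')) > 0
            except ValueError:
                return False
    return False  # header absent or without max-age: no HSTS policy

# Constructed sample configuration, not taken from any real app.
SAMPLE_URIS = [
    "https://app.example.com/login/callback",
    "http://app.example.com/login/callback",
    "http://localhost:3000/login/callback",
    "http://localhost.app.example.com/login/callback",  # not the localhost host
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        ok, reason = audit_redirect_uri(uri, development_mode=False)
        print(("PASS" if ok else "FAIL"), uri, "-", reason)
```

Run it with `development_mode=True` for an app that has not gone live yet; the `hsts_active` helper takes the raw `Strict-Transport-Security` value returned by a redirect domain.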