Back to News for Developers

Meeting the Oct. 1 HTTPS Deadline: Updating Secure URLs via API

September 29, 2011ByMatthew Johnston

Many of you have received an email reminder to support OAuth 2.0 and HTTPS by October 1st. To help Canvas and Page Tab App developers more easily update their Secure URLs, we have pushed changes to admin.setAppProperties that let you set your secure_callback_url and secure_page_tab_url programmatically. You can read the documentation for this API method here. You will need to use an app access token and the secure_callback_url and secure_page_tab_url must be a fully qualified URL beginning with https:// and must point to a directory (i.e., end with a '/') or a dynamic page (i.e., have a '?' somewhere).

For example:

  $app_id = 'YOUR_APP_ID';
  $app_secret = 'YOUR_APP_SECRET';

  // Get an App Access Token
  $app_token_url = ''
    . 'client_id=' . $app_id
    . '&client_secret=' . $app_secret
    . '&grant_type=client_credentials';

  echo '<pre>';
  echo $app_token_url;
  echo '</pre>';
  $app_access_token = file_get_contents($app_token_url);
  echo '<pre>';
  echo $app_access_token;
  echo '</pre>';

  // Set Secure URLs - modify to the appropriate URLs
  $set_url = ''
  . 'properties={"secure_callback_url":"",'
  . '"secure_page_tab_url":""}&'
  . $app_access_token; 

  echo $set_url;

  $set_result = file_get_contents($set_url);

  echo '<pre>';
  echo 'Set result: ' . $set_result . '<br />';
  echo '</pre>';  


We will soon provide this functionality in the Graph API, but wanted to first provide this REST API to help developers meet the October 1st deadline.

FBML apps

We have heard that there is some confusion about whether FBML apps must support HTTPS. FBML developers still need to know whether users are browsing Facebook over a secure connection since they need to detect whether to serve iframe or video content over HTTPS. As a result, FBML apps must obtain SSL certificates in order to serve this type of content to users browsing over a secure connection. If you have an FBML app, please obtain an SSL certificate for your app to receive traffic from users browsing Facebook over a secure connection.

If you enable SSL for your FBML app, please make sure that your SSL certificate includes all intermediate certificates in the chain of trust as our SSL validation is strict. You can use third-party SSL analysis tools (e.g., to check your certificate status and fix any errors (and warnings). If your SSL certificate has problems, you may see "Empty response received" error when you load your FBML canvas app.

Please let us know if you have any questions in the comments below.