Likes UP: Facebook Security on Pages HTTPS October 1, 2011 deadline
- October 1: All Canvas apps must process signed_request (fb_sig will be removed) and obtain an SSL certificate (unless you are in Sandbox mode). This will ensure that users browsing Facebook over HTTPS will have a great experience over a secure connection.
We believe these changes create better and more secure experiences for users of your app. A migration plan below outlines the potential impact on your apps.
The signed_request parameter is utilized to share information between Facebook and app in a number of different scenarios:
- A signed_request is passed to Apps on Facebook.com when they are loaded into the Facebook environment
- A signed_request is passed to any app that has registered an Deauthorized Callback in the Developer App whenever a given user removes the app using the App Dashboard
- A signed_request is passed to apps that use the Registration Plugin whenever a user successfully registers with their app
This HMAC signature ensures that the data you are receiving is actually sent by Facebook. It is signed using your app secret which is only known by you and Facebook. Without this secret, third parties cannot modify the signed_request parameter without also invalidating its contents.