Likes UP: Facebook Changes to Pages – October 1, 2011 Security Compliance Required

Facebook announced a major change which will be implemented in October 2011.

A valid SSL Certificate for Facebook Pages will be mandatory from 1st October 2011 if the Page has customization.

So what does this mean for the Facebook Page owner and the Facebook Page visitor?


If you want a custom page tab (“Welcome Tab”), you’ll need a security certificate (SSL).

What is an SSL Certificate?
SSL is the standard abbreviation for Secure Sockets Layer. In a nutshell, SSL encrypts information as it is transferred across the internet. The issuing of an SSL Certificate is proof that a domain is protected by SSL and is secure.

Generally an SSL Certificate is valid for 1 year minimum and can’t be refunded. You purchase it through your hosting company. Your SSL Certificate must be renewed, and when you renew it you must also install the new certificate, so purchasing an SSL Certificate valid for over one year can save time.

  • Starting October 1st 2011 your Facebook Page will have to be served through HTTPS as opposed to just HTTP (that makes it secure).
  • You will need a valid SSL certificate on your hosting.
  • You will need to complete the “Secure Canvas URL” and “Secure Tab URL” fields in the Developer App with the corresponding information.
  • If you are using a 3rd party app for your Facebook Page customization the platform used to host your Page must have a valid SSL certificate.

HTTPS: https, or secure http, was developed by Netscape to allow authorization and secured transactions.

In many ways, https is identical to http, because it follows the same basic protocols. Use of https in a URI scheme rather than http indicates that an encrypted connection is desired.

Encryption refers to algorithmic schemes that encode plain text into a non-readable form, or ciphertext, providing privacy. The receiver of the encrypted text uses a “key” to decrypt the message, returning it to its original plain text form. The key is the trigger mechanism to the algorithm.


Secure Page Tab URL will be required on October 1, 2011

Facebook will not allow you to add a new app that doesn’t have a Secure Tab URL (https).
This secure tab, often called a “WELCOME TAB”, must show https:// in the URL.

Prior to October 1, 2011, you may see a message to turn off secure browsing to get to a page that is not Facebook Security Compliant:


For more information go to: Facebook Developer Roadmap

Facebook Developer Roadmap Overview (excerpt)

In the spirit of openness and transparency, we publish this roadmap to help developers plan for changes that may require code modifications. Like all roadmaps, it may shift slightly, but we will share insight into what is happening as details become available.



Canvas Apps and Page Tabs: No new FBML apps

March 11, 2011 Completed: We will stop allowing new FBML apps, but will continue to support existing FBML tabs and apps. Instead, we recommend using iframes.

October 1, 2011

1. OAuth 2.0 Migration

As (Facebook) we announced in May, all apps must migrate to OAuth 2.0 for authentication and expect an encrypted access token. The old SDKs, including the old JS SDK and old iOS SDK will no longer work.

2. Apps on Facebook Authentication and security migration (HTTPS)

All Canvas and Page tab apps (that are not using FBML) must convert to process signed_request (fb_sig will be removed) and obtain an SSL certificate for use in ‘Secure Canvas URL’ and ‘Secure Page tab URL’ (unless you are in Sandbox mode). You must provide an SSL certificate in the Dev App settings to avoid having your app disabled.

3. Auth.promotesession deprecation

This method is deprecated and will be removed.

4. manage_pages permission required to access user accounts (/me/accounts)

We are modifying access to the FQL page_admin table and the endpoint. Previously, with basic permissions granted, an app could go to this endpoint or the FQL table to access the list of a user’s apps and Pages. We are going to require that apps have the manage_pages permission in order to obtain access to this information.
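
Item 2 of the roadmap excerpt above requires Page tab apps to process signed_request. The following is an added example, not code from Facebook or from this post: it verifies a signed_request in the format Facebook's platform documentation describes (a base64url signature, a dot, then a base64url JSON payload, with HMAC-SHA256 keyed by the app secret). The function names, the secret and the payload are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json


def _b64url_decode(part: str) -> bytes:
    # signed_request uses URL-safe base64 with the '=' padding stripped.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def parse_signed_request(signed_request: str, app_secret: str) -> dict:
    """Return the verified payload, or raise ValueError if it cannot be trusted."""
    try:
        encoded_sig, encoded_payload = signed_request.split(".", 1)
        signature = _b64url_decode(encoded_sig)
        payload = json.loads(_b64url_decode(encoded_payload))
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed signed_request") from exc

    # Pin the algorithm: the payload must not choose how it is verified.
    algorithm = payload.get("algorithm") if isinstance(payload, dict) else None
    if str(algorithm).upper() != "HMAC-SHA256":
        raise ValueError("unexpected algorithm")

    # The MAC covers the encoded payload string exactly as it was received.
    expected = hmac.new(app_secret.encode(), encoded_payload.encode(),
                        hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(signature, expected):
        raise ValueError("bad signature")
    return payload


def make_signed_request(payload: dict, app_secret: str) -> str:
    """Constructed helper: builds a sample value so the check runs offline."""
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=").decode()
    sig = hmac.new(app_secret.encode(), body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(sig).rstrip(b"=").decode() + "." + body


if __name__ == "__main__":
    SECRET = "constructed-app-secret"  # placeholder, not a real app secret
    sample = make_signed_request({"algorithm": "HMAC-SHA256", "page": {"id": "1"}}, SECRET)
    print(parse_signed_request(sample, SECRET))
```

Only the dictionary returned by `parse_signed_request` should be trusted by the tab; a value that raises `ValueError` is treated as an unauthenticated request.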