Originally Published on Developers.facebook.com on June 8, 2018 By Brad Hill
You may have received a developer alert telling you that we’ve already enabled this setting for your app — if you don’t currently use Web OAuth flows, already use only HTTPS URIs, or if all your redirect domains send or preload HTTP Strict Transport Security instructions.
If not all of your URLs are HTTPS or HSTS, we strongly recommend that you update your pages to work over HTTPS and turn on the “Enforce HTTPS” setting in your Facebook Login settings.
You will still be able to use HTTP with “localhost” addresses, but only while your app is still in development mode.
Be sure to enable “Enforce HTTPS” by October 6, 2018 so that your URLs redirect properly. Thank you for helping us protect people’s information on the Facebook platform and in your apps and websites.