Originally Published on Developers.facebook.com on June 8, 2018 By Brad Hill
To increase the security of apps and websites using Facebook Login, we’re making an important update for the handling of all Facebook Login access tokens. A new “Enforce HTTPS” setting for Facebook Login is now available in your App Dashboard. When turned on, it requires all Facebook Login redirects to use HTTPS, and all Facebook JavaScript SDK calls that return or require an access token to occur only from HTTPS pages.
HTTPS helps keep transmitted information private and helps protect the security of people using your app and Facebook Login. All new apps created since March 2018 have already been required to use this setting, and existing apps and websites using Facebook Login have until October 6, 2018 to opt in before it will automatically be enabled. Any insecure redirect URIs or pages making Login or API calls with the JavaScript SDK from HTTP pages will stop working after that date.
You may have received a developer alert telling you that we’ve already enabled this setting for your app — if you don’t currently use Web OAuth flows, already use only HTTPS URIs, or if all your redirect domains send or preload HTTP Strict Transport Security instructions.
If not all of your URLs are HTTPS or HSTS, we strongly recommend that you update your pages to work over HTTPS and turn on the “Enforce HTTPS” setting in your Facebook Login settings.
You will still be able to use HTTP with “localhost” addresses, but only while your app is still in development mode.
Other features of our JavaScript SDK, such as social plugins, already use HTTPS iframes and do not pass sensitive information back to their embedding pages, so they can continue to be used on HTTP pages.
Be sure to enable “Enforce HTTPS” by October 6, 2018 so that your URLs redirect properly. Thank you for helping us protect people’s information on the Facebook platform and in your apps and websites.