22

I am using the Facebook SDK. I am getting the following error:

Insecure Login Blocked: You can't get an access token or log in to this app from an insecure page. Try re-loading the page as https://

After studying, I came to know that I have to set 'Enforce HTTPS' to NO under 'Facebook Login > Settings'. But I cannot set Enforce HTTPS to NO. Is this problem from my side? Or does Facebook restrict us to use https instead of http?

BadPirate
Abdus Sattar Bhuiyan
  • It's forcefully set to YES as it's best practice to use HTTPS. This is enabled by default on all new apps – TommyBs Mar 21 '18 at 07:18
  • 4
    @TommyBs and what about local development? do you have an ssl certificate running on localhost? this setting is even forcefully enabled when you create a "test app" – phil294 May 01 '18 at 19:54
  • As per Facebook: "http://localhost redirects are automatically allowed while in development mode only and do not need to be added here." – Adam Reis Jan 16 '19 at 01:32

5 Answers

19

Enable Client OAuth Login and write "localhost:3000" in Valid OAuth Redirect URIs.
Save changes. It will automatically change to https://localhost:3000, but it doesn't matter...
And set Status: In Development (THIS IS IMPORTANT!)
Then it will work on your http localhost.

Travis Yu
8

But I cannot set Enforce HTTPS to NO. Is this problem from my side?

https://developers.facebook.com/docs/facebook-login/security:

Enforce HTTPS. This setting requires HTTPS for OAuth Redirects and pages getting access tokens with the JavaScript SDK. All new apps created as of March 2018 have this setting on by default and you should plan to migrate any existing apps to use only HTTPS URLs by March 2019.

Sounds to me, like they don’t want you to be able to even start without HTTPS, when you are creating a new app now.


Plus, Chrome has recently announced that they will mark all HTTP sites as insecure soon, from version 68 on, that will be released in July 2018. So you’re gonna have to go HTTPS rather sooner than later anyway.

The “big players” of the industry are currently pushing for this big time, whether we want it or not.

CBroe
  • Thanks @CBroe. in short- 'no http site can use facebook sdk' OR every http should migrate to https to use facebook SDK. right? – Abdus Sattar Bhuiyan Mar 21 '18 at 07:32
  • Every website that uses either the redirect login flow, or the JS SDK, for login - so that would be pretty much all of them, yes. (The few login methods not mentioned here are not usually used on websites.) You can still make client-side API calls using the JS SDK on an HTTP page - but anything having to do with login will require HTTPS. – CBroe Mar 21 '18 at 07:37
  • 11
    How can I use Facebook login on localhost? Because when I used it on localhost (with the Laravel framework) it failed and said "Insecure login blocked: you can't get an access token or log in to this app from an insecure page. Try reloading the page as https://" So I'm on localhost, how can I use it? – Kosrat D. Ahmad Apr 10 '18 at 13:25
  • 3
    @KosratD.Ahmad by accessing your localhost via HTTPS …? (If you don’t know how to set that up, go research it.) – CBroe Apr 10 '18 at 13:43
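
The two rules quoted in this thread (Enforce HTTPS requires HTTPS for OAuth redirects; http://localhost redirects are allowed in development mode only) can be checked against a list of redirect URIs before they are saved. This is an added example, not part of the original posts and not Facebook's implementation; the function names, the mode strings and the sample URIs are assumptions.

```javascript
// Added example, not Facebook's code: models the two rules quoted in this thread.
// checkRedirectUri, lintRedirectUris and the mode strings are hypothetical names.
function checkRedirectUri(uri, mode) {
  let url;
  try {
    url = new URL(uri);
  } catch {
    // e.g. "example.com/cb": no scheme at all, so the URL parser rejects it
    return { uri, allowed: false, reason: "unparseable" };
  }
  if (url.protocol === "https:") {
    return { uri, allowed: true, reason: "https" };
  }
  if (url.protocol !== "http:") {
    // "localhost:3000" parses with scheme "localhost:", i.e. no http(s) scheme given
    return { uri, allowed: false, reason: "no-http-scheme" };
  }
  // Exact hostname match: "localhost.example.test" must not pass as localhost
  if (url.hostname === "localhost") {
    return mode === "development"
      ? { uri, allowed: true, reason: "localhost-in-development" }
      : { uri, allowed: false, reason: "localhost-http-outside-development" };
  }
  return { uri, allowed: false, reason: "insecure-http" };
}

// Returns only the entries that would be refused under the modelled rules.
function lintRedirectUris(uris, mode) {
  return uris.map((u) => checkRedirectUri(u, mode)).filter((r) => !r.allowed);
}

// Constructed sample configuration (not taken from the thread)
const SAMPLE_URIS = [
  "https://app.example.test/auth/facebook/callback",
  "http://localhost:3000/auth/facebook/callback",
  "http://localhost.example.test/callback",
  "http://app.example.test/auth/facebook/callback",
  "localhost:3000",
];

for (const r of lintRedirectUris(SAMPLE_URIS, "development")) {
  console.log(`${r.reason}: ${r.uri}`);
}
```

Passing any mode other than "development" also flags the plain-http localhost entry, which matches the "development mode only" wording quoted above.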
8

If you just enable Client OAuth Login and write just localhost:{port} to Valid OAuth Redirect URIs, it will work.

bsmk
2

If you're developing locally with create-react-app, a quick solution is to add

HTTPS=true

to your .env file and just comment it out when you're not testing Facebook login.

fisch2
0

It seems like Business apps do not have app modes and instead rely exclusively on access levels. Because of this, you can't set the app to the "Development mode".

  • All newly created apps start out in Development mode and you should avoid changing it until you have completed all development and testing.

https://developers.facebook.com/docs/development/build-and-test/

https://developers.facebook.com/docs/development/build-and-test/app-modes

However, if you wanna try out your app in a localhost, you need to create a test app, like you can check out in this thread:

How to fix 'Facebook has detected MyApp isn't using a secure connection to transfer information.' error in Laravel