Remember to host your Facebook app content securely

Any content you display via a Facebook app or custom tab page needs to be hosted securely over https – meaning a couple of knock on considerations.

I’ve emails/conversations about 2 upcoming Facebook app projects this morning and in both instances the subject of hosting over https:// has raised it’s head (or I’ve raised it, rather!).


Facebook gives it’s Users the option of only viewing Facebook over https / securely. This means that apps and custom tabs – displayed on Facebook in iframes – need to be hosted on https so that Users with this option turned on can view the content.

If you don’t host it over https, Users who don’t have that setting set will see it as intended and not have any issues. But those who have requested to only view things over https won’t be able to see your app / custom tab – and worse still will see an unfriendly message about how the page is insecure.

Of course, it’s not really “insecure” in the sense that it’s going to creep from your computer into your pocket and steal your credit card details and the keys to your car, but the wording can give that effect. So as I assume you don’t want your brand / company associated with an “insecure” message, and you want your app / custom tab to be enjoyed by as many visitors as possible rather than appearing broken to some, you need to get a secure certificate / ensure the content is running on https.


One of the conversations I’ve started this morning is about font files. We’ve been supplied a design which needs building so that it can be used as a Custom Tab App, but it includes a non-standard web font. The client use this font on their website already and as the iframe content is going into their CMS to be hosted there (as long as their CMS can run over https), it makes sense to use their existing webfont files – but it means they need to be available over https.

If the files aren’t available over https, to be honest, I’m not sure what the outcome would be. Worst case scenario the user would see some kind of warning /error message. Best case scenario the app would work fine but the webfont files wouldn’t be accessible to people accepting https only and so we’d give them a fall back font. But from a branding point of view this still isn’t great as many users will be seeing something that doesn’t meet the current brand guidelines.


The other call I’ve had this morning is for a Facebook Custom Tab App which needs to be designed and built in a week.

Now, typically in my experience SSL certificates take from 2 weeks to get. I’ve known some takes much longer. There can be lots of hoops to jump through and the company who issue the certificate need to check you are who you say you are – which for some companies when their parent/holding name is different to the name they’re trading under in this instance can get tricky. Things can go from being a quick phone call to having to be letters between Jordan’s and accountants and the company issuing the certificate, which all takes time.

In the case of my call this morning, I’m going to investigate some options around existing SSL certificates / hosting. But it may be that we need to find a company who can register the certificate extremely quickly!

The Knowledge Base

Our knowledge base is split into categories, with an introdution to various differnt aspects of that category, followed by current topical articles which we constantly add.

Search the knowledgebase