Facebook App: any way to run the app without SSL? - facebook

I am working on my first app for Facebook and facing (probably) with the SSL problem. If I am testing the app, so it's working well. But then I wanted to test the app by my friend - so I assigned him the role "Tester", he accepted it and I sent him the link to the app.
If he opened the app, he got the error The website is not available - Error 501 (net::ERR_INSECURE_RESPONSE): Unknown error
I started google it and it looks that the cause is the missing SSL certificate on my hosting, where the app is stored.
BUT - how is possible, that the app is working me well without the SSL and to my friend doesn't? If the SSL is required for Facebook apps, why I didn't get the same error?
(I set Secure Canvas URL: to https://example.com/fb-app-directory/, however I don't have at this domain and hosting any SSL certificate).
I never used before SSL. I bought the domain name on Namecheap and hosting on Hostgator. So now, I should buy a SSL certificate from the offer (http://www.namecheap.com/ssl-certificates.aspx) of Namecheap, right?
Would be suitable for the Facebook app the cheapest one?

Look, this SSL problem can only be solved by purchasing a valid SSL certificate or looking for a server which can host your app and is SSL certified such as:
phpfog.com - Provides you with some limited space and database service.
heroku.com - Does not provide any storage space for saving dynamically generated data. To have that service, you have to buy the Amazon buckets service which, again, is a costly affair.
If you don't want to invest any money, I would recommend that you go with phpfog - it is easy and its documentation is pretty good.

You should buy an SSL cert in order for everyone to be able to access your app. Your friend probably has his settings set so that he browses Facebook securely, in this case he is hitting https://example.com/fb-app-directory/, not your actual URL.
The cheapest one isn't the best one, but it should work as long as it's valid. I would suggest using Heroku though, as that way you get everything you need - for free :)

Use a proxy in heroku.com and bring your page in secure domain as https://yourapplication.herokuapp.com/

"Starting October 1, 2011 Facebook will require a valid SSL Certificate for all pages and applications hosted outside of Facebook."
http://www.wpcode.net/fb-ssl.html/
Maybe you are visiting your application with http://apps.facebook.com/... and your friend is visiting with https://apps.facebook.com/....
Another possibility is that your friend has checked "Browse Facebook on a secure connection (https) whenever possible" under "Account Security".

Try ngrok. It exposes a local web server with just one command:
ngrok 80
After this you can access your localhost like this: xxxxxxxx.ngrok.com

Related

How do I get a certificate from Let's encrypt via Certbot on an AWS ec2 server I am planning on using as an email server?

I am trying to set up an email server on ec2 (mostly just for fun) that won't let me set up a certificate. I am using Let's encrypts Certbot because it was what they recommended. I am also hosting a Google site (I am using Google Domains). Issue: My Google site is using *.mysite.com and www.mysite.com, and I think that this is interfering with my attempts to get a certificate. Any feedback would be helpful.
I have opened many a browser tab looking for this answer. I do not know what to search for. As I said above, any feedback would be helpful.
I do not own the actual mysite.com domain. It is just an example. Just want to avoid any confusion. Thanks!

IdentityServer3 bearertoken ignored? if not localhost

For the past couple of years we've been developing a client/server application and it's been working well with us hosting the server and applications. I've recently started work on getting our mobile app to connect and have run into a snag.
The mobile app can login and obtain a token but when it presents that token for an API call Owin is failing to create a valid Principal.
The same API call from our desktop app (running on the same physical machine as the server) has an HttpRequestMessage "MS_OwinContext" property with the Authentication.User field populated. The same call from the mobile does not.
Yet both of them seem to be sending the same API request (different bearer token of course). Alternative can anyone tell me where I might at least start looking or how I could get information from OWIN as to what it's doing? It's also worth pointing out that the mobile app (Xamarin) shares most of its code with the desktop application.
Right now I'm staring at a black box and all I know is that 'it doesn't work'.
Okay the problem was that the server was setting Authority in the bearer options to be localhost. Audience is derived from this so when connecting using the host name validation fails.
The answer appears to therefore not use localhost as part of the authority.

not SSL addresses in PWA?

I am stuck in my PWA application as I need to access informations from a non-SSL url (http). I know that PWA has a strict requirement on this. Is there any workaround or do I simply have to give up?
You can host your PWAs in Firebase. They provision it with SSL certs. Then you can connect your domain to your firebase app. Do not give up just yet.:) there is always a way

Can i use localhost as a URL Callback in a messenger webhook

Good evening, just saw that Facebook released his messenger bot toolkit and i immediately jumped right into it to learn more about it and maybe try to do my own.
My problem is that i don't have a https website running and it requires a https valid url. I tried to use my local web-server that has a certificate but it doesn't work.
My question is if this is possible to be done using a localhost url at all.
Thank you in advance
Actually this is possible with localhost. Use ngrok. It allows you to open localhost to the public web, over http or https. This should only be used for testing however.
If you want to test webhooks on your local environment, I would try ultrahook.com, you can get an API Key for free and the tool creates a tunnel from a public URL to your computer. This is from their FAQs page:
You download and run the UltraHook client on your computer. It
connects to UltraHook servers in the cloud and creates a tunnel from a
public endpoint on our servers to your computer. Any HTTP POST
requests sent to the public end point will be sent through the tunnel
an delivered to a private endpoint accessible from your computer.
I have used it to test webhooks from different providers (like payment gateways). In your computer, you can run something like:
ultrahook <subdomain> http://localhost:8000/webhook/
and then configure the webhook URL in your external service to something like <subdomain>.ultrahook.com
My question is if this is possible to be done using a localhost url at all.
No, of course it isn’t – because what such a “callback” actually means, is that Facebook makes a request to your server – and that is hardly possible with localhost.
A valid SSL certificate for your website is easy to get for free these days, via LetsEncrypt. And even if that is not available on your server, there’s still StartSSL, that provide basic certificates for free. All you need is a server you can install them on, or upload them to, or whatever mechanism your hoster provides for it. (And if they don’t provide any, then it might be time to switch.)

Can't turn off Facebook Secure Browsing

I'm developing a Facebook canvas app. I don't have a SSL certificate so I've been using a plain http:// URL + sandbox mode for the creation and testing process.
Suddenly I realized my Facebook account turned to Secure Browsing mode and I'm unable to turn it off via Account Settings >> Security >> Secure Browsing. There is no "edit" button. None of my co-workers experienced the same problem. Their Secure Browsing option is off, editable and the app is visible. Anyone familiar with the same issue?
If you're testing your app you shouldn't really need to disable HTTPS, nor is that really a representative test if you're using HTTP but almost all your users will be using HTTPS (as is the case with Facebook)
It'd be better to get a free cert from startssl.com or similar free CAs, use OpenSSL to generate an in-house CA or self-signed certs, or accept the certificate warnings from the default cert that ships in your webserver, if any, than to disable the secure browsing option on your Facebook account for this purpose;
As for the option itself in the Facebook setting, that's somewhat off topic for here, and I'm unsure what the exact status is but I believe the option to browse Facebook insecurely is being phased out
Another option for testing is to run a test server with a separate proxy to your production environment (e.g nginx) for test purposes and log all the traffic to that server for debugging