I know there are about a hundred questions of this on SO, but none of them are maybe up-to-date with what seems to be happening on facebook platform right now. It seems the switch that turns off SSL is disabled:
It may be hard to see, but the “Enforce HTTPS” toggle is greyed out and can’t be toggled. I’m all for enforcing HTTPS in production, but is everyone who is building against facebook API really setting up an SSL certificate on their local server just for this?
5
Answers
This setting requires HTTPS for OAuth Redirects, and it requires and Facebook JavaScript SDK calls that return or require an access token are only from HTTPS pages. All new apps created as of March 2018 have this setting on by default, and you should plan to migrate any existing apps to use only HTTPS URLs by October 6, 2018.
Most major cloud application hosts provide free and automatic configuration of TLS certificates for your applications. If you self-host your app or your hosting service doesn’t offer HTTPS by default, you can obtain a free certificate for your domain(s) from Let’s Encrypt.
https://developers.facebook.com/docs/facebook-login/security
You can change the App mode to Development Mode from App Dashboard:
In this mode you can only test your application with Facebook test user accounts. You can obtain the test accounts login credentials from your app dashboard.
Please note, http://localhost redirects are automatically allowed while in development mode only and do NOT need to be added in Valid OAuth Redirect URIs section.
Read more about it in this Facebook Blog.
paste this in your client json
"start": "set HTTPS=true&&react-scripts start"
,next copy and enter this in your url bar .
chrome://flags/#allow-insecure-localhost
,and set Allow invalid certificates for resources loaded from localhost to enabled
The most simple way to test your facebook login, since you cannot dissable anymore "Enforce HTTPS" option, is to use ngrok:
Im linux user. After installing it just type at your terminal:
and automaticly will be created a new https domain just for your local project. You will see an ui interface in your terminal and your secure domain will be that who starts with https://
Copy the domain and use it in developers.facebook.com in your app to see if you code is good or not.
If is good its ok keep going until you will host your project on a secure domain.
For more info and docs about ngrok.com see:
ngrok docs
2021 update: Facebook do not allow localhost over HTTP any more. You will need to get your site working locally over HTTPS for testing. This is despite their blog post and the literal Facebook developer console assuring you that they allow localhost over HTTP by default.