social media how toHeads up, page admins! As of October 1st, Facebook announced that any iFrame page tabs not hosted on a secure server under HTTPS will not be displayed to users browsing under HTTPS. This article will tell you what you need to do.

According to Facebook’s Cat Lee, “The content will not be accessible for users with secure browsing turned on. There will be a page that states something close to: This app does not support secure browsing.”

To help page admins locate a budget-friendly and secure hosting solution for their page tabs, I did some digging and located some great hosting companies offering low-cost secure hosting solutions.

There are certainly others, and I have provided some guidelines for making the right hosting choice. I have also laid out some of the basics of hosting and security certificates.

Facebook and Secure Browsing (HTTPS)

In February, Facebook introduced the “Secure Browsing (HTTPS)” option. Since then, when browsing under HTTPS, any page tab content not hosted securely displays a popup with a warning that the page is not secure. Users have to click on the popup before viewing the tab content.

Page tab creators had the option of providing a “Secure Page URL” to display to HTTPS users. As of October 1, a secure URL is mandatory, and page tabs not hosted securely will no longer be displayed to users browsing under HTTPS.

What Is Secure Browsing (HTTPS) and How Do I Get It?

When a web page is hosted on a server enabled with the SSL (Secure Socket Layer) protocol via a security certificate, content sent between a user’s browser and the server hosting the secure web page is encrypted, and no one can intercept confidential information such as credit card numbers, Social Security numbers or any other information you type into your browser.

All web hosting companies offer security certificates in most of their hosting plans, either a shared SLL certificate, where all sites on a single shared server are sharing a certificate, or a private SSL certificate, available to websites with a unique IP (web address). For Facebook page admins, the shared SSL is a low-cost and workable choice.

Shared SSL Versus Private SSL

If all you need is an affordable option for hosting your page tab’s “index” page (the iFramed page you host yourself), you can consider plans that offer shared SSL on a shared server, which is the cheapest option. Although not a good choice for an e-commerce site, shared SSL is fine for meeting Facebook’s requirement for a securely hosted page. Beware file size restrictions on shared SSL!

In researching this article, I did notice that BlueHost and HostMonster (both owned by the same parent entity) put a file size restriction of 100KB for each embedded file on your page (images, audio, video, etc.) which would be far too restrictive for most iFrame page tabs. But I didn’t see this shared SSL restriction anywhere else.

Some Popular Web Hosts That Offer Low-cost Secure Hosting

The following hosting companies all offer low-cost hosting, and most include a shared SSL option. I did some informal polling on the HyperArts fan page and the following companies stood out.

Note:Bandwidth” is the total amount of data transferred from the server each month and this number increases as your website is accessed more often; “disk space” is the total amount of storage space that is provided for the files associated with your site, including log files and MySQL databases (but not email).

dreamhostDreamHost has been around for years and is generally well-regarded. However, DreamHost doesn’t offer shared SSL, and their phone support, which costs extra, is minimal.

  • Minimum for secure hosting: $14.15/mo. (hosting: $8.95/mo. + private SSL: $1.25/mo. + unique IP: $3.95/mo.)
  • Bandwidth and disk space: unlimited
  • Support: 24/7/365 email support (response within 24 hours), premium support (3 phone callbacks/mo. + unlimited live chat) add $9.95/mo.
  • Hosting Plan Comparison

bluehostBlueHost offers a full array of budget hosting options. Although they offer shared SSL, there is a file size limit on each page of 100KB per included file, and BlueHost warns that “any embedded data (images, audio clips, etc.) larger than 100KB will be truncated.” So this limitation may not work for you.

  • Minimum for secure hosting: $5.95/mo. (with shared SSL)
  • Minimum for private SSL: $12.20/mo. (hosting: $5.95 + private SSL: $3.75/mo. + unique IP: $2.50/mo.)
  • Bandwidth and disk space: unlimited
  • Phone support: 24/7/365
  • Hosting Plan Comparison

hostgatorHostGator is a popular budget hosting company in Texas that’s been around since 2002. They offer several very low-cost hosting plans, including the “Hatchling” plan beginning at $3.96/mo. and the “Baby” plan for $6.36/mo.

  • Minimum for secure hosting: $3.96/mo. (with shared SSL)
  • Business Plan (includes unique IP + private SSL): $10.36/mo.
  • Bandwidth and disk space: unlimited
  • Phone support: 24/7/365
  • Hosting Plan Comparison

lunarpagesLunarpages, although it seems more geared to business-level hosting, does offer a “basic” low-cost hosting package, but no shared SSL.

  • Minimum for secure hosting: $18.15/mo. (hosting: $4.95/mo. + private SSL: $8.25/mo. + unique IP: $4.95/mo.)
  • Bandwidth and disk space: unlimited
  • Phone support: Mon-Fri 7am-7pm PST; Sat-Sun 7am-3:30pm PST
  • Email support: 24/7/365
  • Hosting Plan Comparison

inmotionInMotion Hosting is another popular hosting company that offers the full range of hosting services, including budget packages.

  • Minimum for secure hosting: $5.95/mo. (with shared SSL)
  • Bandwidth and disk space: unlimited
  • Phone support: 24/7/365
  • Hosting Plan Comparison

godaddyAlthough GoDaddy states that its primary business is domain registration, they have also become a popular hosting company, offering the full range of hosting options. Although I tend to like hosting companies whose primary business is hosting, GoDaddy seems to have a pretty good reputation. However, they do not offer a shared SSL plan.

  • Minimum for secure hosting: $14.99/mo. (unique IP + private SSL)
  • Bandwidth: unlimited
  • Disk space: 150GB
  • Phone support: 24/7/365
  • Plan Comparison

hostmonsterHostMonster, located in Utah, has been around since 1996. It appears that HostMonster and BlueHost are owned by same entity, although their prices and offerings differ. Like BlueHost, HostMonster offers shared SSL but has the 100KB file size limitation, which may be a non-starter for those considering this company. They offer just one hosting plan, with optional upgrades and add-ons.

  • Minimum for secure hosting: $5.95/mo. (with shared SSL)
  • Minimum for private SSL: $12.20/mo. (unique IP: + $2.50/mo. + private SSL: $3.75/mo.)
  • Bandwidth and disk space: unlimited
  • Hosting Features

What to Consider When Selecting a Hosting Company

When choosing a hosting company, the devil’s in the details. Here are some things you should consider:

  • How many domains can be hosted under the account? This can range from one to unlimited
  • Does the hosting include free domain registration? Many hosting companies are also registrars and offer a free domain registration when you sign up
  • Does the hosting company offer 24/7/365 phone support? Most, if not all, will offer 24/7/365 email support, but I’m much more comfortable if I can get someone on the phone when my site goes down
  • What are the restrictions on bandwidth and disk space? These days, many plans offer unlimited bandwidth and disk space, or at least very large limits
  • How do different plans compare? For each host, go to their plan comparison page and study it carefully
  • Web host review sites: There are many from which to choose. Web Hosting Geeks is a good one, but there are many others

For more about Facebook Secure Browsing (HTTPS), check out my earlier article on the HyperArts blog.

I would love to respond to any questions or comments you have. Please respond in the comments box below.

Tags: , , , , , , , , , , , , , , , , ,

Get Social Media Examiner’s Future Articles in Your Inbox!

Join 465,000+ of your peers! Get our latest articles delivered to your email inbox and get the FREE Social Media Marketing Industry Report (56 pages, 90 charts)!

More info...
  • Thanks for the info Tim. Wondering what your thoughts are on how this change will affect the older FBML style welcome pages? There are still many of those out there.

  • Hi Kathy,

    This change shouldn’t affect custom page tabs created with the now-deprecated Static FBML app at all. (However, it WILL affect FBML applications — see below!) Content for Static FBML custom tabs is copied to Facebook’s own servers, whereas iFrame page tabs and application canvas pages are hosted external to Facebook’s servers, thus the security requirement.

    However, I would still convert your Static FBML tabs to iFrame tabs sooner rather than later, before Facebook finally pulls the plug on them.

    You might read my detailed article on SSL secure hosting and Facebook page tabs on the HyperArts blog.


  • Pingback: Oct 1: Facebook to Require Secure HTTPS Hosting – What to Know | HyperArts()

  • The same thing came to my mind also, being a developer for FBML applications I once thought it can be a little complicated & this might effect the Face Book applications.

  • Well, it’s a different story for FBML *applications* …. You should read this Facebook Developer Blog article on how this affects FBML apps and what they recommend, which is basically:

    “FBML developers still need to know whether users are browsing Facebook over a secure connection since they need to detect whether to serve iframe or video content over HTTPS. As a result, FBML apps must obtain SSL certificates in order to serve this type of content to users browsing over a secure connection. If you have an FBML app, please obtain an SSL certificate for your app to receive traffic from users browsing Facebook over a secure connection.”

    There’s also a detailed HTTPS article on the HyperArts Blog.

  • Good to know. Looks like I might have to make some changes in the very near future. Thanks for the heads-up Tim and instructions.

  • Thank you Tim. Great info!

  • risefromyourgrave

    Tim, can I post at my personal site, translating it to Portuguese, and giving the proper credits?

  • This would be up to the Social Media Examiner, not me. So you should check with them.

  • Hey Tim, thanks so much for the info! I noticed in your post How to Prepare for Facebook’s Secure Hosting HTTPS Requirement you said the following:
    “IMPORTANT: If you’re using a tab-creation app like TabPress, Static HTML or Lujure, you don’t have to worry about any of this. Those and the other apps like them should have already taken care of this. I know the above-mentioned have.”I use Static HTML, so I’m hoping I don’t have to do anything! 🙂 But on the Static HTML FB page, I noticed this discussion which took place yesterday. In it, Tim said:

    “We are providing SSL image hosting & an image-manager accessible within the app by Oct. 1st – Currently our app has SSL & hosts text/code specifically.
    – To host images and videos for free with SSL check out, and of course 
    – After Oct. 1st, pages will need all SSL hosted content for users to see the page without having to click “View in HTTP” 
    – In a nutshell, if you don’t have all SSL hosted content, users will have to click an extra button to view your page. ”
    I’m thinking I’m missing something here. Do I need to do something or maybe I don’t?

    Thanks, Tim!

  • Dari0

    Thanks for the info, Tim! Any word on what will happen to landing pages with content hosted by apps like Wildfire, Involver, TabPress, etc.? These usually just provide you with an HTML field for your content. 

  • Hi Dario, As I mention in my article on the HyperArts Blog, iFrame page tab apps like Wildfire, TabPress, Static HTML, etc.. should be fine. They are responsible for conforming their apps to the HTTPS requirement and the ones I’m aware of have. I certainly know that TabPress has!

    HOWEVER, also make sure that any files you include in your TabPress or other app are called with the “https” protocol, and NOT “http”:


  • Great information! We use Godaddy with some of our clients and really like them. Their customer service has been great!

  • Hi Amy. If you use TabPress or Static HTML or any other page-tab app, any images or files you “call” into the page will have to be hosted securely and referenced with “https” and not “http”. Examples:

    Where “your-image.jpg” and “style.css” are hosted on a secure server.

    I’ve written about using Amazon’s S3 cloud service, which is very inexpensive, for assets you incorporate on page tabs.

    And you can check with your own hosting company to see if they offer Shared SSL.

    So what I meant is that the actual secure hosting of the index page for iFrame tabs created with apps like TabPress is already taken care of. BUT any assets pulled into those pages also have to be hosted securely and called with the “https” protocol.

  • Ah, gotcha. Yes, that makes sense. Thanks!

  • Pingback: How to Move Your Facebook Tabs to Secure Hosting Required by Facebook |

  • Hi Tim – we just launched our Facebook Pages Publishing Platform that has SSL security from the get go for Facebook Page owners.  You get your hosting, SSL, the Facebook app, fan gate etc – and we did it all on WordPress.

  • Hi Tim, thanks for the info. I currently have many clients still on the old FBML custom landing pages and I will take your recommendation to move them to iframes sooner rather than later. Thanks for that. As a precautionary measure in the meantime, I have uploaded the images used on those pages to my secure site just in case.

    I also have several clients who have custom landing pages using the iframe app and I installed their files on my secure site to meet Facebook’s requirement. I need to be clear on one thing however. On these pages, we have outbound links to the client’s website. Since the client’s site is not secure, I need to be sure there will be no ‘error’  when people attempt to access them. I believe this is a browser issue not a Facebook issue, correct?

    Finally, if I can offer some feedback on the hosting companies you have listed, I have most of my clients on Hostgator. They have fantastic customer support, are reasonably priced and are also GREEN. For anyone who is eco-minded, this hosting company is a great choice.

  • Deb

    What about embedding YouTube videos, since YouTube isn’t secure? Even using Involver, my YT videos have disappeared.

  • careymsd

    Thanks Tim for your simple and informative explanation. So my question is would you need to gather all your past images and move them to a secure host and then repost? Also can you put your images into say Flickr or a Google site and link from there?


  • Deb

    Nevermind. My videos are showing up now. Must have been a glitch.

  • DonnaGilliland


    You did an OUTSTANDING job writing this article. Wonderful, concise and helpful information. My goodness Tim, did you stay up all night on this one. This is a great deal of research. 


  • You can also get a free shared SSL certificate from Social Server.  I’ve been testing it and it seems to work great.

  • Hyperlinks from an iFrame page tab to external sites can be plain “http” and that won’t be an issue. The issue arises when a secure page contains content that has been incorporated with an <img> tag or <link> tag, etc.

    But outbound links aren’t affected.

  • This HTTPS requirement definitely pertains to embedded YouTube videos, and I believe YouTube does support “https” for embedding its videos.

  • @GimmeABoost

    We’ve used HostGator for years and wholeheartedly recommend them to all our clients. Can’t beat 24/7 chat tech support!

  • You have to have your images hosted on a secure server and call them into your page tab using “https”. As long as where they’re hosted supports “https” you’re good.

  • Thanks Donna! Yes, these articles do take a fair amount of time to research and write. I appreciate your appreciation!

  • Tara Husband

    I have been using Tabsite for months and when I build with them my information is secure.  Tabsite posted once again today that they have been secure for months.  Whenever I have built from scratch a Facebook welcome page they didn’t last or work on every browser or there was some kind of trouble.  Facebook has been heading in this direction for awhile.  

    If you are using a platform like Tabsite to build a site, there is a great chance the welcome pages are already secure.

    Tara Husband

    P.S.  It would be very helpful if Facebook would handout a list of changes and Best Practices.  Oct. 1st is a very quick deadline.

  • Perfect Tim, thanks 🙂

  • Deb

    Hi Tim, Yes, it does. When you go to embed a YouTube video on your page, under the embed code there’s an option “use HTTPS”. That works! Thanks for your reply.

  • Reggie

    Great post Tim,

    I’m seeking hosting, but won’t be ready to launch until after Oct. 1st so this was timely.

    Anyway, has anyone had any experience “Host The Name” web hosting? 

    I just got off a chat after reading this post.  According to them they offer both shared and private SSLs, but I had not even heard of them before   a mention of them on the Warrior Forum.

  • Pingback: Yes we do have https – secure your iframed content on Facebook | Pholiofy()

  • Thanks Tara. Yes, all such tab-creation apps have been secure since Facebook began to again support iframes and instituted the HTTPS requirement which up to now has displayed insecure content after a user who’s browsing under HTTPS clicks through the warning pop up.

    The closest Facebook comes to “a list of changes” is the Developer Roadmap and the Developer Blog.

    As for the best practices, that’s what I and a gazillion other bloggers write about 🙂

  • As for finding a reliable hosting company, MAKE SURE you do your due diligence and select a company that’s been around for a while, gotten good reviews, etc.

    The latest horror story is Hosting Revolution, a hosting company with lots of customers that totally disappeared, and the customers lost everything. You can read this sad tale here.

  • A.

    Where do you get the actual code info if you built your iframe tabs in Shortstack? Its not like I have html pages for these tabs, they are all created with their program and images I insert. I have no idea how to save these. Help!

  • Susan

    I will just say that Facebook giving us like 1 day to make a switch is truly insane! There is no way I can tackle this so quickly. Very wrong to spring it on us. – Susan

  • Jelle Kaldenbach

    I used the hostgator option for this, their support is awesome! It’s like the best hosting company out there for me :).

    There’s also a free way to do this, by using the shared SSL from hostgator: go to their support for more info about this!

  • Tim – does any of this apply to regular status posts that link to your website — not using an app — just regular posts pulling in your website blog posts.

  • Pingback: facebook for business changes, facebook updates | Quality Worldwide Online Development | eCommerce | Volusion updates management and design()

  • Pingback: How to Move Your Facebook Tabs to Secure Hosting Required by Facebook | Social Media Examiner – VAVAVoomph()

  • Pingback: K E E E O – WEB 2.0 HUB » How to Move Your Facebook Tabs to Secure Hosting Required by …()

  • Hi Tim, does this mean that any links inside an app like Wildfire or Static HTML (ie. links to our website) have to have the https in front of them? Am just trying to get my head around the technicalities. cheers, Cas.

  • Pingback: Moving Your Facebook Fan Page Tabs to Secure Hosting - | Adventures in Blogging()

  • shirleywilsonsocial

    So if I have installed an ssl certificate on my own web site and are hosting my fan page files/images there I’m good right?

  • Jelle Kaldenbach

    Yep! Then you’re fine :). You will need to fill in the “Secure Canvas URL” at the application-page. When you don’t know what that means, reply and I’ll help you out ^_^

  • Excellent overview Tim!

    We’ve have our SSL in place at iLocal Search for a few months now. It was nice and easy with HostGator and we’re very clued up on SSL ourselves too. 🙂

  • shirleywilsonsocial

    Hi, thanks so much for your response. So I’m using static html and I don’t see a field to fill in for Secure Canvas URL. I’m just including the https in the img link. Can you help me out with the “secure canvas url” you suggested? Thanks again for the great article. 

  • Yes, or just read about it in this post, above. I included Hostgator and their Shared SSL offering with a link to their hosting plans. But thanks for the backup, Bedrijf!

  • No, Phyllis, it doesn’t apply at all to status posts.

  • No, you don’t have to use the “https” protocol for outbound links. If the site you’re linking to isn’t hosted with an SSL certificate, the link wouldn’t work.

  • Hi Shirley. Yes, you’re good. Just make sure any other content called into your tab’s page — JavaScript, CSS, images, embedded video — uses “https” and not “http”.

    For more details on the HTTPS requirement, you can read my article on the HyperArts Blog.

  • Shirley, if you’re using the Static HTML app, then you don’t have to worry about “Secure Canvas URL”. That’s a setting when you, as a Facebook developer, create your own tab. Apps like TabPress and Static HTML have taken care of the HTTPS requirement for the tab itself.

    However, as I mention above, you have to make sure that images and video you embed use the “https” protocol:

    When embedding YouTube videos, make sure to tick the “Use HTTPS” option after clicking the Embed button. YouTube provides detailed instructions on HTTPS and embedded videos.

  • Hi Susan. Actually, Facebook announced the October 1 deadline for secure tabs back in early May and kept it in front of developers on the Developer Roadmap.

    To avoid being surprised by Facebook changes, you might want to subscribe to the Developer Blog and also keep an eye on  the Developer Roadmap, where Facebook keeps us informed of upcoming changes and new features.

    And, of course, subscribe to the Social Media Examiner and the HyperArts Blog!

    Also, the HyperArts Fan Page is a great place to keep up to date on Facebook changes and get help from the community of users there.

    And the Social Media Examiner Fan Page is another great resource for real-time Facebook news.

  • Awesome post Tim, thanks

  • shirleywilsonsocial

    Thanks so much! Will do!

  • Pingback: Something for the Weekend: 1st October 2011 | Secret Women's Business Network()

  • Jichel Stewart

    Actually your article is timely.   I spent a considerable amount of time searching FB for an iFrames app I had posted.  Ironically the same client site needed an SSL Certificate for her shopping cart so I was able to purchase, through GoDaddy under a shared plan….They are a bit pricier and even the single plan has increased by $20 over the past months, but the shared plans cover SSL’s for up to 5 domains.

  • Hi Tim, thank you for this.  I admin several pages.  Will your info be discussed during the Social Media Summit?  I need a bit of help to make sure I’ve got this right, thank you!

  • I wrote about this earlier last week ( and the one thing you seemed to leave out was the requirement for the use of the signed_request parameter and the use of OAuth2.0, which are important to note for folks who may have created their own app to feature their page.  My understanding was that all of these features had to be in place in order to be compliant with the 10/1 change.

  •  SO Tim how you cope with such issue?

  • Thanks for pointing out the OAuth 2.0 and signed_request issue. I’m aware of that, Mike, but for this article I was focusing on the HTTPS as it affects page-tab creators rather than application developers.

    Developers can read about the changes that affect them here.

  • Tony

    Hi Tim,

    That you for this very informative article.  I am a bit of a newbie to all this language and Im hoping you can clear up something for me.  If I was to use an app like pagemode which already charges a fee to ahve multiple tabs, do I then have to pay extra to have it hosted somewhere or would that be included in the price?  Any help would be much appreciated.

    Many thanks,


  • LET THE BUYER BEWARE. I would NEVER recommend something like that link promises. Particularly to save a few bucks a month, and RISK having your SSL certificate disappear when this guy’s One In A Life Offer gets shut down. Sleezy.

  • Thank you.

  • Pingback: Mashup: Things You Need to Know About Facebook()

  • Pingback: An overview of the latest facebook changes for business pages | Support A WAHP()

  • Pingback: The Source » October 2011: Trendwatch()

  • Pingback: Facebook Changes Explained And How They Affect Business Marketing (Part 2) | Social Media Marketing Company | Training, Consultant, Services()

  • Jonathan Elano

    In continuing my review of what you said, it seems that in using the shared certificate, you will somehow need to clone your WP installation and somehow recreate it as a new installation with your original URL now that the original installation will use the “funky” secure url for Facebook needs.

  • David

    I know this is probably a dumb question, but I was informed of a message saying that my FB fans/visitors would no longer be able to use 3 of my apps that haven’t been updated to secure browsing (Photos, Discussion Boards, and Static FBML apps). My question is, is that since I am not the developer of these apps, will they automatically update to the secure browsing (https), will this change affect what my users can view and how I should do this if it will block my users from those apps?

  • Pingback: Facebook: How Can You Keep Hitting the Proverbial Moving Target? | social media services()

  • Pingback: 5 Require Hosting Sites | Best Hosting Companies()

  • Pingback: Blog Hosting Review » 10 Hosting Required Sites()

  • Pingback: How to Create a Facebook App for your Timeline Page Tab | HyperArts()

  • Pingback: When Facebook Users Opt for Secure Browsing, What Do They See on Non-Secure Page Tabs? | HyperArts()

  • Pingback: Facebook Business Marketing Links, 10-7-11()