jmhobbs

Let the Facebook Object Debugger Into Staging

One often important, and often overlooked, aspect of modern web development is Open Graph tags. You know, those meta tags with weird attributes that break your page validation? That's a whole other topic though.

Today, I want to talk about the Facebook Object Debugger, and giving it access to an HTTP Auth-protected environment, such as a staging or pre-launch production site. This is Apache-specific, so nginx fans will have to look elsewhere.

Assume you have this setup in your Apache config or .htaccess:

AuthUserFile /var/www/staging/.htpasswd
AuthType Basic
AuthName "Secure Area"
Require valid-user

The easiest way that I've found to make this work is to accept based on user agent. I originally tried allowing it based on IP address, but the debugger uses many IP addresses, and after I had added a half dozen I gave up and switched to user agent.

Be aware that, because of this, it's quite easy for someone to fake their UA and gain access, so I recommend only using this code while you actively use the debugger, and turning it off afterwards. Turning it off also prevents leaks if someone pastes the URL into an actual Facebook comment.

AuthUserFile /var/www/staging/.htpasswd
AuthType Basic
AuthName "Secure Area"
Require valid-user

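# Allow from Facebook: set the env var "facebook" on any request whose
# User-Agent contains "facebookexternalhit" (case-insensitive)
SetEnvIfNoCase User-Agent facebookexternalhit.* facebook
# Host-based access: deny by default, allow only the flagged requests
# (Order/Allow/Satisfy are 2.2-style; Apache 2.4 needs mod_access_compat)
Order allow,deny
Allow from env=facebook
# Let a request in if it passes EITHER the host check OR HTTP auth
Satisfy Any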

Pretty easy!

Check out this page at AskApache for a nice guide to SetEnvIfNoCase.
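Because the exemption trusts a header the client controls, it is worth checking the access log for who actually came in through it while it was switched on. The script below is an added example, not part of the original post: it assumes Apache's "combined" LogFormat, and the function name `bypass_hits` and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" LogFormat:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# Same unanchored, case-insensitive match the SetEnvIfNoCase rule performs.
BYPASS_UA = re.compile(r"facebookexternalhit", re.IGNORECASE)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "GET /launch HTTP/1.1" 200 5120 '
    '"-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"',
    '198.51.100.7 - alice [01/Jan/2024:10:00:09 +0000] "GET /launch HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0"',
    '198.51.100.23 - - [01/Jan/2024:10:02:30 +0000] "GET /drafts/pricing HTTP/1.1" 200 900 '
    '"-" "FacebookExternalHit/1.1"',
    '192.0.2.55 - - [01/Jan/2024:10:03:12 +0000] "GET /launch HTTP/1.1" 401 381 '
    '"-" "Mozilla/5.0"',
]

def bypass_hits(lines):
    """Return {client_ip: [(status, path), ...]} for requests let in by the UA rule.

    A request used the exemption when it carried the matching User-Agent,
    logged no authenticated user ("-"), and was not answered with 401.
    """
    hits = defaultdict(list)
    for line in lines:
        m = COMBINED.match(line.strip())
        if m is None:
            continue  # not a combined-format line
        if m["user"] == "-" and m["status"] != "401" and BYPASS_UA.search(m["ua"]):
            hits[m["host"]].append((int(m["status"]), m["path"]))
    return dict(hits)

if __name__ == "__main__":
    for ip, requests in sorted(bypass_hits(SAMPLE_LOG).items()):
        print(ip, requests)
```

Any path in the output that you did not submit to the debugger yourself is a sign the exemption was left on too long.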