One important, and often overlooked, aspect of modern web development is Open Graph tags. You know, those meta tags with weird attributes that break your page validation? That’s a whole other topic though.
Today, I want to talk about the Facebook Object Debugger, and giving it access to an HTTP Auth-protected environment, such as a staging or pre-launch production site. This is Apache-specific, so nginx fans will have to look elsewhere.
Assume you have this setup in your Apache config or .htaccess:

    AuthUserFile /var/www/staging/.htpasswd
    AuthType Basic
    AuthName "Secure Area"
    Require valid-user

The easiest way that I’ve found to make this work is to accept based on user agent. I originally tried allowing it based on IP address, but the debugger uses many IP addresses, and after I had added a half dozen I gave up and switched to user agent.
Be aware that, because of this, it’s quite easy for someone to fake their UA and gain access, so I recommend only using this code while you actively use the debugger, and turning it off afterwards. This also prevents leaks if someone pastes the URL into an actual Facebook comment.
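
    AuthUserFile /var/www/staging/.htpasswd
    AuthType Basic
    AuthName "Secure Area"
    Require valid-user

    # Allow from Facebook
    # Order/Allow/Satisfy are Apache 2.2 directives (mod_access_compat on 2.4)
    SetEnvIfNoCase User-Agent facebookexternalhit.* facebook
    Order allow,deny
    Allow from env=facebook
    # Satisfy Any: passing either the Allow rule or the password check is enough
    Satisfy Any
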
Check out this page at AskApache for a nice guide to SetEnvIfNoCase.
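
Since the bypass is meant to be switched off after each debugging session, here is a small audit that flags a config or .htaccess file where it is still active. This is an added example, not code from the original post; `find_ua_bypass` and `SAMPLE_BYPASS` are names made up for it. It goes slightly beyond the post by also flagging the Apache 2.4 `Require env` form, and it assumes the directives sit in one context (it does not track `<RequireAll>` or other containers).

```python
import shlex

# Constructed sample: the bypass block from the post as it would sit in .htaccess.
SAMPLE_BYPASS = """\
AuthUserFile /var/www/staging/.htpasswd
AuthType Basic
AuthName "Secure Area"
Require valid-user
# Allow from Facebook
SetEnvIfNoCase User-Agent facebookexternalhit.* facebook
Order allow,deny
Allow from env=facebook
Satisfy Any
"""

def find_ua_bypass(config_text):
    """Return (env_var, ua_pattern, setenv_line, grant_line) for each place
    where access is granted on a variable that was set from the User-Agent."""
    ua_vars, grants, satisfy_any = {}, [], False
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tok = shlex.split(line, posix=False)  # keeps regex backslashes intact
        except ValueError:                        # unbalanced quote in a pattern
            tok = line.split()
        low = [t.lower() for t in tok]
        if low[0] in ("setenvif", "setenvifnocase") and low[1:2] == ["user-agent"]:
            for var in tok[3:]:
                if not var.startswith("!"):       # "!var" unsets, it grants nothing
                    ua_vars[var.split("=")[0]] = (lineno, tok[2])
        elif low[:2] == ["allow", "from"]:
            # 2.2 syntax: only skips the password when Satisfy Any is also set
            grants += [(lineno, t[4:], True) for t in tok[2:]
                       if t.lower().startswith("env=")]
        elif low[:2] == ["require", "env"]:
            # 2.4 syntax: sibling Require lines are OR-ed by default
            grants += [(lineno, t, False) for t in tok[2:]]
        elif low[:2] == ["satisfy", "any"]:
            satisfy_any = True
    return [(var, ua_vars[var][1], ua_vars[var][0], lineno)
            for lineno, var, needs_satisfy in grants
            if var in ua_vars and (satisfy_any or not needs_satisfy)]

if __name__ == "__main__":
    for var, pattern, set_line, grant_line in find_ua_bypass(SAMPLE_BYPASS):
        print(f"line {grant_line}: access granted on env '{var}', "
              f"set at line {set_line} from User-Agent /{pattern}/")
```

An empty result means no User-Agent-based grant was found in that file; it says nothing about rules inherited from a parent directory or the main server config.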