Here’s a short story; When I develop Facebook web apps, I do it under a password protected development site. Facebook hates this. It complains that it can’t reach urls, it can’t get meta data, it can’t do this, it can’t do that. The downside to not having a password is the fact that anybody can hit the site. (sandboxing is almost useless, these days.)
So, the quick solution: Allow Facebook to hit it, but only via their external meta data scraper.
A quick edit (well, not so quick, it was something obscure.) of my .htaccess rules, and voila! Facebook can debug and people still can’t hit it (easily)
SetEnvIf User-Agent ^facebookexternalhit.*$ Facebook=1 AuthType Basic AuthName "Art & Science DEV Server" AuthUserFile /home/dclarke/www/dev/.htpasswd Require valid-user order allow,deny Allow from env=Facebook Satisfy Any
First, set an environment variable based on if it is the Facebook user agent. Then, allow access. The key here is the ‘satisfy any’ line, which means you can get in if you have a user and password, or that environment flag is set. The downside is now you all know you can just set your user agent to Facebook and get access to my dev sites.