Providing your Facebook App supports HTTPS / SSL, you may prefer to force all users to use a secure connection – especially if you plan to deal with sensitive information such as credit card numbers, personal details etc.
Luckily, JavaScript offers a easy method for detecting non-secure connections and then forcing them to use a secure connection instead. The solution works by checking what connection the user is using. On a non-secure connection (i.e. HTTP), the JavaScript code will redirect the parent frame (i.e. Facebook) to the secure version of the app, forcing the iFrame to load securely too.
The solution is:
<script type="text/javascript"> if ( window.location.protocol == 'http:' ) { window.top.location = 'https://www.facebook.com/yourapp'; } </script>