diff --git a/src/applications/auth/provider/PhabricatorAuthProviderOAuthFacebook.php b/src/applications/auth/provider/PhabricatorAuthProviderOAuthFacebook.php
index d30215df66..607e5aff9d 100644
--- a/src/applications/auth/provider/PhabricatorAuthProviderOAuthFacebook.php
+++ b/src/applications/auth/provider/PhabricatorAuthProviderOAuthFacebook.php
@@ -3,12 +3,16 @@ final class PhabricatorAuthProviderOAuthFacebook extends PhabricatorAuthProviderOAuth { + const KEY_REQUIRE_SECURE = 'oauth:facebook:require-secure'; + public function getProviderName() { return pht('Facebook'); } protected function newOAuthAdapter() { - return new PhutilAuthAdapterOAuthFacebook(); + $secure_only = PhabricatorEnv::getEnvConfig('facebook.require-https-auth'); + return id(new PhutilAuthAdapterOAuthFacebook()) + ->setRequireSecureBrowsing($secure_only); } protected function getLoginIcon() { 
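Review bot: `newOAuthAdapter()` takes `$secure_only` from the install-wide `facebook.require-https-auth` setting, and nothing in this diff reads the new `KEY_REQUIRE_SECURE` property back, so the per-provider checkbox added in the second hunk appears to have no effect on what the adapter enforces. `readFormValuesFromProvider()` in the second hunk reads the same global setting, so the edit form would keep showing the global value whatever was saved. An administrator who ticks the box while the global setting is off would get a "turned on" transaction but, as far as these lines show, no enforcement. If this is a deliberate intermediate step, say so at the adapter: `// TODO: Read this from the provider's KEY_REQUIRE_SECURE property once it is stored; the edit-form checkbox is not enforced yet.` The class body continues outside this hunk.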
@@ -48,4 +52,76 @@ final class PhabricatorAuthProviderOAuthFacebook return !PhabricatorEnv::getEnvConfig('facebook.auth-permanent'); } + public function readFormValuesFromProvider() { + $require_secure = PhabricatorEnv::getEnvConfig( + 'facebook.require-https-auth'); + + // TODO: When we read from config, default this on for new providers. + + return parent::readFormValuesFromProvider() + array( + self::KEY_REQUIRE_SECURE => $require_secure, + ); + } + + public function readFormValuesFromRequest(AphrontRequest $request) { + return parent::readFormValuesFromRequest($request) + array( + self::KEY_REQUIRE_SECURE => $request->getBool(self::KEY_REQUIRE_SECURE), + ); + } + + public function extendEditForm( + AphrontRequest $request, + AphrontFormView $form, + array $values, + array $issues) { + + parent::extendEditForm($request, $form, $values, $issues); + + $key_require = self::KEY_REQUIRE_SECURE; + $v_require = idx($values, $key_require); + + $form + ->appendChild( + id(new AphrontFormCheckboxControl()) + ->addCheckbox( + $key_require, + $v_require, + pht( + "%s ". + "Require users to enable 'secure browsing' on Facebook in order ". + "to use Facebook to authenticate with Phabricator. This ". + "improves security by preventing an attacker from capturing ". + "an insecure Facebook session and escalating it into a ". + "Phabricator session. 
Enabling it is recommended.", + hsprintf( + '%s', + pht('Require Secure Browsing:'))))); + } + + public function renderConfigPropertyTransactionTitle( + PhabricatorAuthProviderConfigTransaction $xaction) { + + $author_phid = $xaction->getAuthorPHID(); + $old = $xaction->getOldValue(); + $new = $xaction->getNewValue(); + $key = $xaction->getMetadataValue( + PhabricatorAuthProviderConfigTransaction::PROPERTY_KEY); + + switch ($key) { + case self::KEY_REQUIRE_SECURE: + if ($new) { + return pht( + '%s turned "Require Secure Browsing" on.', + $xaction->renderHandleLink($author_phid)); + } else { + return pht( + '%s turned "Require Secure Browsing" off.', + $xaction->renderHandleLink($author_phid)); + } + } + + return parent::renderConfigPropertyTransactionTitle($xaction); + } + + }
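Review bot: In `renderConfigPropertyTransactionTitle()`, `$old` is assigned from `$xaction->getOldValue()` but never read; the wording is chosen from `$new` alone. Drop the assignment, or keep it and document the intent with `// Only the new value decides the wording.` above the `switch`. The single-case `switch` is fine if more property keys are expected, but a one-line comment saying so would make it clear why it is not a plain `if`.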