How to Enable Facebook White Hat Researcher Setting

Facebook has implemented a white hat security testing setting that allows its users to test the security of various Facebook services.


Facebook will knowingly break its Certificate Pinning mechanism for users that enable the white hat settings. Pinning is used to strengthen the security of a website that uses SSL: rather than accepting any certificate chaining to a trusted CA, the client allows or rejects a connection by checking for a specific cryptographic identity (the pinned certificate or public key). SSL Certificate Pinning techniques are often used to defend against sniffing attacks.
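The check described above, as an added example that is not code from this page or from Facebook: a Python model of public-key (SPKI) pinning with a "white hat" bypass that tolerates an unpinned key but records the bypass. The certificate bytes are constructed inline, and the function names and the `whitehat`/`audit` parameters are assumptions of this example.

```python
import base64
import hashlib
SEQUENCE, INTEGER, BIT_STRING, OID, EXPLICIT_0 = 0x30, 0x02, 0x03, 0x06, 0xA0
EC_PUBKEY_OID = b"\x2a\x86\x48\xce\x3d\x02\x01"           # 1.2.840.10045.2.1
SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11

def der(tag, payload):
    """Short-form DER TLV encoder; enough for the constructed sample below (< 128 bytes)."""
    assert len(payload) < 0x80
    return bytes([tag, len(payload)]) + payload

def der_children(blob):
    """Yield (tag, value, raw_tlv) for each TLV laid end to end in blob (long-form lengths ok)."""
    i = 0
    while i < len(blob):
        start, tag, n, i = i, blob[i], blob[i + 1], i + 2
        if n & 0x80:
            k = n & 0x7F
            n, i = int.from_bytes(blob[i:i + k], "big"), i + k
        yield tag, blob[i:i + n], blob[start:i + n]
        i += n

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 Certificate (RFC 5280 field order)."""
    _, body, _ = next(der_children(cert_der))   # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs, _ = next(der_children(body))
    fields = list(der_children(tbs))
    if fields[0][0] == EXPLICIT_0:              # optional [0] version comes first
        fields = fields[1:]
    return fields[5][2]                         # serial, sigAlg, issuer, validity, subject, SPKI

def spki_pin(cert_der):
    """Pin in the form used by HPKP and Android network security config: base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def pin_check(cert_der, pins, whitehat=False, audit=None):
    """Accept only a pinned key; whitehat=True models the researcher setting: an unpinned key
    (e.g. one issued by a user-installed CA) is tolerated, but the bypass is recorded."""
    pin = spki_pin(cert_der)
    if pin in pins:
        return True
    if whitehat and audit is not None:
        audit.append("pinning bypassed for unpinned key " + pin)
    return whitehat

def build_cert(pubkey_bytes):
    """Constructed sample: structurally minimal Certificate around an EC SPKI; unsigned, untrusted."""
    spki = der(SEQUENCE, der(SEQUENCE, der(OID, EC_PUBKEY_OID)) + der(BIT_STRING, b"\x00" + pubkey_bytes))
    tbs = der(SEQUENCE, der(EXPLICIT_0, der(INTEGER, b"\x02")) + der(INTEGER, b"\x01")
              + der(SEQUENCE, der(OID, SHA256_RSA_OID)) + der(SEQUENCE, b"") * 3 + spki)  # empty issuer/validity/subject
    return der(SEQUENCE, tbs + der(SEQUENCE, der(OID, SHA256_RSA_OID)) + der(BIT_STRING, b"\x00"))
```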


Whitehat Settings can be enabled from Facebook's main app; however, the Facebook Messenger instant messaging client and the Instagram app are only supported on Android.


Facebook White Hat settings include a built-in proxy that can be used for API interactions. They also include a feature that disables TLS 1.3 support.


To enable the Facebook White Hat researcher settings, follow the URL below.


[Image: Facebook White Hat Researcher settings]


Once white hat researcher settings are enabled, a Whitehat Settings button will appear in each of the selected applications.

From the white hat researcher settings, you can enable user-installed CAs for your Facebook account and your Facebook white hat test account.


Facebook Android App White Hat Settings can be found under Settings & Privacy.


Facebook Messenger App White Hat Settings can be found by tapping your profile picture and scrolling down to Internal.


[Image: Facebook Messenger]


It's easy to turn White Hat Researcher settings off, and best practice is to do so whenever you are not testing Facebook applications.


Further instructions can be found on the Facebook Help Page.