Enforcing HTTPS for all outgoing requests made by the HubSpot platform


#1

What’s happening?

HubSpot has multiple systems that can make outgoing requests to your integration, such as webhooks for getting notifications of updates in HubSpot, or CRM extensions which fetch data from your app to be displayed inside HubSpot. Currently, these requests allow for the specified request URL to use HTTP, and do not force the URL to use HTTPS. These requests can contain sensitive information, such as property values for records in HubSpot, and any URLs using HTTP would mean this data is being sent unencrypted. In order to make sure that HubSpot data is being sent securely, we’re going to start requiring that all outgoing URLs use HTTPS.

What’s changing?

Starting immediately, we’ll be requiring all new URLs to use HTTPS. Existing URLs will continue to function until December 4th, at which point we’ll be disabling any subscriptions that are still using HTTP. If your integration uses any of the systems mentioned below, we strongly recommend that you make sure that your systems support HTTPS requests, and that all of your subscription and fetch URLs are set to HTTPS before December 4th.

What systems are affected?

The following systems will be affected by this update:

Please let us know if you have any questions by replying below.
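
A pre-deadline check for the recommendation in the announcement above, as an added example that is not HubSpot's code: it audits an inventory of subscription and fetch URLs and proposes an HTTPS rewrite only where one can be inferred safely. The inventory names, the URLs and the status labels are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample inventory; names and URLs are hypothetical.
SAMPLE_TARGETS = {
    "webhook: contact updates": "https://app.example.com/hubspot/webhook",
    "webhook: deal updates": "http://app.example.com/hubspot/deals",
    "crm extension fetch": "HTTP://app.example.com:80/crm/fetch?src=hs",
    "legacy fetch": "http://app.example.com:8080/fetch",
    "dev tunnel": "https://d1e4f9ed.ngrok.io/hook",
    "missing scheme": "app.example.com/hook",
}


def audit_target(url):
    """Return (status, suggested_https_url_or_None) for one target URL."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return ("invalid", None)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ("invalid", None)
    if parts.scheme == "https":
        return ("ok", None)
    if port not in (None, 80):
        # A custom HTTP port says nothing about where TLS is served,
        # so this one needs a manual fix rather than a guessed rewrite.
        return ("http-custom-port", None)
    # Drop an explicit :80 so the rewrite does not point TLS at port 80.
    netloc = parts.netloc.rsplit(":", 1)[0] if port == 80 else parts.netloc
    fixed = urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    return ("http", fixed)


def needs_action(targets):
    """Sorted names of targets that are not already HTTPS."""
    return sorted(n for n, u in targets.items() if audit_target(u)[0] != "ok")


if __name__ == "__main__":
    for name, url in SAMPLE_TARGETS.items():
        status, fixed = audit_target(url)
        print(f"{status:17} {name}: {url}" + (f" -> {fixed}" if fixed else ""))
```

A suggested rewrite is only a candidate: confirm that the endpoint actually answers over HTTPS with a valid certificate before updating the subscription.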


#2

Will the requirement be enforced for test apps as well?


#4

I also have a problem with this. We use ngrok to test our webhooks between our test portal and the local / dev environment of our application.
It won't work with https as we can't have a certificate.
I don't see any solution to this, and I'm sad.

I would rather have a big button asking me if I really want to use http (with the explanation above), and let the user decide if they want to accept the risks. Then it's the user's problem, not HubSpot's.


#5

Hi @fonji

I believe ngrok supports both HTTP and HTTPS tunnels natively.

ngrok by @inconshreveable                                       (Ctrl+C to quit)

Session Status                online
Account                       me@example.com (Plan: Free)
Version                       2.2.8
Region                        United States (us)
Web Interface                 http://127.0.0.1:4040
Forwarding                    http://d1e4f9ed.ngrok.io -> localhost:12345
Forwarding                    https://d1e4f9ed.ngrok.io -> localhost:12345

Specifically:
Forwarding https://d1e4f9ed.ngrok.io -> localhost:12345

Could you try using the https URL generated with ngrok in the webhooks configuration? If that doesn't meet your needs, I'd love to hear what error conditions you're seeing so that we can make the experience both secure and easy to adopt.

I'm running ngrok version 2.2.8 on MacOS

Reference: the ngrok docs.


#6

Oh I may have a bad memory.
I remember having troubles two years ago trying to make ngrok work for webhooks using https and it didn't work.

But I can confirm that it works now, sorry for the noise.


#7

No problem, thanks for following up! We're working on some documentation updates to make the webhooks local testing scenario more approachable and hope to have that released soon.