How to secure an Iframe extension?



What is the best way to secure an Iframe extension coming off a primary action button:

Issue 1: There doesn't seem to be an X-HubSpot-Signature sent on Iframe GETs. There appears to be no sha256 hash checking on these requests (couldn't see one when logging header outputs). Guessing I will need to create some kind of request token on my end?

Issue 2: What's the best way to identify users? Simply add a token to the Iframe URL?

When it hits my iFrame endpoint it only seems to send pretty basic data by default:




Hi @ralphioooo,

Thanks for your patience here; I'll try to address your issues separately to avoid any confusion:

  1. The extension iframe is a pure iframe, and you should treat it in the same way that you'd treat a request coming from a web browser with regard to authentication. If a user needs to be logged in to view the contents of the iframe, they should go through your app's login flow when viewing via the iframe.
  2. While I can't say for sure what would be best for your specific app, adding a token to the webhook URL is a secure way to identify your users and would likely be a good course of action.


Thanks Derek!

For anyone else this seems to work quite well:

  • Every time the CRM Extension is loaded we generate a token and store it in our DB with our internal user id and then append the token only to the iFrame URL
  • When an iFrame call is made we check the token and the portal ID. If it matches the user ID stored against it we log them in/set the session.
  • All tokens expire after 30 min, after which the HubSpot user is told to refresh their browser
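
The token flow from the last post, as an added Python example (not the poster's or HubSpot's code). The in-memory dict stands in for the DB table; the function names and the sample user and portal ids are assumptions, and storing only a SHA-256 of each token is a hardening choice that goes beyond the post.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 60  # the 30 min lifetime from the post
_tokens = {}  # stand-in for the DB table: sha256(token) -> record


def _digest(token):
    # Store only a hash so a leaked table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(user_id, portal_id, now=None):
    """Run when the CRM extension loads; append the result to the iframe URL."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _tokens[_digest(token)] = {
        "user_id": user_id,
        "portal_id": str(portal_id),
        "expires_at": now + TOKEN_TTL_SECONDS,
    }
    return token


def check_token(token, portal_id, now=None):
    """Run on the iframe GET; returns the internal user id, or None to reject."""
    now = time.time() if now is None else now
    key = _digest(token or "")
    record = _tokens.get(key)
    if record is None:
        return None  # unknown or already purged token
    if now >= record["expires_at"]:
        _tokens.pop(key, None)  # purge; caller shows the "refresh your browser" page
        return None
    # The portal id on the request must match the one recorded at issue time.
    if not hmac.compare_digest(record["portal_id"], str(portal_id)):
        return None
    return record["user_id"]  # caller sets the session for this user
```

Because the token travels in the URL, it will appear in access logs and browser history; once the session is set, redirecting to the same page without the token keeps it out of later requests.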