noahts
Member

Request header "X-Hubspot-Signature"

I posted this in a thread earlier, but thought I might have a better chance if I create a new topic rather than posting in a month-old thread.

We have built an integration where we sometimes send Hubspot contacts over to a sales system by enrolling them in workflows and thereby sending them via webhooks, and I wanted to build some security on the webhook side by comparing a hash to the header “X-Hubspot-Signature” that is mentioned in the API docs.

The problem is that I don’t seem to get that header key at all. Below is a code snippet of my webhook, and this is the string I get in my database:

Connection, Content-Length, Content-Type, Accept-Encoding, Host, User-Agent, X-HubSpot-Client-IP, X-HubSpot-Correlation-Id, X-HubSpot-Caller, X-HubSpot-Timeout-Millis

Can someone provide some insight here?

Thanks, and kind regards,

/Noah

using System.IO;
using System.Net;
using System.Web;

public class HS_qualified_lead_test_security_webhook : IHttpHandler
{
    public void ProcessRequest(HttpContext context)
    {
        var ok = true;
        using (var rdr = new StreamReader(context.Request.InputStream))
        {
            // Collect the names of all request headers that arrived with the webhook call
            var headers = string.Join(", ", context.Request.Headers.AllKeys);
            // save headers to db
        }

        // Acknowledge the webhook with 204 No Content
        context.Response.StatusCode = (int)HttpStatusCode.NoContent;
    }

    public bool IsReusable => false;
}
0 Upvotes
10 Replies
noahts
Member

Ping? Can anyone help here? How can I verify that an event comes from HS if I do not receive the X-Hubspot-Signature header?

0 Upvotes
3PETE
HubSpot Employee

@noahts I’d be happy to try and lend a hand if I can. Do you mind sharing what page you are looking at for the HubSpot signature? I’m not totally familiar with what you are referring to, but would love to dive into it.

0 Upvotes
noahts
Member

Peter,

Thanks for getting back to me on this. I am located in Denmark where the Easter holidays have already started. I hope it’s OK if I get back to you on Tuesday with more details?

To begin with, though, I am referring to this manual page: http://developers.hubspot.com/docs/methods/webhooks/webhooks-overview

I am attempting to write a webhook to receive data from hubspot, and I’d like to start by verifying the request by using the mentioned request header, my API key, and a SHA256 hash on the payload. The problem is, Hubspot does not send the request header, apparently.

0 Upvotes
3PETE
HubSpot Employee

@noahts Enjoy your break!

These APIs are for creating webhooks on an app in a Dev portal and not for something that would launch in a workflow.
Let’s touch base after the holidays as it might be we just need to look at your process from a different point of view.

0 Upvotes
noahts
Member

Hi again Peter,

Thanks for pointing that out - I was not aware there was this difference in web hooks when a webhook is launched from a workflow. Is there anything I can do then in order to validate the requests I get from Hubspot in my endpoints? It sounds like you have some ideas?

Thanks again for your help.

Kind regards,

/Noah

0 Upvotes
3PETE
HubSpot Employee

@noahts In order to set up the validation you will need to create a developers account and make an app. From there you can launch the web hook on either a contact creation/deletion or property change. You could have a workflow that updates a property on the contact to notify the app to launch the web hook. Once you have built the app and the workflow out you just need to install the app into your HubSpot portal.

https://app.hubspot.com/signup/developers/detect-auth

0 Upvotes
noahts
Member

Thanks - unfortunately, I am not involved in the setup on the Hubspot side - I am merely providing endpoints that our Marketing department then use when they set up their workflows. I don’t think it is realistic to completely change the way they have set up the many workflows that are already set up. I was hoping I could do this security solely on the API side.

But it sounds like you are saying that if a webhook is called from a HS workflow, there is no way of verifying that the request is genuine - can you confirm that?

Thanks!

/Noah

0 Upvotes
Edufficient-TL
Participant

@noahts wrote:

But it sounds like you are saying that if a webhook is called from a HS workflow, there is no way of verifying that the request is genuine - can you confirm that?

@noahts, although @3PETE confirmed that was the case in 2017, these days, Webhooks for Workflows do allow request verification, as this knowledgebase article shows.

0 Upvotes
3PETE
HubSpot Employee

@noahts Yes that is correct.

0 Upvotes
noahts
Member

OK. Thanks again for your help.

Regards,

/Noah

0 Upvotes
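
The check this thread is about, as an added example that is not code from any poster or from HubSpot: a receiver-side verification of "X-Hubspot-Signature" that fails closed when the header is absent, which is the case reported in the first post. It assumes the v1 scheme (lowercase hex SHA-256 over the app secret concatenated with the raw request body); the names `HubSpotSignatureCheck`, `ComputeSignature` and `IsValid`, the secret and the payload are all constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class HubSpotSignatureCheck
{
    // Assumed v1 scheme: lowercase hex of SHA-256(secret + raw request body).
    public static string ComputeSignature(string secret, string rawBody)
    {
        using (var sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(secret + rawBody));
            return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
        }
    }

    // headerValue is Request.Headers["X-Hubspot-Signature"]; it is null when the header is absent.
    public static bool IsValid(string headerValue, string secret, string rawBody)
    {
        // Fail closed: a request without the header cannot be authenticated this way.
        if (string.IsNullOrWhiteSpace(headerValue))
            return false;

        byte[] expected = Encoding.ASCII.GetBytes(ComputeSignature(secret, rawBody));
        byte[] received = Encoding.ASCII.GetBytes(headerValue.Trim().ToLowerInvariant());

        // Constant-time comparison: always walk the full expected length so that
        // response timing does not reveal how many leading characters matched.
        int diff = expected.Length ^ received.Length;
        for (int i = 0; i < expected.Length; i++)
            diff |= expected[i] ^ received[i % received.Length];
        return diff == 0;
    }

    public static void Main()
    {
        const string secret = "example-secret";                          // constructed placeholder
        const string body = "{\"vid\":123,\"email\":\"a@example.com\"}"; // constructed payload
        string signature = ComputeSignature(secret, body);

        Console.WriteLine(IsValid(signature, secret, body));        // signature over the same body
        Console.WriteLine(IsValid(signature, secret, body + " "));  // body changed after signing
        Console.WriteLine(IsValid(null, secret, body));             // header missing
    }
}
```

In a handler, hash the body exactly as read from `context.Request.InputStream`, before any JSON parsing or re-serialization, since a single changed byte produces a different digest.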