Request header "X-Hubspot-Signature"


#1

I posted this in a thread earlier, but thought I might have a better chance if I create a new topic rather than posting in a month-old thread.

We have built an integration where we sometimes send Hubspot contacts over to a sales system by enrolling them in workflows and thereby sending them via webhooks, and I wanted to build some security on the webhook side by comparing a hash to the header “X-Hubspot-Signature” that is mentioned in the API docs.

The problem is that I don’t seem to get that header key at all. Below is a code snippet of my webhook, and this is the string I get in my database:

Connection, Content-Length, Content-Type, Accept-Encoding, Host, User-Agent, X-HubSpot-Client-IP, X-HubSpot-Correlation-Id, X-HubSpot-Caller, X-HubSpot-Timeout-Millis

Can someone provide some insight here?

Thanks, and kind regards,

/Noah

using System.IO;
using System.Net;
using System.Web;

public class HS_qualified_lead_test_security_webhook : IHttpHandler
{
    public void ProcessRequest(HttpContext context)
    {
        var ok = true;
        using (var rdr = new StreamReader(context.Request.InputStream))
        {
            // Collect the names of all request headers that were received
            var headers = string.Join(", ", context.Request.Headers.AllKeys);
            // save headers to db
        }

        context.Response.StatusCode = (int)HttpStatusCode.NoContent;
    }

    public bool IsReusable => false;
}

#2

Ping? Can anyone help here? How can I verify that an event comes from HS if I do not receive the X-Hubspot-Signature header?


#3

@noahts I’d be happy to try and lend a hand if I can. Do you mind sharing what page you are looking at for the HubSpot signature? I’m not totally familiar with what you are referring to, but would love to dive into it.


#4

Peter,

Thanks for getting back to me on this. I am located in Denmark where the Easter holidays have already started. I hope it’s OK if I get back to you on Tuesday with more details?

To begin with, though, I am referring to this manual page: http://developers.hubspot.com/docs/methods/webhooks/webhooks-overview

I am attempting to write a webhook to receive data from hubspot, and I’d like to start by verifying the request by using the mentioned request header, my API key, and a SHA256 hash on the payload. The problem is, Hubspot does not send the request header, apparently.


#5

@noahts Enjoy your break!

These APIs are for creating webhooks on an app in a Dev portal and not for something that would launch in a workflow.
Let’s touch base after the holidays as it might be we just need to look at your process from a different point of view.


#6

Hi again Peter,

Thanks for pointing that out - I was not aware there was this difference in web hooks when a webhook is launched from a workflow. Is there anything I can do then in order to validate the requests I get from Hubspot in my endpoints? It sounds like you have some ideas?

Thanks again for your help.

Kind regards,

/Noah


#7

@noahts In order to set up the validation you will need to create a developers account and make an app. From there you can launch the web hook on either a contact creation/deletion or property change. You could have a workflow that updates a property on the contact to notify the app to launch the web hook. Once you have built the app and the workflow out you just need to install the app into your HubSpot portal.

https://app.hubspot.com/signup/developers/detect-auth


#8

Thanks - unfortunately, I am not involved in the setup on the Hubspot side - I am merely providing endpoints that our Marketing department then use when they set up their workflows. I don’t think it is realistic to completely change the way they have set up the many workflows that are already set up. I was hoping I could do this security solely on the API side.

But it sounds like you are saying that if a webhook is called from a HS workflow, there is no way of verifying that the request is genuine - can you confirm that?

Thanks!

/Noah


#9

@noahts Yes that is correct.


#10

OK. Thanks again for your help.

Regards,

/Noah
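
For webhooks that do carry the header (the app-level webhooks from #5 and #7, not workflow webhooks), the check described in #4 could be written as below. This is an added example, not code from the thread or from HubSpot: the class name and the `SharedSecret` placeholder are hypothetical, and the scheme (lowercase hex SHA-256 over the secret followed by the raw body) is an assumption to confirm against the webhooks documentation linked in #4.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Cryptography;
using System.Text;
using System.Web;

public class SignedWebhookHandler : IHttpHandler
{
    // Hypothetical placeholder; load the real secret from protected configuration.
    private const string SharedSecret = "REPLACE_WITH_SECRET";

    public void ProcessRequest(HttpContext context)
    {
        // Read the raw body exactly as received; re-serialized JSON would hash differently.
        string body;
        using (var rdr = new StreamReader(context.Request.InputStream, Encoding.UTF8))
            body = rdr.ReadToEnd();

        // Header lookup is case-insensitive. A missing header is a failure, never a pass.
        var received = context.Request.Headers["X-HubSpot-Signature"];
        if (string.IsNullOrEmpty(received) || !SignatureMatches(SharedSecret, body, received))
        {
            context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
            return;
        }

        // Signature verified: process the payload here.
        context.Response.StatusCode = (int)HttpStatusCode.NoContent;
    }

    // Assumed scheme: lowercase hex of SHA-256(secret + body), both encoded as UTF-8.
    public static bool SignatureMatches(string secret, string body, string receivedHex)
    {
        byte[] hash;
        using (var sha = SHA256.Create())
            hash = sha.ComputeHash(Encoding.UTF8.GetBytes(secret + body));
        var expected = BitConverter.ToString(hash).Replace("-", "").ToLowerInvariant();
        var actual = receivedHex.Trim().ToLowerInvariant();

        // Constant-time comparison so response timing does not reveal matching prefixes.
        var diff = expected.Length ^ actual.Length;
        for (var i = 0; i < expected.Length && i < actual.Length; i++)
            diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    public bool IsReusable => false;
}
```

Pointed at a workflow webhook, this handler rejects every request, because the header list in #1 contains no signature header.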