X-Hubspot-Signature on GET requests


#1

How should we validate X-Hubspot-Signature on GET requests from HubSpot?

We have it working on POST but not clear how to validate on GET…


#2

Hi @cre

The X-HubSpot-Signature header should be present for both POST and GET requests that come from HubSpot, so validating the header should work pretty much the same for both methods. Are you seeing any specific issues or differences with the GET requests?


#3

The problem is how to generate the hash when there is no body. Per the docs (https://developers.hubspot.com/docs/methods/webhooks/webhooks-overview#user-content-security), we should concatenate the app secret with the request body, but in the GET there is no body…

To verify this signature, concatenate the app secret of your application and the un-parsed request body of the request you’re handling, and get a SHA-256 hash of the result. Compare the resulting hash with the value of the X-HubSpot-Signature. If these values match, then this verifies that this request came from HubSpot. (Or someone else who knows your application secret. It’s important to keep this value secret.) If these values do not match, then this request may have been tampered with in-transit or someone may be spoofing webhook notifications to your endpoint.
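The webhook check quoted from the docs above, sketched in Python as an added example (not part of the thread and not HubSpot's code). It assumes the header carries the hex-encoded digest; the function names, secret and payload are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample values, not real credentials or real HubSpot traffic.
SAMPLE_SECRET = "example-app-secret"
SAMPLE_RAW_BODY = b'[{"eventId":1,"subscriptionType":"contact.creation"}]'


def expected_signature(app_secret: str, raw_body: bytes) -> str:
    """SHA-256 over app secret + un-parsed request body, as a hex string."""
    return hashlib.sha256(app_secret.encode("utf-8") + raw_body).hexdigest()


def is_valid_webhook(app_secret: str, raw_body: bytes, header_value) -> bool:
    """Compare the computed hash with the X-HubSpot-Signature header value.

    raw_body must be the bytes exactly as received, before any JSON parsing.
    """
    if not header_value:
        return False  # missing or empty header: reject
    expected = expected_signature(app_secret, raw_body).encode("ascii")
    # Assumption: the header is a hex digest, so letter case is normalised.
    supplied = header_value.strip().lower().encode("utf-8")
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, supplied)


def reserialised(raw_body: bytes) -> bytes:
    """Parse and re-dump the JSON, as a framework might before a handler runs."""
    return json.dumps(json.loads(raw_body)).encode("utf-8")


if __name__ == "__main__":
    header = expected_signature(SAMPLE_SECRET, SAMPLE_RAW_BODY)
    print("raw body:         ", is_valid_webhook(SAMPLE_SECRET, SAMPLE_RAW_BODY, header))
    # Re-serialising changes whitespace, so the same payload no longer verifies.
    print("re-serialised body:",
          is_valid_webhook(SAMPLE_SECRET, reserialised(SAMPLE_RAW_BODY), header))
    print("missing header:   ", is_valid_webhook(SAMPLE_SECRET, SAMPLE_RAW_BODY, None))
```

Hashing a parsed and re-dumped body fails even for a genuine request, which is why the quoted text specifies the un-parsed body.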


#4

Any luck on how to do this with a GET request?


#5

Webhooks would only make POST requests, so there should always be a body to the request.

If you’re looking at requests for CRM Extensions, the request signature would have a different format detailed here:
https://developers.hubspot.com/docs/methods/crm-extensions/crm-extensions-overview#request-signatures