Enforcing HTTPS for all outgoing requests made by the HubSpot platform

Community Manager

What’s happening?

HubSpot has multiple systems that can make outgoing requests to your integration, such as webhooks for getting notifications of updates in HubSpot, or CRM extensions which fetch data from your app to be displayed inside HubSpot. Currently, these requests allow for the specified request URL to use HTTP, and does not force the URL to use HTTPS. These requests can contain sensitive information, such as property values for records in HubSpot, and any URLs using HTTP would mean this data is being sent unencrypted. In order to make sure that HubSpot data is being sent securely, we’re going to start requiring that all outgoing URLs use HTTPS.

What’s changing?

Starting immediately, we’ll be requiring all new URLs to use HTTPS. Existing URLs will continue to function until December 4th, at which point we’ll be disabling any subscriptions that are still using HTTP. If your integration uses any of the systems mentioned below, we strongly recommend that you make sure that your systems support HTTPS requests, and that all of your subscription and fetch URLs are set to HTTPS before December 4th.

What systems are affected?

The following systems will be affected by this update:

Please let us know if you have any questions by replying below.

8 Replies 8
New Member

Will the requirement be enforced for test apps as well?

Regular Contributor

I also have a problem with this. We use ngrok to test our webhooks between our test portal and the local / dev environment of our application.
It won't work witth https as we can't have a certificate.
I don't see any solution to this, and I'm sad.

I would rather have a big button asking me if I really want to use http (with the explanation above), and let the user decide if they want to accept the risks. Then it's the user's problem, not hubspot's.

New Contributor

Hi @fonji

I believe ngrok supports both HTTP and HTTPS tunnels natively.

ngrok by @inconshreveable                                                                                                                                            (Ctrl+C to quit)
Session Status                online                                                                                                                                                 
Account                       me@example.com (Plan: Free)                                                                                                                      
Version                       2.2.8                                                                                                                                                  
Region                        United States (us)                                                                                                                                     
Web Interface                                                                                                                                         
Forwarding                    http://d1e4f9ed.ngrok.io -> localhost:12345                                                                                                            
Forwarding                    https://d1e4f9ed.ngrok.io -> localhost:12345                                                                                                           

Forwarding https://d1e4f9ed.ngrok.io -> localhost:12345

Could you try using the https URL generated with ngrok in the webhooks configuration? If that doesn't meet your needs, I'd love to hear what error conditions you're seeing so that we can make the experience both secure and easy to adopt.

I'm running ngrok version 2.2.8 on MacOS

Reference: the ngrok docs.

Regular Contributor

Oh I may have a bad memory.
I remember having troubles two years ago trying to make ngrok work for webhooks using https and it didn't work.

But I can confirm that it works now, sorry for the noise.

New Contributor

No problem, thanks for following up! We're working on some documentation updates to make the webhooks local testing scenario more approachable and hope to have that released soon.

Regular Contributor

I have an SSL certificate on my site, but for some reason when I use HTTPS in HubSpot application webhook subscriptions it doesn't work, whereas when I use it in regular webhook triggers in workflows it does work.

I now have quite a critical issue for a client as I went in to test the change to HTTPS for their app in my developer portal, it doesn't work and now it won't allow me to change it back to HTTP.

Could you please take a look at it urgently as my client will be expecting to use the integration tomorrow?

The app I changed to HTTPS is Inbound Addons Deals, app id 58833. You'll see the errors there.

I'd appreciate your assistance as soon as possible please.


Regular Contributor

@Derek_Gervais, can you please take a look at my question above urgently please as my client will be needing to use this within a couple of hours. Can you at least change that webhook subscription back to http until we work it out?

Thanks in advance,

Community Manager

Hi all,

In order to give teams some flexibility during the winter holiday season, the deadline to migrate existing HTTP webhook URLs is being moved to Tuesday, January 15th 2019. All other details in this post remain unchanged.