APIs & Integrations

Derek_Gervais
HubSpot Alumni
HubSpot Alumni

Enforcing HTTPS for all outgoing requests made by the HubSpot platform

What’s happening?

HubSpot has multiple systems that can make outgoing requests to your integration, such as webhooks for getting notifications of updates in HubSpot, or CRM extensions which fetch data from your app to be displayed inside HubSpot. Currently, these requests allow for the specified request URL to use HTTP, and does not force the URL to use HTTPS. These requests can contain sensitive information, such as property values for records in HubSpot, and any URLs using HTTP would mean this data is being sent unencrypted. In order to make sure that HubSpot data is being sent securely, we’re going to start requiring that all outgoing URLs use HTTPS.

What’s changing?

Starting immediately, we’ll be requiring all new URLs to use HTTPS. Existing URLs will continue to function until December 4th, at which point we’ll be disabling any subscriptions that are still using HTTP. If your integration uses any of the systems mentioned below, we strongly recommend that you make sure that your systems support HTTPS requests, and that all of your subscription and fetch URLs are set to HTTPS before December 4th.

What systems are affected?

The following systems will be affected by this update:

Please let us know if you have any questions by replying below.

8 Replies 8
Derek_Gervais
HubSpot Alumni
HubSpot Alumni

Enforcing HTTPS for all outgoing requests made by the HubSpot platform

Hi all,

In order to give teams some flexibility during the winter holiday season, the deadline to migrate existing HTTP webhook URLs is being moved to Tuesday, January 15th 2019. All other details in this post remain unchanged.

0 Upvotes
Sam_Alford
Member | Diamond Partner
Member | Diamond Partner

Enforcing HTTPS for all outgoing requests made by the HubSpot platform

I have an SSL certificate on my site, but for some reason when I use HTTPS in HubSpot application webhook subscriptions it doesn't work, whereas when I use it in regular webhook triggers in workflows it does work.

I now have quite a critical issue for a client as I went in to test the change to HTTPS for their app in my developer portal, it doesn't work and now it won't allow me to change it back to HTTP.

Could you please take a look at it urgently as my client will be expecting to use the integration tomorrow?

The app I changed to HTTPS is Inbound Addons Deals, app id 58833. You'll see the errors there.

I'd appreciate your assistance as soon as possible please.

Thanks

0 Upvotes
Sam_Alford
Member | Diamond Partner
Member | Diamond Partner

Enforcing HTTPS for all outgoing requests made by the HubSpot platform

@Derek_Gervais, can you please take a look at my question above urgently please as my client will be needing to use this within a couple of hours. Can you at least change that webhook subscription back to http until we work it out?

Thanks in advance,
Samantha

0 Upvotes
cbaldauf
HubSpot Product Team
HubSpot Product Team

Enforcing HTTPS for all outgoing requests made by the HubSpot platform

No problem, thanks for following up! We're working on some documentation updates to make the webhooks local testing scenario more approachable and hope to have that released soon.

0 Upvotes
tbcrowe
Participant

Enforcing HTTPS for all outgoing requests made by the HubSpot platform

Will the requirement be enforced for test apps as well?

fonji
Contributor

Enforcing HTTPS for all outgoing requests made by the HubSpot platform

I also have a problem with this. We use ngrok to test our webhooks between our test portal and the local / dev environment of our application.
It won't work witth https as we can't have a certificate.
I don't see any solution to this, and I'm sad.

I would rather have a big button asking me if I really want to use http (with the explanation above), and let the user decide if they want to accept the risks. Then it's the user's problem, not hubspot's.

cbaldauf
HubSpot Product Team
HubSpot Product Team

Enforcing HTTPS for all outgoing requests made by the HubSpot platform

Hi @fonji

I believe ngrok supports both HTTP and HTTPS tunnels natively.

ngrok by @inconshreveable                                                                                                                                            (Ctrl+C to quit)
                                                                                                                                                                                     
Session Status                online                                                                                                                                                 
Account                       me@example.com (Plan: Free)                                                                                                                      
Version                       2.2.8                                                                                                                                                  
Region                        United States (us)                                                                                                                                     
Web Interface                 http://127.0.0.1:4040                                                                                                                                  
Forwarding                    http://d1e4f9ed.ngrok.io -> localhost:12345                                                                                                            
Forwarding                    https://d1e4f9ed.ngrok.io -> localhost:12345                                                                                                           
                                                                                                                                                                                     

Specifically:
Forwarding https://d1e4f9ed.ngrok.io -> localhost:12345

Could you try using the https URL generated with ngrok in the webhooks configuration? If that doesn't meet your needs, I'd love to hear what error conditions you're seeing so that we can make the experience both secure and easy to adopt.

I'm running ngrok version 2.2.8 on MacOS

Reference: the ngrok docs.

fonji
Contributor

Enforcing HTTPS for all outgoing requests made by the HubSpot platform

Oh I may have a bad memory.
I remember having troubles two years ago trying to make ngrok work for webhooks using https and it didn't work.

But I can confirm that it works now, sorry for the noise.

0 Upvotes