Developer Announcements

zwolfson
HubSpot Employee

Introducing version 3 of Webhook signatures

In order to help protect our partners and customers, HubSpot signs outgoing requests (such as those for webhooks or CRM cards) so that you can verify that the request did actually come from HubSpot. Following the latest security best practices, we are adding two new headers to outgoing HubSpot requests to OAuth Apps - X-HubSpot-Signature-v3 and X-HubSpot-Request-Timestamp. Prior versions of the X-HubSpot-Signature header will continue to be included for backward compatibility. OAuth Apps can use the request signature to verify whether received requests are actually from HubSpot.

What’s happening

We are adding two new headers to outgoing requests: X-HubSpot-Signature-v3, X-HubSpot-Request-Timestamp.

To verify the signature, developers will need to perform the following steps:

  • Reject the request if the timestamp is older than 5 minutes.
  • Create a UTF-8 encoded string that concatenates together the following: requestMethod + requestUri + requestBody + timestamp. The timestamp is provided by the new X-HubSpot-Request-Timestamp header.
  • Create an HMAC SHA-256 hash of the resulting string using the application secret as the secret for the HMAC SHA-256 function.
  • Base64 encode the result of the HMAC function.
  • Compare the hash value to the signature. If they're equal then this request has been verified as originating from HubSpot. We recommend using constant-time string comparison to guard against timing attacks.

These new headers are available now.

If you have any questions or comments, please join the discussion here.

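As an added example (not code from HubSpot's announcement or any of its client libraries), here is a Python verifier implementing the five steps above, with a signing helper used only to build a constructed sample request. It assumes the X-HubSpot-Request-Timestamp header carries milliseconds since the epoch and that requestUri is the full URL the request was sent to; the secret, URL and body are constructed sample values.

```python
import base64
import hashlib
import hmac
import time

# The announcement says to reject timestamps older than 5 minutes. The header
# is assumed (not stated on the page) to carry milliseconds since the epoch.
MAX_AGE_MS = 5 * 60 * 1000


def compute_v3_signature(method, uri, body, timestamp, secret):
    """Base64(HMAC-SHA256(secret, method + uri + body + timestamp))."""
    message = (method + uri + body + timestamp).encode("utf-8")
    digest = hmac.new(secret.encode("utf-8"), message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_v3_signature(method, uri, body, headers, secret, now_ms=None):
    """True only if the timestamp is fresh and the v3 signature matches."""
    signature = headers.get("X-HubSpot-Signature-v3")
    timestamp = headers.get("X-HubSpot-Request-Timestamp")
    if not signature or not timestamp:
        return False  # v3 headers missing: do not accept the request
    try:
        sent_ms = int(timestamp)
    except ValueError:
        return False  # malformed timestamp
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    if now_ms - sent_ms > MAX_AGE_MS:
        return False  # stale request: outside the 5-minute replay window
    expected = compute_v3_signature(method, uri, body, timestamp, secret)
    # Constant-time comparison, as the announcement recommends.
    return hmac.compare_digest(expected, signature)


# Constructed sample request (not a real HubSpot delivery).
SECRET = "constructed-app-secret"
METHOD = "POST"
URI = "https://example.invalid/hubspot/webhook"  # assumed: full request URL
BODY = '[{"eventId":100,"subscriptionType":"contact.creation"}]'
TIMESTAMP = "1636049700000"


def sample_headers():
    """Headers HubSpot would send for the constructed request above."""
    sig = compute_v3_signature(METHOD, URI, BODY, TIMESTAMP, SECRET)
    return {"X-HubSpot-Signature-v3": sig, "X-HubSpot-Request-Timestamp": TIMESTAMP}
```

Note that the body must be the raw request bytes as received; re-serialising parsed JSON before hashing changes whitespace and key order and makes valid signatures fail.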
22 Replies
PHuston
Participant

@zwolfson despite not opting into the v3 signature validation described in your post, our signature validation suddenly broke at 10:15am PT this morning. Your statement around ensuring backwards compatibility does not seem to be accurate in our experience.

Could you please confirm whether this rollout is progressing as intended? For reference, there seem to be other users experiencing the same problem: https://community.hubspot.com/t5/APIs-Integrations/Incorrect-X-Hubspot-Signature-in-CRM-extension-s-...

If it is indeed true that this was rolled out without actual backwards compatibility, I would consider this to be a major breach of trust.

Thank you

amit-hs
Participant

Hi @zwolfson

We're just now experiencing an issue with signature verifications for v2 requests starting 10:15am Pacific time today November 4th. All signature validation simply fails, with secrets that used to work until that point.

It looks like HubSpot's public API libraries (like this Ruby client: https://github.com/HubSpot/hubspot-api-ruby/blob/master/lib/hubspot/helpers/webhooks_helper.rb#L19) are not ready for this rollout, are they?
