HubSpot Webhook Signature Validation: Why v3 Is the Only Version Worth Using
HubSpot has introduced three webhook signature schemes over the years — v1, v2, and v3 — each using similar header names, which frequently causes developers to implement the wrong version. The v1 and v2 schemes use SHA-256 hashing with no timestamp, leaving them vulnerable to replay attacks, while v3 uses HMAC-SHA256 with a signed timestamp for stronger security. HubSpot currently recommends v3, which requires hashing the HTTP method, full URI, raw request body, and timestamp together, then Base64-encoding the result. Common implementation mistakes include re-serializing the request body before verification, using the wrong URI format, omitting the timestamp from the signed string, or comparing a hex digest against a Base64-encoded header. Developers should also reject any request whose timestamp is more than five minutes old to prevent replay attacks.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in