Enforcing HTTPS for all outgoing requests made by the HubSpot platform
Announced: October 18, 2018
All new webhook URLs are required to use HTTPS, and all existing URLs will be required to use HTTPS starting December 4th.
HubSpot has multiple systems that can make outgoing requests to your integration, such as webhooks for getting notifications of updates in HubSpot, or CRM extensions which fetch data from your app to be displayed inside HubSpot. Currently, these requests allow for the specified request URL to use HTTP, and does not force the URL to use HTTPS. These requests can contain sensitive information, such as property values for records in HubSpot, and any URLs using HTTP would mean this data is being sent unencrypted. In order to make sure that HubSpot data is being sent securely, we’re going to start requiring that all outgoing URLs use HTTPS.
Starting immediately, we’ll be requiring all new URLs to use HTTPS. Existing URLs will continue to function until December 4th, at which point we’ll be disabling any subscriptions that are still using HTTP. If your integration uses any of the systems mentioned below, we strongly recommend that you make sure that your systems support HTTPS requests, and that all of your subscription and fetch URLs are set to HTTPS before December 4th.
What systems are affected?
The following systems will be affected by this update:
- The webhook URL for the Webhooks API
- Webhook actions in workflows
- Webhook actions in bots
- Webhook URLs for Workflow extensions
- Fetch URIs for CRM extensions
- The import trigger URI for the Ecommerce Bridge API