
Response site security

 

If site security is enabled on your site, you will also receive a hashed responsesitesecurity value in any redirects or URL notifications sent to your system. We strongly recommend that you recalculate the responsesitesecurity hash returned, to ensure it has not been modified by a customer or third party and that the fields were sent by Secure Trading.

Follow these steps to generate the hash:

 

1. Append the values of all fields included in the redirect or URL notification (including any extra fields you have specified, but ignoring the responsesitesecurity field itself), ordered by field name in ASCII alphabetical order, and place the password at the end.

 

The password used when generating the hash is the same password previously agreed with the Support team when configuring your site security.

 

For example, consider a redirect or URL notification with the following fields:

  • errorcode = 0
  • orderreference = Order
  • paymenttypedescription = VISA
  • requestreference = RR555
  • settlestatus = 0
  • sitereference = test_site12345
  • transactionreference = 2-44-66

 

Using the example above, we would have the following string generated, with your agreed password appended at the end of the string:

 

0OrderVISARR5550test_site123452-44-66PASSWORD

(Any blank fields are omitted from the hash)

2. Hash the fields using SHA-256.

This generates the value that should be returned in the field responsesitesecurity, in redirects or URL notifications to your system (using the field values specified in step 1):


1a8b45c137c1d1df8ce6ff923421043f879a85a181e9c0d96a8904211af8b0b0

Note: The response site security isn’t prefixed with a “g” as in the request site security.

 


 

Check the hash matches

For valid redirects or URL notifications, the response site security hash that we generate must match the value you have generated using the steps above. This indicates that Secure Trading was the source of the redirect or URL notification and that it has not been modified by the customer or a third party. If the hash you generate does not match that returned in the redirect or URL notification, this potentially indicates that a field has been modified or that there is some other problem with the redirect. Please contact our Support Team for assistance.
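
One way to implement the recalculation and comparison described above, as an added example in Python (not Secure Trading's own code). It assumes the received fields have already been parsed into a dict of strings and that the string is encoded as UTF-8 before hashing; the function names and the `extrafield` key are hypothetical.

```python
import hashlib
import hmac

HASH_FIELD = "responsesitesecurity"


def build_hash_input(fields, password):
    """Join non-blank values, ordered by field name, then append the password."""
    names = sorted(
        name for name, value in fields.items()
        if name != HASH_FIELD and value not in (None, "")
    )  # sorted() orders str by code point, i.e. ASCII order for ASCII names
    return "".join(fields[name] for name in names) + password


def expected_hash(fields, password):
    # Assumption: UTF-8 encoding of the concatenated string.
    data = build_hash_input(fields, password).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def verify_response(fields, password):
    """Return True only if the received hash matches the recalculated one."""
    received = fields.get(HASH_FIELD) or ""
    if not received:
        return False  # a missing hash is treated as a failed check
    # Constant-time comparison, so timing does not leak how many characters matched.
    return hmac.compare_digest(
        expected_hash(fields, password).encode("ascii"),
        received.encode("utf-8"),
    )


# The example fields from this page, plus one constructed blank extra field.
EXAMPLE_FIELDS = {
    "transactionreference": "2-44-66",
    "errorcode": "0",
    "sitereference": "test_site12345",
    "orderreference": "Order",
    "settlestatus": "0",
    "paymenttypedescription": "VISA",
    "requestreference": "RR555",
    "extrafield": "",  # hypothetical; blank, so omitted from the hash
}

if __name__ == "__main__":
    print(build_hash_input(EXAMPLE_FIELDS, "PASSWORD"))
    print(expected_hash(EXAMPLE_FIELDS, "PASSWORD"))
```

Reject the redirect or notification whenever `verify_response` returns False, and do not update the order status from its fields.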