Response site security

  Last updated: 


You will receive a hashed responsesitesecurity value in any redirects or URL notifications sent to your system. We strongly recommend that you recalculate the responsesitesecurity hash returned, to ensure it has not been modified by a customer or third party and that the fields were sent by Trust Payments.

Follow these steps to generate the hash:


Step 1

Append all values of the fields included in the redirect or URL notification in    ASCII alphabetical order (link to external site) (including any custom fields you have specified), with the password placed at the end.


  • You must ensure that the field values appended are not URL-encoded. If so, they will require decoding (e.g. %40 would need to be changed to @).    Click here for further information (link to external site).
  • When appending the field values, ensure white space characters are not omitted from the string. For example, if authcode is returned, and this field has trailing white space characters (e.g. "12345 "), these must be retained.
  • Do not include the value of the notificationreference or responsesitesecurity fields. These are not used to generate the hash.

The password used when generating the hash is the same password previously agreed with the Support Team when configuring your site security.

For example, consider a redirect or URL notification with the following fields:

  • errorcode = 0
  • orderreference = Order
  • paymenttypedescription = VISA
  • requestreference = RR555
  • settlestatus = 0
  • sitereference = test_site12345
  • transactionreference = 2-44-66

Using the example above, we would have the following string generated, with your agreed password appended at the end of the string:


(Any blank fields are omitted from the hash)


Step 2

Hash the fields using SHA-256.

This generates the value that should be returned in the field responsesitesecurity, in redirects or URL notifications to your system (using the field values specified in step 1):


Note: The response site security isn’t prefixed with a “h” as in the request site security.


Check the hash matches

For valid redirects or URL notifications, the response site security hash that we generate must match the value you have generated using the steps above. This indicates that Trust Payments was the source of the redirect or URL notification and that it has not been modified by the customer or a third party. If the hash you generate does not match that returned in the redirect or URL notification, this potentially indicates that a field has been modified or that there is some other problem with the redirect. Please contact our Support Team for assistance.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request