Tags: hash, http-post, digital-signature, integrity, authenticity

Authenticity and Integrity of HTTP Requests


I have an API endpoint where external websites can submit a POST request. What would be the best method to make sure the requests are authentic and also are not tampered with, so they respect the principle of integrity?

Since the data is not valuable such as credit card information, I do not require HTTPS integration.

I have had a look at both HMACs and Digital Signatures, and I believe the second option would be better, yet I am unsure if this is the way to go?

Similarly, would hashing the request and verifying it on my server be enough?


Solution

  • Both HMAC and digital signatures provide integrity and authentication:

    Main difference: an HMAC message can't be checked/validated by a third party; only a person who knows the secret can validate/authenticate the message. A digitally signed message has a public certificate, and any person can check the message owner by deciphering the message with the attached public key, computing the hash, and checking the public key with a special trusted side.

    Conclusion: use HMAC if you don't need anybody to be able to check whether some message really belongs to the sender.

    Similarly, would hashing the request and verifying it on my server be enough?

    No. A man-in-the-middle can modify your message and attach the hash of the modified message. Hashing provides integrity, which means that message modification will also change the hash, but the hacker doesn't worry about hash equality because he simply replaces the message entirely, contents and hash together! Using some secret, as in HMAC, prevents such message replacements: the man-in-the-middle can still change the message, but he can't recompute the hash because he doesn't know the secret.
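
The difference between an unkeyed hash and an HMAC described in the answer above, as an added example that is not part of the original question or answer. It shows the server-side check accepting a replaced body when only a SHA-256 hash is attached, and rejecting it when an HMAC-SHA256 tag is required. The secret, the request bodies and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values (assumptions, not from the original post).
SHARED_SECRET = b"example-shared-secret-change-me"
ORIGINAL_BODY = b'{"site": "example.org", "score": 10}'
REPLACED_BODY = b'{"site": "example.org", "score": 9999}'


def plain_hash(body: bytes) -> str:
    """Unkeyed SHA-256 digest: anyone can compute it for any body."""
    return hashlib.sha256(body).hexdigest()


def hmac_tag(secret: bytes, body: bytes) -> str:
    """Keyed HMAC-SHA256 tag: computing it requires the shared secret."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_plain_hash(body: bytes, received: str) -> bool:
    """Server check when the sender attaches only a hash of the body."""
    return hmac.compare_digest(plain_hash(body), received)


def verify_hmac(secret: bytes, body: bytes, received: str) -> bool:
    """Server check when the sender attaches an HMAC of the body."""
    # compare_digest compares in constant time, so the check does not
    # leak how many leading characters of the tag matched.
    return hmac.compare_digest(hmac_tag(secret, body), received)


def demo() -> dict:
    """Run the server checks against genuine and replaced requests."""
    genuine_tag = hmac_tag(SHARED_SECRET, ORIGINAL_BODY)
    return {
        # Genuine sender: both schemes accept the untouched request.
        "genuine_hash": verify_plain_hash(ORIGINAL_BODY, plain_hash(ORIGINAL_BODY)),
        "genuine_hmac": verify_hmac(SHARED_SECRET, ORIGINAL_BODY, genuine_tag),
        # Body and hash both replaced in transit: the hash still matches.
        "replaced_hash": verify_plain_hash(REPLACED_BODY, plain_hash(REPLACED_BODY)),
        # Body replaced, old tag kept: the tag no longer matches the body.
        "replaced_hmac_old_tag": verify_hmac(SHARED_SECRET, REPLACED_BODY, genuine_tag),
        # Body replaced, tag recomputed without the real secret: rejected.
        "replaced_hmac_wrong_key": verify_hmac(
            SHARED_SECRET, REPLACED_BODY, hmac_tag(b"not-the-secret", REPLACED_BODY)
        ),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```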