How can you check incoming Twilio SMS?
Basically I'm trying to allow users to post to their blog using a text message. I have a phone number stored for each user, and since Twilio is sending this information in a POST request they send to my page, I can do a reverse search to see which blog to post it to. Now the question is, how can I be sure that the user has sent the text? Can't someone just send messages with a different phone number?
I have a couple of thoughts about this: 1. Twilio sends your account number in a message that I believe is not known to attackers. 2. I could reply with an SMS containing a randomly generated code and ask the user to send it back. This will effectively triple your SMS messaging needs; I would prefer the former.
Is number one "safe enough"? Or should I bite the bullet and create a response system like in number two?
You can check if requests are coming from Twilio. We add a header X-Twilio-Signature for every request that is signed with your Auth Token (which only you should know). Each of the Twilio helper libraries has a function to help you determine if a request has been completed by Twilio or not.
Please see our documentation for validating requests: http://www.twilio.com/docs/security#validating-requests, or our helper library functions for validating Twilio requests: http://readthedocs.org/docs/twilio-php/en/latest/usage/validation.html#validate-incoming-requests for example.
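The X-Twilio-Signature check described in the answer, written out with the Python standard library as an added example (not code from the post or from Twilio's helper libraries). It follows the scheme in Twilio's request-validation documentation: HMAC-SHA1 over the request URL plus the sorted POST parameters, keyed with the Auth Token and base64-encoded. The token, URL, phone numbers and the `BLOG_BY_PHONE` table are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed sample values, not real credentials or numbers.
AUTH_TOKEN = "constructed-auth-token"
WEBHOOK_URL = "https://blog.example.com/sms/incoming"
BLOG_BY_PHONE = {"+15550100": "alice-blog"}  # hypothetical user table


def compute_signature(auth_token, url, params):
    """Expected X-Twilio-Signature for a form-encoded POST."""
    # Signed string: full request URL, then each POST parameter's name
    # and value appended with the parameters sorted by name.
    signed = url + "".join(k + params[k] for k in sorted(params))
    mac = hmac.new(auth_token.encode(), signed.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def is_from_twilio(auth_token, url, params, header_value):
    """Constant-time comparison of the received and expected signature."""
    if not header_value:
        return False
    expected = compute_signature(auth_token, url, params)
    return hmac.compare_digest(expected.encode(), header_value.encode())


def route_sms(headers, params):
    """Return the blog to post to, or None if the request is rejected."""
    sig = headers.get("X-Twilio-Signature")
    if not is_from_twilio(AUTH_TOKEN, WEBHOOK_URL, params, sig):
        return None  # not signed with our Auth Token: drop it
    return BLOG_BY_PHONE.get(params.get("From"))


def demo():
    genuine = {"From": "+15550100", "To": "+15550199", "Body": "New post"}
    sig = compute_signature(AUTH_TOKEN, WEBHOOK_URL, genuine)  # Twilio's side
    # A direct POST that reuses the signature but changes a field fails.
    forged = dict(genuine, Body="Injected post")
    return (route_sms({"X-Twilio-Signature": sig}, genuine),
            route_sms({"X-Twilio-Signature": sig}, forged),
            route_sms({}, genuine))


if __name__ == "__main__":
    print(demo())
```

The URL passed to the check must be exactly the webhook URL Twilio was configured to call, since it is part of the signed string.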