How can you check incoming Twilio SMS?

Basically I'm trying to allow users to post to their blog using a text message. I have a phone number stored for each user, and since Twilio is sending this information in a POST request they send to my page, I can do a reverse search to see which blog to post it to. Now the question is, how can I be sure that the user has sent the text? Can't someone just send messages with a different phone number?

I have a couple of thoughts about this:

1. Twilio sends your account number in a message that I believe is not known to attackers.
2. I could reply with an SMS containing a randomly generated code and ask the user to send it back. This will effectively triple your SMS messaging needs; I would prefer the former.

Is number one "safe enough"? Or should I bite the bullet and create a response system like in number two?



1 answer

You can check if requests are coming from Twilio. We add a header X-Twilio-Signature for every request that is signed with your Auth Token (which only you should know). Each of the Twilio helper libraries has a function to help you determine if a request has been completed by Twilio or not.

Please see our documentation for validating requests:

or our helper library functions for validating Twilio requests: for example.
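
An added example, not part of the original answer and not Twilio's helper-library code: a standard-library sketch of the X-Twilio-Signature check for a form-encoded POST webhook, following Twilio's documented scheme (HMAC-SHA1 over the request URL plus the name-sorted POST parameters, base64-encoded, keyed with the Auth Token). The token, URL, phone numbers and AccountSid below are constructed sample values.

```python
import base64
import hashlib
import hmac

def compute_signature(auth_token, url, params):
    """Signature Twilio would send for this URL and these POST parameters."""
    # Full request URL, then each parameter name and value in name-sorted order.
    data = url + "".join(name + params[name] for name in sorted(params))
    mac = hmac.new(auth_token.encode("utf-8"), data.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

def is_from_twilio(auth_token, url, params, header_value):
    """True only if the X-Twilio-Signature header matches the request contents."""
    if not header_value:
        return False  # unsigned request: reject
    expected = compute_signature(auth_token, url, params)
    # Constant-time comparison on bytes avoids leaking how many characters match.
    return hmac.compare_digest(expected.encode("ascii"), header_value.encode("utf-8"))

# Constructed sample values, not real credentials or numbers.
AUTH_TOKEN = "constructed-auth-token-0000"
WEBHOOK_URL = "https://blog.example.com/sms/incoming"
SAMPLE_PARAMS = {
    "AccountSid": "ACconstructed0000",
    "From": "+15555550100",
    "To": "+15555550199",
    "Body": "My new blog post",
}

def demo():
    genuine_sig = compute_signature(AUTH_TOKEN, WEBHOOK_URL, SAMPLE_PARAMS)
    # Same request with a different From number, replaying the genuine signature.
    altered = dict(SAMPLE_PARAMS, From="+15555550123")
    # Sender who knows the AccountSid but signs with a guessed token.
    guessed_sig = compute_signature("guessed-token", WEBHOOK_URL, altered)
    return {
        "genuine": is_from_twilio(AUTH_TOKEN, WEBHOOK_URL, SAMPLE_PARAMS, genuine_sig),
        "altered_from": is_from_twilio(AUTH_TOKEN, WEBHOOK_URL, altered, genuine_sig),
        "guessed_token": is_from_twilio(AUTH_TOKEN, WEBHOOK_URL, altered, guessed_sig),
        "missing_header": is_from_twilio(AUTH_TOKEN, WEBHOOK_URL, SAMPLE_PARAMS, None),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The URL passed in must be exactly the one Twilio requested, including scheme and query string; behind a TLS-terminating proxy the application may see a different URL and the check will fail.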


