TextMarks wants to hear from you

You'll find many helpful knowledge base articles here. If you need assistance, please:

We're here to help! If you're looking for your TextMarks dashboard or more information on TextMarks, please visit our main site at www.TextMarks.com.



HTTP Callback Security Considerations

TextMarks provides mobile-originated request/response functionality to enable your users to interact with your web and application servers by sending text message (SMS) to our shared shortcode, which we proxy as HTTP requests to your servers and send dynamic text message responses back to users on your behalf. The other pages in this section provide more information on this facet of our API. These HTTP requests are made to "callback URLs" that you specify in your keyword (TextMark) configuration. This page discusses security considerations of these requests.

SSL (HTTPS) Support

By specifying a callback URL with the "https" protocol (as opposed to "http"), you are instructing TextMarks servers to connect with SSL and use the level of encryption specified by your own certificate and server. This encrypts all data transferred over the network to prevent eavesdropping and is highly recommended for sensitive data. We do not verify the authenticity of your certificate, so you may use a self-signed certificate if you wish.

Shared Secret / Signed Requests

By configuring a shared secret pass phrase in your keyword and utilizing the "\s" HMAC parameter in your callback URL, you have an additional layer of security in that you may verify that a) the request did indeed come from TextMarks and b) is not an old request being replayed.
For more information, see: http://www.textmarks.com/api/sms-auto-response/#signed_requests

Firewall / IP Address Filtering

TextMarks callback requests will come from the net block 184.106.28.208/28. You may configure your firewall to only allow HTTP requests to your callback URL and servers from this block to prevent access from other machines on the internet. While in the future this address block may change, we will notify all registered API developers (i.e. those with one or more API Keys in their account) of changes ahead of time. This type of firewall protection should only be performed for the most security critical applications due to the fact that it requires additional work up front and is an additional point of failure (e.g. if your firewall configuration changes or breaks).