HTTP Callback Security Considerations
TextMarks provides mobile-originated request/response functionality that lets your users interact with your web and application servers by sending text messages (SMS) to our shared shortcode. We proxy these messages as HTTP requests to your servers and send dynamic text message responses back to users on your behalf. The other pages in this section provide more information on this facet of our API. These HTTP requests are made to "callback URLs" that you specify in your keyword (TextMark) configuration. This page discusses the security considerations of these requests.
SSL (HTTPS) Support
By specifying a callback URL with the "https" protocol (as opposed to "http"), you instruct TextMarks servers to connect with SSL and use the level of encryption specified by your own certificate and server. This encrypts all data transferred over the network to prevent eavesdropping and is highly recommended for sensitive data. We do not verify the authenticity of your certificate, so you may use a self-signed certificate if you wish. Because the certificate is not verified, the connection is encrypted but does not authenticate your server to TextMarks.
Shared Secret / Signed Requests
By configuring a shared secret pass phrase in your keyword and using the "\s" HMAC parameter in your callback URL, you gain an additional layer of security: you can verify that the request a) did indeed come from TextMarks and b) is not an old request.
For more information, see: http://www.textmarks.com/api/sms-auto-response/#signed_requests
Firewall / IP Address Filtering
TextMarks callback requests will come from the net block 220.127.116.11/28. You may configure your firewall to allow HTTP requests to your callback URL and servers only from this block, preventing access from other machines on the internet. This address block may change in the future, but we will notify all registered API developers (i.e. those with one or more API Keys in their account) of changes ahead of time. This type of firewall protection should only be used for the most security-critical applications, because it requires additional work up front and is an additional point of failure (e.g. if your firewall configuration changes or breaks).
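
The same source-address restriction can also be enforced inside the callback handler. The following is an added example, not TextMarks code: the function names are hypothetical, and `TRUSTED_PROXIES` is an assumed range standing in for your own reverse proxies.

```python
import ipaddress

# Net block as published above. It is written with host bits set, so
# strict=False is required; it normalises to 220.127.116.0/28 (.0 to .15).
TEXTMARKS_BLOCKS = [ipaddress.ip_network("220.127.116.11/28", strict=False)]

# Assumption: your own reverse proxies (constructed example range).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _parse(text):
    """Parse an address; unwrap IPv4-mapped IPv6 as seen on dual-stack sockets."""
    try:
        addr = ipaddress.ip_address(text.strip())
    except ValueError:
        return None
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def client_address(peer_ip, x_forwarded_for=None):
    """Return the address to authorise, or None if it cannot be determined.

    X-Forwarded-For is set by the sender, so it is honoured only when the TCP
    peer is one of our proxies, and only its right-most entry (the one our
    proxy appended) is used. Assumes a single proxy layer.
    """
    peer = _parse(peer_ip)
    if peer is None:
        return None
    if x_forwarded_for and _in_any(peer, TRUSTED_PROXIES):
        return _parse(x_forwarded_for.split(",")[-1])
    return peer


def is_textmarks_callback(peer_ip, x_forwarded_for=None):
    """Fail closed: anything unparseable or outside the block is rejected."""
    addr = client_address(peer_ip, x_forwarded_for)
    return addr is not None and _in_any(addr, TEXTMARKS_BLOCKS)
```

Keeping the block in one constant means a notified address change is a single-line update, and a forged `X-Forwarded-For` header from an arbitrary host is ignored because that host is not a trusted proxy.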