

Building Twilio Apps on Rails: Security, MMS and Delivery Receipts - crabasa
https://www.twilio.com/blog/2014/10/twilio-on-rails-part-2-rails-4-app-sending-sms-mms.html

======
patio11
Another option for securing Twilio apps is to a) use HTTPS between your server
and Twilio, which you always want to do anyway and then b) use a shared secret
to validate that the HTTP client your app is talking to is actually Twilio.

I do this, partially because it was easy to implement and partially because
independently developed message signing and verification can be... finicky. I
have no particular reason to not trust Twilio's generated signatures, but
didn't want a sudden confusion about e.g. ordering parameters to wake me up at
3 AM when it broke the system. Or worse, _not_ wake me up at 3 AM when it
broke the system.

~~~
RobSpectre
Totally fair solution. Some folks like to roll their own, some folks like to
use ours. Important bit is the app is validating the data it is sending and
receiving.

Param ordering changes in your framework can definitely hit. I've caught
similar bugs when upgrading frameworks before hitting production with some
validation unit tests. Here is an example if that is helpful:
[https://github.com/RobSpectre/Twilio-Hackpack-for-Heroku-and...](https://github.com/RobSpectre/Twilio-Hackpack-for-Heroku-and-Flask/blob/production/tests/test_twilio.py)
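
Added example, not written by either commenter and not code from Twilio's libraries: a Ruby sketch of both approaches discussed in this thread, following Twilio's documented signature scheme (HMAC-SHA1 over the URL plus name-sorted POST parameters, keyed with the auth token). The token, URL, parameters and helper names are constructed for illustration.

```ruby
require 'openssl'
require 'base64'
require 'digest'

# Constructed sample values; not real credentials or numbers.
AUTH_TOKEN    = 'constructed-auth-token'
WEBHOOK_URL   = 'https://example.com/twilio/sms'
SAMPLE_PARAMS = { 'To' => '+15005550006', 'From' => '+15005550001', 'Body' => 'hello' }

# Signature per Twilio's documented scheme: the full request URL, then each
# POST parameter's name and value appended with no delimiters in name-sorted
# order, HMAC-SHA1 keyed with the auth token, Base64-encoded.
# Sorting here is what makes the result independent of the order in which a
# framework hands over the parameters.
def twilio_signature(auth_token, url, params)
  data = url + params.sort_by { |k, _| k.to_s }.map { |k, v| "#{k}#{v}" }.join
  Base64.strict_encode64(OpenSSL::HMAC.digest('sha1', auth_token, data))
end

# Constant-time comparison: a mismatch takes the same time wherever it occurs.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Check the value of the X-Twilio-Signature header against our own computation.
def valid_twilio_request?(auth_token, url, params, header_signature)
  secure_compare(twilio_signature(auth_token, url, params), header_signature.to_s)
end

# Shared-secret alternative (only meaningful over HTTPS): compare a secret the
# client presents with the one configured on the server. Hashing both sides
# first gives equal-length inputs, so the secret's length is not leaked.
def valid_shared_secret?(expected, presented)
  secure_compare(Digest::SHA256.digest(expected), Digest::SHA256.digest(presented.to_s))
end

if __FILE__ == $PROGRAM_NAME
  sig = twilio_signature(AUTH_TOKEN, WEBHOOK_URL, SAMPLE_PARAMS)
  reordered = SAMPLE_PARAMS.to_a.reverse.to_h
  puts "reordered params accepted: #{valid_twilio_request?(AUTH_TOKEN, WEBHOOK_URL, reordered, sig)}"
  tampered = SAMPLE_PARAMS.merge('Body' => 'tampered')
  puts "tampered body accepted:    #{valid_twilio_request?(AUTH_TOKEN, WEBHOOK_URL, tampered, sig)}"
end
```

Note that the URL is part of the signed data, so a scheme or host rewritten by a proxy in front of the app changes the computed signature just as a changed parameter does.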

