Hope you are having a great day!
I have setup the 'forwarding' of SMS to my site (lets say www.example.com) through External Command > HTTP Request, using FSMS 22.214.171.124
For this I have used a script (lets say my_script.php) which is currently available in my www/public_html folder.
So, the HTTP request (in FSMS) is currently using the following URL:
Now, what I am noticing is that occasionally blank data is being entered in to my database, which probably means that someone is simply hitting the above URL in a browser.
So, my question is, how can I make my setup more secure so, that issue just mentioned does not happen?
Also, is there any way to add security when the URL is called by FSMS, which may become necessary if the SMS being 'forwarded' contains sensitive information?
As usual, any feedback is greatly appreciated.
Thanks in advance!
Very kind of you Sila ... thank you!
I would recommend that you add a security verification to the URL which receives and processes the requests send by frontlinesms. I would also recommend that you use HTTPS to enhance your security configuration instead of HTTP.
Thanks for your Geoffrey.
I have a few followup queries:
1. By "security verification to the URL which receives and processes the requests", I assume you mean using the various PHP options such as checking the data type, validating that the data does not have any malicious code etc. in the PHP script (my_script.php in this example) - will you please confirm that this is what you mean?
2. Can I keep my_script.php outside the web root? If so, what should be the URL that I insert into External Command form in FSMS?
3. The command type for External Command in FSMS 126.96.36.199 is 'HTTP Request' - so, where can I use HTTPS?
I will be very grateful if you can provide some clarifications.
Hope you are fine.
Does anyone have a reply to my queries in the last post?
I realize that some of my questions are quite silly/novice but rest assured your reply will go a long way in enhancing my knowledge.
Eagerly waiting for your reply.
I have spoken to Geoffrey and hope I can clarify some of this.
1. Yes, we'd recommend you sanitise your inputs when submitted. At the most basic level, you could reject empty values to prevent your database from filling up with blank requests. However, the main thing we'd suggest is adding a 'secret' parameter to your PHP script, and only processing the request if the value of this matches the value you set. On the FrontlineSMS side, this parameter would just be an extra entry at the end of your url: "..&secret=my_secret"
2. I believe to do this you would have to do a PHP include to reference my_script.php in a public_script.php, with your url then being the link to public_script.php. This may be useful if you decide to implement the secret word mentioned above.
3. You should be able to set the URL to https:// and it would just work, if your webservice is configured to work with https.
I hope this helps, let me know if you have any further queries.
Guys! A big thank you to all of you!
This is exactly the information I needed!