How to prevent abuse of Functions/Runtime?

Hello!
What's the appropriate way to prevent runtime endpoints from abuse when being called by an untrusted source (i.e., an iOS or Android app)? The tutorial (https://www.twilio.com/docs/runtime/tutorials/how-to-call-twilio-functions-ios) has you expose your function as unprotected - but wouldn't this allow a malicious actor to call that endpoint many thousands of times to run up your bills and/or spam numbers? There's nothing obvious in the docs about rate limiting clients.
Answers
-
You may want to look at making those functions protected, which means that the caller is responsible for building an X-Twilio-Signature header to be provided before the function is executed.
It does not mean, however, that some actor could not sniff network traffic, see a valid request and replay it repeatedly, but it should cut down on an actor finding an endpoint and making discovery/overloading requests.
-
@shelbyz If I'm to sign an X-Twilio-Signature, wouldn't that mean building the AuthToken into the distributed app unless every possible query (including all possible parameters) is known in advance? That seems inadvisable.