Precautions to Avoid Spamming on SMS Services

  1. IP security: With API security enabled, only requests that come from the IP addresses you have allowlisted are accepted; an attempt to send an SMS from any other IP is rejected with error code 418. Help article: https://msg91.com/help/api/what-do-you-mean-by-api-security

  2. Country block: To stop untargeted and undesired SMS traffic to countries with higher pricing, block countries above a set per-SMS price. The same control also limits bot attacks and spamming, which typically aim at exactly those high-price destinations. Help article: https://msg91.com/help/best-practices/how-to-block-countries-above-a-set-sms-price

  3. Keep it secret: Never hard-code keys or credentials in source code, public repositories, logs, or client-side code (such as JavaScript running in the browser). A key that leaves the server side is a key anyone can use.

  4. Use environment variables: Store keys in environment variables or a secret-management service (e.g. AWS Secrets Manager, HashiCorp Vault, Azure Key Vault) so they never land in the codebase, config files, or version control.

  5. Rotate keys regularly: Put a process in place to rotate keys periodically; this caps how long a compromised key stays useful. Automate rotation where possible.

  6. Apply least privilege: Generate scoped keys with only the minimum access their purpose needs, and do not reuse a highly privileged key for simple tasks. This limits the blast radius of misuse.

  7. Monitor and audit: Enable detailed logging of all key activity and review the logs regularly for abnormal patterns: requests from unexpected IPs or locations, spikes in volume, or unknown services presenting the key. Set up alerts for suspicious activity. Log the key's label or ID, never the key value itself.

  8. Encrypt in transit and at rest: Only send keys over TLS/HTTPS, and keep them encrypted on disk, in databases, and in secret managers so that a compromised storage system does not expose them in the clear.

  9. Avoid insecure sharing: Do not share keys by email, chat apps, or plain-text documents. Distribute them through a password manager, an encrypted vault, or a secure API gateway.

  10. Revoke unused or compromised keys immediately: Disable or delete any key that is no longer in use. If a key is compromised, revoke it at once and issue a replacement.
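The IP restriction, the price-based country block and the log review described above can also be enforced and checked on the application side, independently of the provider's own controls. The following Python script is an added example and is not MSG91 code: it walks a constructed usage log and flags requests from IPs outside an allowlist, destinations whose assumed per-SMS price exceeds a cap, and per-key request bursts inside a short window. The log format, the allowlist, the price table, the thresholds and the IP addresses are all assumptions made for the example.

```python
"""Application-side audit of SMS API key usage (added example, not MSG91 code).

Flags three things the page's precautions are about:
  * unlisted_ip            - a request from an IP not on the allowlist
  * expensive_destination  - a destination whose assumed price exceeds the cap
  * spike                  - a per-key burst of requests inside a short window
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- Assumed configuration (hypothetical values, not MSG91 defaults) ---
ALLOWED_IPS = {"203.0.113.10"}                  # the only host that should hold this key
PRICE_PER_SMS = {"91": 0.0025, "44": 0.04, "1": 0.01, "7": 0.09}  # assumed USD per dialling prefix
PRICE_CAP = 0.05                                  # refuse anything dearer than this
SPIKE_WINDOW = timedelta(seconds=10)
SPIKE_THRESHOLD = 5                               # requests per key inside SPIKE_WINDOW

# Constructed sample log (not real traffic). Only the key's label is logged, never its value.
# Two normal requests, then a burst from an unlisted IP towards a high-price prefix.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z key=prod-otp ip=203.0.113.10 to=+919876543210
2024-05-01T10:00:03Z key=prod-otp ip=203.0.113.10 to=+919876543211
2024-05-01T10:00:30Z key=prod-otp ip=198.51.100.7 to=+447700900123
2024-05-01T10:00:31Z key=prod-otp ip=198.51.100.7 to=+79001234567
2024-05-01T10:00:32Z key=prod-otp ip=198.51.100.7 to=+79001234568
2024-05-01T10:00:33Z key=prod-otp ip=198.51.100.7 to=+79001234569
2024-05-01T10:00:34Z key=prod-otp ip=198.51.100.7 to=+79001234570
2024-05-01T10:00:35Z key=prod-otp ip=198.51.100.7 to=+79001234571
"""

LINE_RE = re.compile(r"^(\S+) key=(\S+) ip=(\S+) to=(\+\d+)$")


def parse_line(line):
    """Parse one assumed-format log line; return None for anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, key, ip, dest = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "key": key, "ip": ip, "to": dest}


def price_for(dest, table=PRICE_PER_SMS):
    """Look up the per-SMS price by longest matching dialling prefix (3, then 2, then 1 digit)."""
    digits = dest.lstrip("+")
    for n in (3, 2, 1):
        price = table.get(digits[:n])
        if price is not None:
            return price
    return None  # unknown prefix: treated as blocked by audit()


def audit(log_text, allowed_ips=ALLOWED_IPS, price_cap=PRICE_CAP,
          window=SPIKE_WINDOW, threshold=SPIKE_THRESHOLD):
    """Return a list of findings as tuples whose first element is the finding kind.

    Lines are assumed to be in chronological order. A spike is reported once per key,
    at the first moment `threshold` requests fall inside `window`.
    """
    findings = []
    recent = defaultdict(deque)   # key label -> timestamps inside the sliding window
    spiked = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["ip"] not in allowed_ips:
            findings.append(("unlisted_ip", ev["key"], ev["ip"], ev["to"]))
        price = price_for(ev["to"])
        if price is None or price > price_cap:
            findings.append(("expensive_destination", ev["key"], ev["to"], price))
        q = recent[ev["key"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["key"] not in spiked:
            spiked.add(ev["key"])
            findings.append(("spike", ev["key"], ev["ts"].isoformat(), len(q)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

On the sample log the script reports six requests from the unlisted IP, five requests to the over-cap +7 prefix, and one spike for the prod-otp key at 10:00:34, when the fifth request inside ten seconds arrives. In production the same checks run before the send call (reject the request) as well as after the fact over the provider's logs (raise an alert), and the price table should come from the provider's current rate card rather than constants.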