Recommendations for validation of authentic POST call for OneSignal push callback?
almost 2 years ago by Ka Wai Cheung
For associating users to devices, I understand the workflow for storing the OneSignal Player ID by defining a callback to our server-side POST call.
However, is there a recommended way to validate the request is authentic (e.g. from GoNative and not some other malicious actor)? Something like a JWT, or even something like a specific set of IP addresses we would anticipate the request coming from?
From a security POV, I want to ensure no one can try to maliciously inject a bogus or other OneSignal ID to obtain info through push notifications.
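
One way to do the validation asked about above, as an added example that is not part of the original post and is not GoNative or OneSignal code: the server issues a short-lived HMAC-signed token to the already logged-in user, puts it in the callback URL, and the POST handler takes the user from the verified token rather than from the request body. The token format, every function name, the secret and the premise that the callback URL can carry such a token are assumptions.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Assumption: a server-side secret; constructed here, loaded from config in practice.
SECRET = b"constructed-demo-secret"
TOKEN_TTL = 300  # seconds a callback token stays valid


def _sign(payload: str) -> str:
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def issue_callback_token(user_id: str, now: Optional[float] = None) -> str:
    """Issued to an authenticated session and embedded in the callback URL."""
    expires = int((time.time() if now is None else now) + TOKEN_TTL)
    payload = f"{user_id}.{expires}"
    return f"{payload}.{_sign(payload)}"


def verify_callback_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id the token was issued for, or None if it is invalid."""
    try:
        user_id, expires, sig = token.rsplit(".", 2)
        expires_at = int(expires)
    except ValueError:
        return None  # wrong shape or non-numeric expiry
    expected = _sign(f"{user_id}.{expires}")
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    if (time.time() if now is None else now) > expires_at:
        return None
    return user_id


def handle_player_id_post(token: str, player_id: str, store: dict) -> bool:
    """Hypothetical POST handler: the user comes from the token, never the body."""
    user_id = verify_callback_token(token)
    if user_id is None or not player_id:
        return False
    store.setdefault(user_id, set()).add(player_id)
    return True
```

This binds a submitted player ID to the user the token was issued for; it does not prove that the player ID itself is a real device.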