Security

It is important to make sure that the service script is called by Fortumo and not anyone else:

  • Check whether the IP address of the server making the request belongs to one of Fortumo's servers. Please contact us at support@fortumo.com for the IP address list for whitelisting. We will let you know by e-mail when the addresses change. In PHP you can check this with the $_SERVER["REMOTE_ADDR"] variable.
  • Choose a concealed name for your directory or script. For example https://yourdomain.com/fortumo.php is not as good as https://yourdomain.com/go850g3oigjrtog/payment-processor.php.
  • Check that the attached signature matches. All the requests are signed with the shared secret only known to you and Fortumo.
  • Check if the payment is a real payment and no test parameter is present.

Signature

The signature is added as the sig parameter and is calculated as the MD5 checksum of the request parameters and the secret concatenated together. You can find your service secret on the service settings page of the Fortumo.com Dashboard. To check whether the sig parameter in the request is valid, make the same calculation yourself and compare the result with the sig you received.

Before calculating the signature make sure to sort the parameters alphabetically.

For example:

PARAMETERS
credit_name = gold
tc_amount = 3333
tc_id = 291
test = ok
secret = bad54c617b3a51230ac7cc3da398855e

CALCULATION STRING
credit_name=goldtc_amount=3333tc_id=291test=okbad54c617b3a51230ac7cc3da398855e

MD5 RESULT AS SIGNATURE
sig = 047f555536f8826825c9079265ad36de
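
The checks listed above, combined into one PHP function. This is an added example, not Fortumo's own code: the function names are hypothetical, the allowlisted IP is a constructed documentation address, and leaving sig out of the calculation string and rejecting array-valued parameters are assumptions of this sketch.

```php
<?php
// Added example; function names are hypothetical, not Fortumo's code.

// Calculation string: key=value pairs sorted by key, then the secret.
function fortumo_calc_string(array $params, string $secret): string
{
    unset($params['sig']);        // assumption: sig is not part of its own input
    ksort($params, SORT_STRING);  // alphabetical order, as the page requires
    $str = '';
    foreach ($params as $key => $value) {
        $str .= $key . '=' . $value;
    }
    return $str . $secret;
}

// True only for a correctly signed, non-test request from an allowlisted IP.
function fortumo_request_ok(array $params, string $secret, string $remoteAddr, array $allowedIps): bool
{
    if (!in_array($remoteAddr, $allowedIps, true)) {
        return false;
    }
    foreach ($params as $value) {
        if (!is_string($value)) {
            return false;         // e.g. sig[]=x arrives as an array in PHP
        }
    }
    if (!isset($params['sig'])) {
        return false;
    }
    $expected = md5(fortumo_calc_string($params, $secret));
    if (!hash_equals($expected, $params['sig'])) {
        return false;             // constant-time comparison failed
    }
    return !array_key_exists('test', $params);  // reject test payments
}

// Constructed input: the page's sample values; the IP is a documentation address.
$secret = 'bad54c617b3a51230ac7cc3da398855e';
$sample = [
    'tc_id' => '291', 'test' => 'ok', 'credit_name' => 'gold',
    'tc_amount' => '3333', 'sig' => '047f555536f8826825c9079265ad36de',
];
echo fortumo_calc_string($sample, $secret), PHP_EOL;
var_dump(fortumo_request_ok($sample, $secret, '192.0.2.10', ['192.0.2.10']));
```

In the service script, pass the request's parameter array and $_SERVER["REMOTE_ADDR"], with the allowlist filled from the IP list provided by Fortumo support.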