
Twilio - how to handle inbound sms

I just made an account on Twilio and I was able to configure things so that I can send SMS through a Django app I wrote.

However, now I am trying to understand what happens to inbound SMS.

Edit: I configured a URL on my Django app to perform some actions, and then I configured Twilio to hit that URL when an inbound message arrives.

However, the process failed and I got this response from Twilio (see below). It seems something security related, right?

```html
<!DOCTYPE html>
<html lang="en">
    <head>
        <meta http-equiv="content-type" content="text/html; charset=utf-8">
            <meta name="robots" content="NONE,NOARCHIVE">
                <title>403 Forbidden</title>
                <style type="text/css">
    html * { padding:0; margin:0; }
    body * { padding:10px 20px; }
    body * * { padding:0; }
    body { font:small sans-serif; background:#eee; color:#000; }
    body>div { border-bottom:1px solid #ddd; }
    h1 { font-weight:normal; margin-bottom:.4em; }
    h1 span { font-size:60%; color:#666; font-weight:normal; }
    #info { background:#f6f6f6; }
    #info ul { margin: 0.5em 4em; }
    #info p, #summary p { padding-top:10px; }
    #summary { background: #ffc; }
    #explanation { background:#eee; border-bottom: 0px none; }
  </style>
            </head>
            <body>
                <div id="summary">
                    <h1>Forbidden 
                        <span>(403)</span>
                    </h1>
                    <p>CSRF verification failed. Request aborted.</p>
                    <p>You are seeing this message because this HTTPS site requires a “Referer header” to be sent by your Web browser, but none was sent. This header is required for security reasons, to ensure that your browser is not being hijacked by third parties.</p>
                    <p>If you have configured your browser to disable “Referer” headers, please re-enable them, at least for this site, or for HTTPS connections, or for “same-origin” requests.</p>
                    <p>If you are using the &lt;meta name=&quot;referrer&quot; content=&quot;no-referrer&quot;&gt; tag or including the “Referrer-Policy: no-referrer” header, please remove them. The CSRF protection requires the “Referer” header to do strict referer checking. If you’re concerned about privacy, use alternatives like &lt;a rel=&quot;noreferrer&quot; …&gt; for links to third-party sites.</p>
                </div>
                <div id="info">
                    <h2>Help</h2>
                    <p>Reason given for failure:</p>
                    <pre>
    Referer checking failed - no Referer.
    </pre>
                    <p>In general, this can occur when there is a genuine Cross Site Request Forgery, or when

                        <a
  href="https://docs.djangoproject.com/en/3.1/ref/csrf/">Django's
  CSRF mechanism</a> has not been used correctly.  For POST forms, you need to
  ensure:
                    </p>
                    <ul>
                        <li>Your browser is accepting cookies.</li>
                        <li>The view function passes a 
                            <code>request</code> to the template's 
                            <a
    href="https://docs.djangoproject.com/en/dev/topics/templates/#django.template.backends.base.Template.render">
                                <code>render</code>
                            </a>
    method.
                        </li>
                        <li>In the template, there is a 
                            <code>{% csrf_token
    %}</code> template tag inside each POST form that
    targets an internal URL.
                        </li>
                        <li>If you are not using 
                            <code>CsrfViewMiddleware</code>, then you must use

                            <code>csrf_protect</code> on any views that use the 
                            <code>csrf_token</code>
    template tag, as well as those that accept the POST data.
                        </li>
                        <li>The form has a valid CSRF token. After logging in in another browser
    tab or hitting the back button after a login, you may need to reload the
    page with the form, because the token is rotated after a login.</li>
                    </ul>
                    <p>You're seeing the help section of this page because you have 
                        <code>DEBUG =
  True</code> in your Django settings file. Change that to 
                        <code>False</code>,
  and only the initial error message will be displayed.  
                    </p>
                    <p>You can customize this page using the CSRF_FAILURE_VIEW setting.</p>
                </div>
            </body>
        </html>
```


If you want to receive inbound text messages, you need to create a webhook that allows you to run your code when an SMS is received (you can respond or do something else). Otherwise the messages will be lost. Read this for details and this for sample code in Django.

Solved the issue by going through this tutorial on Twilio. I was missing the validator, so Django was not allowing the request to come in.

https://www.twilio.com/docs/usage/tutorials/how-to-secure-your-django-project-by-validating-incoming-twilio-requests
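
Added example, not part of the original posts or of Twilio's tutorial: a server-to-server webhook cannot supply the CSRF token or Referer that Django's middleware demands, so such a view is made CSRF-exempt and authenticated by checking Twilio's `X-Twilio-Signature` header instead. The code below reproduces that check with the standard library only (in a Django project the `twilio` package's `RequestValidator` does the same job); `handle_inbound_sms` is a hypothetical, framework-neutral stand-in for the view, and the token, URL and form fields are constructed values.

```python
import base64
import hashlib
import hmac
from xml.sax.saxutils import escape

# Constructed sample values (not real credentials or numbers).
AUTH_TOKEN = "constructed-auth-token"
URL = "https://example.com/sms/inbound/"
PARAMS = {"From": "+15555550100", "To": "+15555550199", "Body": "hi <there>"}


def twilio_signature(auth_token, url, params):
    """Twilio's documented scheme: HMAC-SHA1, keyed with the auth token, over
    the full request URL followed by each POST field name and value (sorted
    by name, no separators), then base64-encoded."""
    payload = url + "".join(name + params[name] for name in sorted(params))
    mac = hmac.new(auth_token.encode(), payload.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def handle_inbound_sms(auth_token, url, params, headers):
    """Hypothetical stand-in for a Django view marked @csrf_exempt.
    Returns (status, body)."""
    supplied = headers.get("X-Twilio-Signature", "")
    expected = twilio_signature(auth_token, url, params)
    # Compare as bytes in constant time; a missing header fails closed.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "invalid Twilio signature"
    # Escape sender-controlled text before echoing it into the TwiML reply.
    reply = escape(params.get("Body", ""))
    return 200, "<Response><Message>Got: %s</Message></Response>" % reply


if __name__ == "__main__":
    good = {"X-Twilio-Signature": twilio_signature(AUTH_TOKEN, URL, PARAMS)}
    print(handle_inbound_sms(AUTH_TOKEN, URL, PARAMS, good))
    print(handle_inbound_sms(AUTH_TOKEN, URL, PARAMS, {}))
    # The URL is part of the signed data: if a TLS-terminating proxy makes
    # the app see http:// instead of https://, a genuine request is rejected.
    seen_url = URL.replace("https", "http", 1)
    print(handle_inbound_sms(AUTH_TOKEN, seen_url, PARAMS, good))
```

The signed URL must be the one configured in the Twilio console, so the application has to reconstruct the externally visible URL when it sits behind a proxy.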
