You probably hear a lot about security, and you may have even put a great deal of time and thought into securing your Twilio app. This post is a reminder of best practices, along with some tips and tricks that will keep you and your customers secure. Security is important to us as we build out our platform, so we know just how vital it is to include these security best practices as you build out your Twilio app. Whether you’re new to security or you have years of experience, here are some tips you may find useful.
Encrypt All The Things! (Especially Your Credentials)
While Twilio’s API is secure, the internet is not. Sending your credentials in the clear is like skywriting your username and password — anyone who looks in the right place can grab it. So don’t send any privileged information using HTTP; use HTTPS instead. This is commonly known as SSL encryption, and you’ll see it around the internet whenever you’re asked to enter a username and password — logging into your bank’s website, checking your email, etc. Twilio’s API supports SSL for all communications, and we strongly recommend that you do not send your account credentials via HTTP to port 80. Instead, use SSL and send credentials via HTTPS on port 443. To use SSL, simply use HTTPS to connect to Twilio.
Twilio also supports HTTP basic and digest authentication. This means you can password protect TwiML URLs on your web server so that only you and Twilio can access them. Be sure to use HTTP authentication in conjunction with SSL. You can find more information and helpful code in our documentation here.
Keep ‘Em Separated
Use subaccounts to tailor your customers’ data, usage and account specifically to their needs. You can keep user activity separate by assigning subaccounts for each user, or segregate data for different projects. For more information on subaccounts and how to get started check out our “How To” tutorial here.
Fight Fraud With Automation
Did you know you can enable Usage Triggers to automatically suspend an account based on specific criteria? Yep, just use the “Circuit Breaker” script to automatically suspend a subaccount in response to set triggers like unexpected high usage. Your Twilio subaccount can potentially catch fraudulent activity faster than you can. Check out our help center for details and sample code.
Use Twilio For Two-Factor Authentication
Two factor authentication adds an extra layer of security to website logins. Using two-factor authentication, a user is prompted to enter in their password as well as a random verification code generated at login time. Combining passwords and verification codes makes it much easier to safeguard your applications. Get started with TFA by taking a look at our docs here.
Learn more about Twilio Security by visiting our Security Docs here.