Twilio Is Implementing Content Security Policy

May 17, 2021
Written by Twilio (Twilion)

Content Security Policy Header

Twilio has traditionally allowed users to load https://twilio.com web pages in an HTML iframe. To improve the security of our services and, in turn, protect our customers, we are implementing the frame-ancestors directive of Content Security Policy across all of https://www.twilio.com.

This particular policy change doesn’t apply to our Flex product or our Flex domain (flex.twilio.com). We are adding the header for the Flex domain, but are implementing it in a different way. For an explanation of how this header is being implemented on Flex, please read this page.

Why are we doing this?

Twilio takes its customers’ security seriously and we are continuously working to up our security game. Content Security Policy provides multiple directives which can be used to improve security. We are starting with frame-ancestors, which allows us to better protect our customers from web-based attacks such as clickjacking.

What’s changing with Twilio’s Content Security Policy?

When visiting twilio.com, you will start seeing a new HTTP response header called Content-Security-Policy, which will block all attempts by third-party sites to load twilio.com in an HTML iframe or any other web framing methodology.
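How a browser decides whether a framed page may render under frame-ancestors, as an added example that is not Twilio's code. The policy value and the customer.example origin are constructed (the page does not state the exact header Twilio sends), and matching is simplified in that paths in source expressions are ignored.

```javascript
// Added example (not Twilio's code). Simplified frame-ancestors matching:
// paths in source expressions are ignored.

// Return the frame-ancestors source list, or null when the directive is absent.
function frameAncestorsSources(headerValue) {
  for (const directive of headerValue.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    // Directive names are case-insensitive; only the first occurrence counts.
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

// A policy scheme matches itself; "http" also matches the upgraded "https".
const schemeOk = (want, got) => got === want || (want === 'http:' && got === 'https:');
const effectivePort = (u) => u.port || (u.protocol === 'https:' ? '443' : '80');

// Does one source expression allow one ancestor (both arguments are URL objects)?
function sourceMatches(source, ancestor, self) {
  const expr = source.toLowerCase();
  if (expr === "'self'") return ancestor.origin === self.origin;
  if (expr === '*') return ['http:', 'https:'].includes(ancestor.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) return schemeOk(expr, ancestor.protocol);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(expr);
  if (!m) return false; // 'none' or anything unparseable matches nothing
  const [, scheme, wildcard, host, port] = m;
  const hostOk = wildcard ? ancestor.hostname.endsWith('.' + host)
                          : ancestor.hostname === host;
  const portOk = port === '*' ||
    (port ? effectivePort(ancestor) === port : ancestor.port === '');
  return schemeOk(scheme ? scheme + ':' : self.protocol, ancestor.protocol) && hostOk && portOk;
}

// True only if every ancestor in the frame chain is allowed by the policy.
function framingAllowed(headerValue, selfOrigin, ancestorOrigins) {
  const sources = frameAncestorsSources(headerValue);
  if (sources === null) return true; // no directive: CSP does not restrict framing
  const self = new URL(selfOrigin);
  return ancestorOrigins.every((o) =>
    sources.some((s) => sourceMatches(s, new URL(o), self)));
}

// Constructed policy and origins, not Twilio's actual header value.
const SAMPLE_POLICY = "default-src 'self'; frame-ancestors 'self'";
console.log(framingAllowed(SAMPLE_POLICY, 'https://www.twilio.com', ['https://customer.example']));
```

The ancestor list runs from the immediate parent up to the top-level page; a same-origin parent does not help if any frame above it is on a disallowed origin.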

What do I need to do?

If you’re a customer currently loading twilio.com web pages in a frame on your own site, you’ll need to discontinue this practice. Using iframes and other web content framing will no longer work after May 24th, 2021.

Frequently asked questions

We’re sure you have some questions around this change. Please see below for some of the questions you might have around our new HTTP header.

What is a web frame?

A web frame is a mechanism to load external website content within your own web page. The most common kind of web frame is an iframe, which allows you to embed the entirety of another site with an HTML tag.

What is Content Security Policy?

Content Security Policy is an HTTP header that adds a layer of security protection against well-known web attacks. For more information, please see here.

What can I do if I want to continue to load twilio.com in a web frame?

Unfortunately, if you’re a customer outside the twilio.com domain, you will not be able to load twilio.com in a web frame in any capacity starting after May 24th, 2021.

Will I still be able to load my Flex instance in an iframe?

If you are a paid customer of Flex, you can continue framing Flex. Please read this page for more information on how you can frame Flex.

To a more secure twilio.com

This change will take effect on May 24th, 2021. We thank you for being a partner in enhancing our security. If you have any questions, please reach out to us at support@twilio.com.