Securing your Backend Service
What is a Callback?
A callback is a function that will be executed only after the current function has finished executing. You subscribe to a callback by configuring a URL that will process an incoming request and respond in a certain format.
Validating Callbacks from Twilio Frontline
Your backend service should verify that Twilio is the service that sent a callback before responding to that request. This is important for securing sensitive data and for protecting your application and servers from abuse.
Twilio will sign all inbound requests to your application with an X-Twilio-Signature HTTP header. Twilio uses the parameters sent in the webhook (either GET or POST) and the exact URL your application supplied to Twilio to create this signature. The signature uses the HMAC-SHA1 hashing algorithm with your Twilio account's auth token as the secret key.
Your Frontline Integration Service can verify that this signature is correct using the server-side Twilio SDKs (see examples below). You will need your account's auth token, the value of the X-Twilio-Signature HTTP header Twilio passed to you, the URL Twilio sent the webhook to, and all of the parameters sent by Twilio.
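The same check can be written out with only the Python standard library, which shows what goes into the signature and why a changed URL or parameter invalidates it. This is an added example, not Twilio's code: it assumes a form-encoded POST callback in which each parameter is appended to the URL as name followed by value, sorted by name, and the HMAC-SHA1 digest is Base64-encoded. The auth token, URL and parameter values are constructed.

```python
import base64
import hashlib
import hmac


def compute_signature(auth_token: str, url: str, params: dict) -> str:
    """Build the expected X-Twilio-Signature value for a form-encoded callback."""
    # Start from the exact URL configured in Twilio, then append every POST
    # parameter as name immediately followed by value, sorted by name.
    payload = url
    for key in sorted(params):
        payload += key + params[key]
    digest = hmac.new(auth_token.encode("utf-8"),
                      payload.encode("utf-8"),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def is_valid_callback(auth_token: str, url: str, params: dict,
                      header_signature) -> bool:
    """Return True only when the header matches the locally computed value."""
    if not header_signature:
        return False  # missing header: treat as unsigned and reject
    expected = compute_signature(auth_token, url, params)
    # Compare as bytes in constant time; encoding first also keeps a header
    # containing non-ASCII characters from raising instead of failing closed.
    return hmac.compare_digest(expected.encode("utf-8"),
                               header_signature.encode("utf-8"))


# Constructed sample values (not real credentials or a real endpoint).
AUTH_TOKEN = "example-auth-token-not-real"
CALLBACK_URL = "https://frontline.example.com/callbacks/crm"
PARAMS = {"Worker": "agent@example.com", "Location": "GetCustomersList",
          "PageSize": "30"}

if __name__ == "__main__":
    good = compute_signature(AUTH_TOKEN, CALLBACK_URL, PARAMS)
    tampered = dict(PARAMS, Worker="other@example.com")
    http_url = CALLBACK_URL.replace("https://", "http://", 1)
    print("genuine:", is_valid_callback(AUTH_TOKEN, CALLBACK_URL, PARAMS, good))
    print("tampered body:", is_valid_callback(AUTH_TOKEN, CALLBACK_URL, tampered, good))
    print("different URL:", is_valid_callback(AUTH_TOKEN, http_url, PARAMS, good))
    print("no header:", is_valid_callback(AUTH_TOKEN, CALLBACK_URL, PARAMS, None))
```

If the service sits behind a proxy or load balancer, pass the public URL that was configured in Twilio rather than the internal one the framework reports, otherwise genuine callbacks fail this check.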
Tutorials for Validating Incoming Twilio Requests
You can follow one of our handy tutorials for your chosen language and web application framework. Use something we don't have on this list? Let us know, and we'll try and point you in the right direction.