Webhooks Security
Ensuring secure communication between your application and Twilio is essential. There are several layers of security and validation that you can build into your web application for handling Twilio webhooks - let's review each of these.
HTTPS/TLS
The first step you should take to secure your web application is to ensure that you are using HTTPS for your web application's end point. Twilio will not connect to an HTTPS URL with a self-signed certificate, so use a certificate from a provider such as Let's Encrypt.
Twilio can use the HTTP protocol for callbacks - for instance, if you are working on a development environment that does not have SSL certificates installed. On your Twilio project's Settings page in the Console, the SSL Certificate Validation setting enforces validation on webhooks.
Be aware Twilio strongly recommends against pinning certificates. This is an outdated practice as certificates can be rotated at any time.
Here is the list of supported TLS ciphers for callbacks.
Validating Signatures from Twilio
Your web application should verify that Twilio is the service that sent a webhook before responding to that request. This is important for securing sensitive data, and to protect your application and servers from abuse.
Twilio will sign all inbound requests to your application with an X-Twilio-Signature HTTP header. Twilio uses the parameters sent in the webhook (either GET or POST) and the exact URL your application supplied to Twilio to create this signature. The signature uses the HMAC-SHA1 hashing algorithm with your Twilio account's auth token as the secret key.
Your application can verify that this signature is correct using the server side Twilio SDKs (see examples below). You will need your account's auth token, the value of the X-Twilio-Signature HTTP header Twilio passed to you, the URL Twilio sent the webhook to and all of the parameters sent by Twilio.
The parameters included in webhook events vary by channel and event type and are subject to change in the future. Twilio will occasionally add new parameters without advance notice. When integrating with webhooks, it is important that your implementation is able to accept and correctly run signature validation on an evolving set of parameters. We strongly recommend using the provided signature validation library from a Twilio SDK and not implementing your own signature validation.
When validating the signature on a websocket request, note that the header parameter name will be all lower case: x-twilio-signature.
For more, including code samples and a description of how Twilio signs requests to your web application see this page on how to validate Twilio requests. The exact algorithm that Twilio uses to calculate the signature header (including whether or not the port number is used) is described in detail.
Tutorials for Validating Incoming Twilio Requests
Once you've decided to add Twilio request validation to your application, you can follow one of our handy tutorials for your chosen language and web application framework. Use something we don't have on this list? Let us know, and we'll try and point you in the right direction.
- Node.js / Express
- C# / ASP.NET Core
- C# / ASP.NET
- C# / ASP.NET WEB API
- Java / Servlets
- Python / Django
- Python / Flask
- Python / Amazon Web Services Lambda
- PHP / Lumen
- Ruby / Sinatra
- Go/Gin
Webhooks and IP Addresses
Twilio uses a cloud architecture to provide services, and as such, does not have a fixed range of IP addresses that issue webhooks.
When designing your network architecture, you may wish to have one set of servers and a load balancer in a DMZ that receive webhook requests from Twilio, and then proxy those requests to your private network.
For more about Twilio and IP Addresses, please see this support Article: All About Twilio IP Addresses
HTTP Authentication
Twilio supports HTTP Basic and Digest Authentication. This allows you to password protect the TwiML URLs on your web server so that only you and Twilio can access them. You may provide a username and password via the following URL format.
https://username:password@www.myserver.com/my_secure_document
For more about how Twilio uses HTTP Authentication for webhook requests, please visit the Security documentation.
Need some help?
We all do sometimes; code is hard. Get help now from our support team, or lean on the wisdom of the crowd by visiting Twilio's Stack Overflow Collective or browsing the Twilio tag on Stack Overflow.
