Validating Requests are coming from Twilio

If your application exposes sensitive data, or is possibly mutative to your data, then you may want to be sure that the HTTP requests to your web application are indeed coming from Twilio, and not a malicious third party. To allow you this level of security, Twilio cryptographically signs its requests.

1. Turn on TLS on your server and configure your Twilio account to use HTTPS URLs.
2. Twilio assembles its request to your application, including the final URL and any POST fields.
   - If your request is a POST, Twilio takes all the POST fields, sorts them alphabetically by their name, and concatenates the parameter name and value to the end of the URL (with no delimiter).
   - If the request is a GET, the final URL includes all of Twilio's request parameters appended in the query string of your original URL using the standard delimiter & between the name/value pairs.
3. Twilio takes the resulting string (the full URL with scheme, port, query string and any POST parameters) and signs it using HMAC-SHA1 and your AuthToken as the key.
4. Twilio sends this signature in an HTTP header called X-Twilio-Signature.
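The receiving side of this scheme, as an added Python example (not Twilio's own code): it rebuilds the signed string from the URL and POST fields, recomputes the HMAC-SHA1, and compares it to the header in constant time. The base64 encoding of the header value is not stated on this page and is included here as known Twilio behaviour; the token, URL and parameters are constructed sample values, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac


def expected_signature(auth_token, url, post_params=None):
    """Rebuild the signed string and return the value expected in the header."""
    data = url  # full URL exactly as configured: scheme, port, query string
    # POST only: sort fields by name, append name then value with no delimiter.
    # For a GET, the parameters are already part of the URL's query string.
    for name in sorted(post_params or {}):
        data += name + post_params[name]
    digest = hmac.new(auth_token.encode("utf-8"),
                      data.encode("utf-8"),
                      hashlib.sha1).digest()
    # Assumption (not on this page): the header carries the base64 of the digest.
    return base64.b64encode(digest).decode("ascii")


def is_from_twilio(auth_token, url, post_params, header_value):
    """Return True only if X-Twilio-Signature matches the recomputed value."""
    if not header_value:
        return False  # a missing header is a failed validation, not a skip
    expected = expected_signature(auth_token, url, post_params)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode("utf-8"),
                               header_value.encode("utf-8"))


# Constructed sample values: not real credentials, numbers or endpoints.
AUTH_TOKEN = "example_auth_token_0123456789abcdef"
URL = "https://example.com/twilio/sms?tenant=42"
PARAMS = {"To": "+15550100002", "From": "+15550100001", "Body": "hello"}

if __name__ == "__main__":
    header = expected_signature(AUTH_TOKEN, URL, PARAMS)
    print("genuine request:", is_from_twilio(AUTH_TOKEN, URL, PARAMS, header))
    tampered = dict(PARAMS, Body="hello!")
    print("tampered body:  ", is_from_twilio(AUTH_TOKEN, URL, tampered, header))
    # Behind a TLS-terminating proxy the app may see http://; the scheme is signed.
    print("wrong scheme:   ",
          is_from_twilio(AUTH_TOKEN, URL.replace("https", "http"), PARAMS, header))
```

The URL passed in must be the one configured in the Twilio account, not one reconstructed from proxy-rewritten request data, or genuine requests will fail validation.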