PHP Cross Reference of Phabricator
===========================
Validate Incoming Requests
===========================

Twilio requires that your TwiML-serving web server be open to the public. This is necessary so that Twilio can retrieve TwiML from URLs and POST data back to your server.

However, there may be people out there trying to spoof the Twilio service. Luckily, there's an easy way to validate that incoming requests are from Twilio and Twilio alone.

An `in-depth guide <http://www.twilio.com/docs/security>`_ to our security features can be found in our online documentation.

Before you can validate requests, you'll need four pieces of information:

* your Twilio Auth Token
* the POST data for the request
* the requested URL
* the X-Twilio-Signature header value

Get your Auth Token from the `Twilio User Dashboard <https://www.twilio.com/user/account>`_.

Obtaining the other three pieces of information depends on the framework of your choosing. I will assume that you have the POST data as an array and the URL and X-Twilio-Signature as strings.

The example below will print out a confirmation message if the request is actually from Twilio.com.

.. code-block:: php

    // Your auth token from twilio.com/user/account
    $authToken = '12345';

    // Download the twilio-php library from twilio.com/docs/php/install, include it
    // here
    require_once('/path/to/twilio-php/Services/Twilio.php');
    $validator = new Services_Twilio_RequestValidator($authToken);

    // The Twilio request URL. You may be able to retrieve this from
    // $_SERVER['SCRIPT_URI']
    $url = 'https://mycompany.com/myapp.php?foo=1&bar=2';

    // The post variables in the Twilio request. You may be able to use
    // $postVars = $_POST
    $postVars = array(
        'CallSid' => 'CA1234567890ABCDE',
        'Caller' => '+14158675309',
        'Digits' => '1234',
        'From' => '+14158675309',
        'To' => '+18005551212'
    );

    // The X-Twilio-Signature header - in PHP this should be
    // $_SERVER["HTTP_X_TWILIO_SIGNATURE"];
    $signature = 'RSOYDt4T1cUTdK1PDd93/VVr8B8=';

    if ($validator->validate($signature, $url, $postVars)) {
        echo "Confirmed to have come from Twilio.";
    } else {
        echo "NOT VALID. It might have been spoofed!";
    }

Trailing Slashes
================

If your URL uses an "index" page, such as index.php or index.html, to handle the request (for example https://mycompany.com/twilio, where the real page is served from https://mycompany.com/twilio/index.php), then Apache or PHP may rewrite that URL slightly so that it has a trailing slash, e.g. https://mycompany.com/twilio/.

Using the code above, or similar code in another language, you could end up with an incorrect hash because Twilio built the hash using https://mycompany.com/twilio and you may have built the hash using https://mycompany.com/twilio/.
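The following is an added example, not part of the original document or of the twilio-php library: a stand-alone Python implementation of the documented signature scheme (HMAC-SHA1 over the full URL followed by the key-sorted POST parameters, base64-encoded), together with a check that shows how a rewritten trailing slash breaks validation and one way to cope with it. The token, URL and POST values are constructed sample data mirroring the page's example.

```python
import base64
import hashlib
import hmac

# Constructed sample request values (mirrors the page's example; not a real token)
AUTH_TOKEN = "12345"
URL = "https://mycompany.com/twilio"
POST_VARS = {
    "CallSid": "CA1234567890ABCDE",
    "Caller": "+14158675309",
    "Digits": "1234",
    "From": "+14158675309",
    "To": "+18005551212",
}


def compute_signature(auth_token, url, post_vars):
    """Rebuild X-Twilio-Signature: HMAC-SHA1, keyed with the auth token, over the
    full request URL followed by every POST key and value concatenated in
    key-sorted order; the digest is base64-encoded."""
    payload = url + "".join(k + v for k, v in sorted(post_vars.items()))
    mac = hmac.new(auth_token.encode(), payload.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def validate(auth_token, signature, url, post_vars):
    """True only if the header matches; compare in constant time so the check
    itself does not leak how many leading bytes of the expected value matched."""
    expected = compute_signature(auth_token, url, post_vars)
    return hmac.compare_digest(expected.encode(), signature.encode())


def validate_any_url(auth_token, signature, candidate_urls, post_vars):
    """Accept the request if the signature matches any spelling of the URL the
    web server may have produced (with or without a trailing slash)."""
    return any(validate(auth_token, signature, u, post_vars) for u in candidate_urls)


def trailing_slash_demo():
    """Twilio signed the URL without a slash; the rewritten URL with a slash
    fails the strict check, but checking both spellings recovers the match."""
    signature = compute_signature(AUTH_TOKEN, URL, POST_VARS)
    rewritten = URL + "/"
    strict = validate(AUTH_TOKEN, signature, rewritten, POST_VARS)
    lenient = validate_any_url(
        AUTH_TOKEN, signature, [rewritten, rewritten.rstrip("/")], POST_VARS
    )
    return strict, lenient  # returns (False, True)
```

Any change to the POST body, the URL or the token changes the expected value, so a tampered parameter is rejected the same way a wrong URL spelling is.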
Generated: Sun Nov 30 09:20:46 2014 | Cross-referenced by PHPXref 0.7.1