# Securing your Backend Service ## What is a Callback? A **callback** is a function that will be executed only after the current function has finished executing. You subscribe to a callback by configuring a URL which will process an incoming request and respond back in a certain format. ## Validating Callbacks from Twilio Frontline Your backend service should verify that Twilio is the service that sent a callback before responding to that request. This is important for securing sensitive data, and to protect your application and servers from abuse. Twilio will sign all inbound requests to your application with an `X-Twilio-Signature` HTTP header. Twilio uses the parameters sent in the webhook (either `GET` or `POST`) and the exact URL your application supplied to Twilio to create this signature. The signature uses the HMAC-SHA1 hashing algorithm with your Twilio account's auth token as the secret key. Your Frontline Integration Service can verify that this signature is correct using the Twilio server-side SDKs (see examples below). You will need your account's auth token, the value of the `X-Twilio-Signature` HTTP header Twilio passed to you, the URL Twilio sent the webhook to and all of the parameters sent by Twilio. Validate Signature of Request ```js // Get twilio-node from twilio.com/docs/libraries/node const client = require('twilio'); // Your Auth Token from twilio.com/console const authToken = process.env.TWILIO_AUTH_TOKEN; // Store Twilio's request URL (the url of your webhook) as a variable const url = 'https://mycompany.com/myapp'; // Store the application/x-www-form-urlencoded parameters from Twilio's request as a variable // In practice, this MUST include all received parameters, not a // hardcoded list of parameters that you receive today. New parameters // may be added without notice. const params = { CallSid: 'CA1234567890ABCDE', Caller: '+12349013030', Digits: '1234', From: '+12349013030', To: '+18005551212', }; // Store the X-Twilio-Signature header attached to the request as a variable const twilioSignature = 'Np1nax6uFoY6qpfT5l9jWwJeit0='; // Check if the incoming signature is valid for your application URL and the incoming parameters console.log(client.validateRequest(authToken, twilioSignature, url, params)); ``` ```py import os # Download the twilio-python library from twilio.com/docs/python/install from twilio.request_validator import RequestValidator # Your Auth Token from twilio.com/user/account auth_token = os.environ['TWILIO_AUTH_TOKEN'] # Initialize the request validator validator = RequestValidator(auth_token) # Store Twilio's request URL (the url of your webhook) as a variable url = 'https://example.com/myapp' # Store the application/x-www-form-urlencoded parameters from Twilio's request as a variable # In practice, this MUST include all received parameters, not a # hardcoded list of parameters that you receive today. New parameters # may be added without notice. params = { 'CallSid': 'CA1234567890ABCDE', 'Caller': '+12349013030', 'Digits': '1234', 'From': '+12349013030', 'To': '+18005551212' } # Store the X-Twilio-Signature header attached to the request as a variable twilio_signature = 'Np1nax6uFoY6qpfT5l9jWwJeit0=' # Check if the incoming signature is valid for your application URL and the incoming parameters print(validator.validate(url, params, twilio_signature)) ``` ```cs // Download the twilio-csharp library from // https://www.twilio.com/docs/libraries/csharp#installation using System; using System.Collections.Generic; using Twilio.Security; class Example { static void Main(string[] args) { // Your Auth Token from twilio.com/console const string authToken = Environment.GetEnvironmentVariable("TWILIO_AUTH_TOKEN"); // Initialize the request validator var validator = new RequestValidator(authToken); // Store Twilio's request URL (the url of your webhook) as a variable const string url = "https://example.com/myapp"; // Store the application/x-www-form-urlencoded params from Twilio's request as a variable // In practice, this MUST include all received parameters, not a // hardcoded list of parameters that you receive today. New parameters // may be added without notice. var parameters = new Dictionary { {"CallSid", "CA1234567890ABCDE"}, {"Caller", "+12349013030"}, {"Digits", "1234"}, {"From", "+12349013030"}, {"To", "+18005551212"} }; // Store the X-Twilio-Signature header attached to the request as a variable const string twilioSignature = "Np1nax6uFoY6qpfT5l9jWwJeit0="; // Check if the incoming signature is valid for your application URL and the incoming parameters Console.WriteLine(validator.Validate(url, parameters, twilioSignature)); } } ``` ```java // Install the Java helper library from twilio.com/docs/java/install import java.util.HashMap; import java.util.Map; import com.twilio.security.RequestValidator; public class Example { // Your Auth Token from twilio.com/user/account public static final String AUTH_TOKEN = System.getenv("TWILIO_AUTH_TOKEN"); public static void main(String[] args) throws java.net.URISyntaxException { // Initialize the request validator RequestValidator validator = new RequestValidator(AUTH_TOKEN); // Store Twilio's request URL (the url of your webhook) as a variable String url = "https://example.com/myapp"; // Store the application/x-www-form-urlencoded parameters from Twilio's request as a variable // In practice, this MUST include all received parameters, not a // hardcoded list of parameters that you receive today. New parameters // may be added without notice. Map params = new HashMap<>(); params.put("CallSid", "CA1234567890ABCDE"); params.put("Caller", "+12349013030"); params.put("Digits", "1234"); params.put("From", "+12349013030"); params.put("To", "+18005551212"); // Store the X-Twilio-Signature header attached to the request as a variable String twilioSignature = "Np1nax6uFoY6qpfT5l9jWwJeit0="; // Check if the incoming signature is valid for your application URL and the incoming parameters System.out.println(validator.validate(url, params, twilioSignature)); } } ``` ```go package main import ( "fmt" "os" "github.com/twilio/twilio-go/client" ) func main() { // Your Auth Token from twilio.com/console authToken := os.Getenv("TWILIO_AUTH_TOKEN") // Initialize the request validator requestValidator := client.NewRequestValidator(authToken) // Store Twilio's request URL (the url of your webhook) as a variable url := "https://example.com/myapp" // Store the application/x-www-form-urlencoded params from Twilio's request as a variable // In practice, this MUST include all received parameters, not a // hardcoded list of parameters that you receive today. New parameters // may be added without notice. params := map[string]string{ "CallSid": "CA1234567890ABCDE", "Caller": "+12349013030", "Digits": "1234", "From": "+12349013030", "To": "+18005551212", } // Store the X-Twilio-Signature header attached to the request as a variable signature := "Np1nax6uFoY6qpfT5l9jWwJeit0=" // Check if the incoming signature is valid for your application URL and the incoming parameters fmt.Println(requestValidator.Validate(url, params, signature)) } ``` ```php 'CA1234567890ABCDE', 'Caller' => '+12349013030', 'Digits' => '1234', 'From' => '+12349013030', 'To' => '+18005551212' ); // Check if the incoming signature is valid for your application URL and the incoming parameters if ($validator->validate($signature, $url, $postVars)) { echo "Confirmed to have come from Twilio."; } else { echo "NOT VALID. It might have been spoofed!"; } ``` ```rb # Get twilio-ruby from twilio.com/docs/ruby/install require 'rubygems' # This line not needed for ruby > 1.8 require 'twilio-ruby' # Get your Auth Token from https://www.twilio.com/console auth_token = ENV['TWILIO_AUTH_TOKEN'] # Initialize the request validator validator = Twilio::Security::RequestValidator.new(auth_token) # Store Twilio's request URL (the url of your webhook) as a variable url = 'https://example.com/myapp' # Store the application/x-www-form-urlencoded params from Twilio's request as a variable # In practice, this MUST include all received parameters, not a # hardcoded list of parameters that you receive today. New parameters # may be added without notice. params = { 'CallSid' => 'CA1234567890ABCDE', 'Caller' => '+12349013030', 'Digits' => '1234', 'From' => '+12349013030', 'To' => '+18005551212' } # Store the X-Twilio-Signature header attached to the request as a variable twilio_signature = 'Np1nax6uFoY6qpfT5l9jWwJeit0=' # Check if the incoming signature is valid for your application URL and the incoming parameters puts validator.validate(url, params, twilio_signature) ``` ## Tutorials for Validating Incoming Twilio Requests You can follow one of our handy tutorials for your chosen language and web application framework. Use something we don't have on this list? Let us know, and we'll try and point you in the right direction. * [Node.js / Express](/docs/usage/tutorials/how-to-secure-your-express-app-by-validating-incoming-twilio-requests) * [C# / ASP.NET Core](/docs/usage/tutorials/how-to-secure-your-csharp-aspnet-core-app-by-validating-incoming-twilio-requests) * [C# / ASP.NET](/docs/usage/tutorials/how-to-secure-your-csharp-aspnet-app-by-validating-incoming-twilio-requests) * [C# / ASP.NET WEB API](/docs/usage/tutorials/how-to-secure-your-csharp-aspnet-web-api-app-by-validating-incoming-twilio-requests) * [Java / Servlets](/docs/usage/tutorials/how-to-secure-your-servlet-app-by-validating-incoming-twilio-requests) * [Python / Django](/docs/usage/tutorials/how-to-secure-your-django-project-by-validating-incoming-twilio-requests) * [Python / Flask](/docs/usage/tutorials/how-to-secure-your-flask-app-by-validating-incoming-twilio-requests) * [Python / Amazon Web Services Lambda](https://www.twilio.com/blog/secure-your-sinatra-app-validating-incoming-twilio-requests) * [PHP / Lumen](/docs/usage/tutorials/how-to-secure-your-lumen-app-by-validating-incoming-twilio-requests) * [Ruby / Sinatra](https://www.twilio.com/en-us/blog/secure-your-sinatra-app-validating-incoming-twilio-requests)