Secure your Sinatra App by Validating Incoming Twilio Requests
A starting point
If you need help setting up a development environment for Ruby, check the setup documentation.
We will start building from a basic code example implementing a Sinatra application.
Run the example code with:
$ ruby index.rb
This application returns TwiML to any request to "/" without any validation whatsoever:
$ curl -XPOST http://localhost:4567
<?xml version="1.0" encoding="UTF-8"?> <Response><Message>Hello World</Message></Response>
# You can find your Twilio Auth Token here: https://www.twilio.com/console
# Set at runtime as follows:
# $ TWILIO_AUTH_TOKEN="XXXXXXXXXXXXXXXXXXX" ruby index.rb
#
# This will not work unless you export the TWILIO_AUTH_TOKEN environment
# variable.
require 'sinatra'
require 'twilio-ruby'

post '/' do
  content_type 'text/xml'
  # Build the TwiML reply; MessagingResponse#message takes the text as the body: keyword.
  response = Twilio::TwiML::MessagingResponse.new
  response.message(body: 'Hello World')
  # Sinatra needs a String body, so render the TwiML object to XML.
  response.to_s
end
Adding request validation
To add request validation to your Sinatra App, you'll need the Authentication Token for the Twilio API from the Twilio Console. The token is passed to the application by exporting a new environment variable:
$ export TWILIO_AUTH_TOKEN="TWILIO_AUTH_TOKEN_HERE"
To enable request validation through the Rack middleware, add the following line before the route definition:
use Rack::TwilioWebhookAuthentication, ENV['TWILIO_AUTH_TOKEN'], '/'
# You can find your Twilio Auth Token here: https://www.twilio.com/console
# Set at runtime as follows:
# $ TWILIO_AUTH_TOKEN="XXXXXXXXXXXXXXXXXXX" ruby index.rb
#
# This will not work unless you export the TWILIO_AUTH_TOKEN environment
# variable.
require 'sinatra'
require 'twilio-ruby'
require 'rack'

# To set up environmental variables, see http://twil.io/secure
# The middleware recomputes the X-Twilio-Signature for every request to '/'
# using the auth token and rejects requests whose signature does not match.
use Rack::TwilioWebhookAuthentication, ENV['TWILIO_AUTH_TOKEN'], '/'

post '/' do
  content_type 'text/xml'
  response = Twilio::TwiML::MessagingResponse.new
  response.message(body: 'Store Location: 123 Easy St.')
  # Sinatra needs a String body, so render the TwiML object to XML.
  response.to_s
end
Overview and testing
At this point the example has grown to authenticate incoming Twilio requests using your Authentication Token.
We can test that request validation is working by repeating the previous curl step:
$ curl -XPOST http://localhost:4567
Twilio Request Validation Failed.
This is how you confirm that incoming requests to your Sinatra application are genuine. The application returns <?xml version="1.0" encoding="UTF-8"?> <Response><Message>Hello World</Message></Response>
if the request carries a valid signature, or Twilio Request Validation Failed.
if it does not. The middleware either passes the request on to the route or returns a 403 Forbidden HTTP response for invalid requests, and the unsigned curl request above is rejected because it carries no X-Twilio-Signature header.
Validation during testing
If you write tests for your Sinatra application, those tests may fail for routes where you use Twilio request validation, because the test requests carry no valid X-Twilio-Signature header. To fix this problem we recommend using a mocking library in your tests. Take a look at the official Rack documentation for mocking requests and mocking responses.
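The two sections above describe what the middleware checks and why unsigned test requests fail. The following is an added example, not code from this post or from the twilio-ruby gem: a stand-alone re-implementation of the same signature check using only the Ruby standard library, plus a helper that signs a request the way Twilio does so a test can exercise a validated route without mocking. The auth token, URL, parameters, the hypothetical handle_webhook and signed_request helpers, and the TwiML string are all constructed for illustration.

```ruby
require 'openssl'

FAILURE_BODY = 'Twilio Request Validation Failed.'.freeze
# Constructed stand-in for the TwiML the route returns (twilio-ruby is not loaded here).
HELLO_TWIML = '<?xml version="1.0" encoding="UTF-8"?><Response><Message>Hello World</Message></Response>'.freeze

# Twilio signs a webhook with HMAC-SHA1 over the full request URL followed by
# every POST parameter's name and value, sorted by name, and Base64-encodes
# the digest into the X-Twilio-Signature header.
def twilio_signature(auth_token, url, post_params = {})
  data = url.dup
  post_params.sort_by { |name, _| name.to_s }.each do |name, value|
    data << name.to_s << value.to_s
  end
  [OpenSSL::HMAC.digest('sha1', auth_token, data)].pack('m0') # strict Base64
end

# Constant-time comparison so the check does not reveal how many leading
# bytes of a forged signature happened to be right.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The check the middleware performs: recompute the signature from the auth
# token and the request as received, then compare it with the header value.
def valid_twilio_request?(auth_token, url, post_params, signature_header)
  return false if signature_header.nil? || signature_header.empty?
  secure_compare(twilio_signature(auth_token, url, post_params), signature_header)
end

# Hypothetical request handler mirroring the middleware plus the route:
# a request is a Hash with :url, :params and :headers. Returns [status, body].
def handle_webhook(auth_token, request)
  signature = request[:headers]['X-Twilio-Signature']
  unless valid_twilio_request?(auth_token, request[:url], request[:params], signature)
    return [403, FAILURE_BODY]
  end
  [200, HELLO_TWIML]
end

# Hypothetical test helper: build a request signed with the same token the
# application is configured with, so a test can reach the protected route.
def signed_request(auth_token, url, params)
  { url: url, params: params,
    headers: { 'X-Twilio-Signature' => twilio_signature(auth_token, url, params) } }
end

if __FILE__ == $PROGRAM_NAME
  token = 'constructed-auth-token-not-real'
  url = 'https://example.com/'
  params = { 'From' => '+15005550006', 'Body' => 'hello' }

  genuine = signed_request(token, url, params)
  p handle_webhook(token, genuine)                                    # 200 + TwiML
  tampered = genuine.merge(params: params.merge('Body' => 'changed'))
  p handle_webhook(token, tampered)                                   # 403
  p handle_webhook(token, genuine.merge(headers: {}))                 # 403, like the curl above
end
```

Because the signature covers the URL Twilio actually requested, the application must see the same scheme, host and path (for example behind a TLS-terminating proxy or a tunnel); a mismatch there produces the same 403 as a forged body, which is worth remembering when a genuine webhook is unexpectedly rejected.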
What’s next?
Validating requests to your Twilio webhooks is a great first step for securing your Twilio application. We recommend reading over our full security documentation for more advice on protecting your app, and the Anti-Fraud Developer’s Guide in particular.
To learn more about securing your Sinatra application in general, check out the security considerations page in the official Sinatra documentation, or you can also take a look at the official Rack documentation and the Twilio Ruby SDK.