Twilio Is Implementing Content Security Policy
Twilio has traditionally allowed users to load https://twilio.com web pages in an HTML iframe. To improve the security of our services, and in turn protect our customers, we are implementing the frame-ancestors directive of Content Security Policy on the entirety of https://www.twilio.com.
Why are we doing this?
Twilio takes its customers’ security seriously, and we are continuously working to up our security game. Content Security Policy provides multiple directives which can be used to improve security. We are starting with frame-ancestors, which allows us to better protect our customers from web-based attacks such as clickjacking.
What’s changing with Twilio’s Content Security Policy?
When visiting twilio.com, you will start seeing a new HTTP response header called Content-Security-Policy, which will block all attempts by third-party sites to load twilio.com in an HTML iframe or any other web framing methodology.
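How a browser decides whether an embedding page may frame a response carrying this header, sketched as an added example (not Twilio's code and not part of the original post). The header values and the customer.example and partner.example origins are constructed, since the post does not give the policy's source list, and the matching is a simplified version of the CSP rules.

```javascript
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Return the frame-ancestors source list, or null when the directive is absent.
function frameAncestors(cspHeader) {
  for (const directive of cspHeader.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// Simplified matching: keywords, "*", scheme sources, host sources (scheme, "*." prefix, port).
function sourceMatches(source, ancestor, self) {
  const s = source.toLowerCase();
  if (s === "'self'") return ancestor.origin === self.origin;
  if (s.startsWith("'")) return false; // 'none' and unknown keywords match nothing
  if (s === "*") return ancestor.protocol in DEFAULT_PORTS;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return ancestor.protocol === s; // e.g. "https:"
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // Assumption: a scheme-less host source inherits the protected page's scheme.
  if (ancestor.protocol !== (scheme ? scheme + ":" : self.protocol)) return false;
  const hostOk = wildcard
    ? ancestor.hostname.endsWith("." + host) // "*.a.example" does not match "a.example"
    : ancestor.hostname === host;
  const actual = ancestor.port || DEFAULT_PORTS[ancestor.protocol]; // URL.port is "" for defaults
  const wanted = port ?? DEFAULT_PORTS[ancestor.protocol];
  return hostOk && (port === "*" || actual === wanted);
}

// Checks one ancestor; a browser applies the same test to every ancestor in the frame chain.
function framingAllowed(cspHeader, pageUrl, ancestorUrl) {
  const sources = frameAncestors(cspHeader);
  if (sources === null) return true; // frame-ancestors does not fall back to default-src
  const self = new URL(pageUrl);
  const ancestor = new URL(ancestorUrl);
  return sources.some((src) => sourceMatches(src, ancestor, self));
}

// Constructed sample: a third-party page trying to frame a page served with 'self'.
const SAMPLE_HEADER = "default-src 'self'; frame-ancestors 'self'";
console.log(framingAllowed(SAMPLE_HEADER, "https://www.twilio.com/console", "https://customer.example/"));
```

Running the same function against the headers your own application returns shows which embedding origins will stop working once a frame-ancestors policy is deployed.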
What do I need to do?
If you’re a customer currently loading twilio.com web pages in a frame on your own site, you’ll need to discontinue this practice. Using iframes and other web content framing will no longer work after May 24th, 2021.
Frequently asked questions
We’re sure you have some questions around this change. Please see below for some of the questions you might have around our new HTTP header.
What is a web frame?
A web frame is a mechanism to load external website content within your own web page. The most common place where web frames are used is through an iframe, which allows you to embed the entirety of another site with an HTML tag.
What is Content Security Policy?
Content Security Policy is an HTTP header that adds a layer of security protection against well known web attacks. For more information please see here.
What can I do if I want to continue to load twilio.com in a web frame?
Unfortunately, if you’re a customer outside the twilio.com domain, you will not be able to load twilio.com in a web frame in any capacity starting after May 24th, 2021.
Will I still be able to load my Flex instance in an iframe?
If you are a paid customer of Flex, you can continue framing Flex. Please read this page for more information on how you can frame Flex.
To a more secure twilio.com
This change will take effect on May 24th, 2021. We thank you for being a partner in enhancing our security. If you have any questions, please reach out to us at support@twilio.com.