Twilio Webhooks, validating the genuine Twilio request
I am evaluating Twilio Webhooks for our solution. It works like a charm.
I want to detect and validate that it is a genuine TWILIO call, not a BOT/FAKE, that is calling our endpoint (the IPN listener, the URL we specified as the Twilio WebHook listener).
I do not like the idea of checking that the UserAgent value contains "TwilioProxy". Do you have a better approach to recommend?
Twilio developer evangelist here.
You can absolutely validate that a webhook is a genuine Twilio request.
For each webhook request, Twilio sends an X-Twilio-Signature header that contains a signature. The signature is created using the following method:
- Twilio assembles its request to your application, including the final URL and any POST fields (if the request is a POST).
- If your request is a POST, Twilio takes all the POST fields, sorts them alphabetically by their name, and concatenates each parameter name and value to the end of the URL (with no delimiter).
- Twilio takes the resulting string (the full URL with query string and all POST parameters) and signs it using HMAC-SHA1 and your AuthToken as the key.
To validate the signature, you need to:
- Take the full URL of the request URL you specify for your phone number or app, from the protocol (https...) through the end of the query string (everything after the ?).
- If the request is a POST, sort all of the POST parameters alphabetically (using Unix-style case-sensitive sorting order).
- Iterate through the sorted list of POST parameters, and append the variable name and value (with no delimiters) to the end of the URL string.
- Sign the resulting string with HMAC-SHA1 using your AuthToken as the key (remember, your AuthToken's case matters!).
- Base64 encode the resulting hash value.
- Compare your hash to ours, submitted in the X-Twilio-Signature header. If they match, then you're good to go.
This is all described, with examples, on our Security page. If you are using one of our official helper libraries, there will be a method to validate this already built in.
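The validation steps in the answer above, written out as an added example in Python; this is not code from the answer or from Twilio's helper library, and the URL, auth token and POST fields are constructed sample values, not real credentials.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional

# Constructed sample values for illustration only (not a real Twilio token).
SAMPLE_URL = "https://example.com/twilio/sms?ref=1"
SAMPLE_PARAMS = {"To": "+15550001111", "From": "+15550002222", "Body": "hello"}
SAMPLE_TOKEN = "c0nstructedAuthTokenForExample"


def twilio_signed_payload(url: str, post_params: Optional[Dict[str, str]]) -> str:
    """Rebuild the string Twilio signs: the full URL (query string included),
    followed by each POST field's name and value, sorted by name in
    case-sensitive code-point order, with no delimiters."""
    payload = url
    if post_params:
        # Python sorts str by code point, which is the Unix-style ordering
        # the answer describes: "B" (0x42) sorts before "b" (0x62).
        for name in sorted(post_params):
            payload += name + post_params[name]
    return payload


def compute_signature(url: str, post_params: Optional[Dict[str, str]],
                      auth_token: str) -> str:
    """HMAC-SHA1 over the payload, keyed with the AuthToken (case matters),
    then Base64-encoded: the value Twilio puts in X-Twilio-Signature."""
    digest = hmac.new(auth_token.encode("utf-8"),
                      twilio_signed_payload(url, post_params).encode("utf-8"),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def is_valid_twilio_request(url: str, post_params: Optional[Dict[str, str]],
                            auth_token: str, header_signature: Optional[str]) -> bool:
    """True only if the X-Twilio-Signature header matches our own computation.
    A missing header fails closed; the comparison is constant-time so the
    check does not leak how many leading bytes of the signature were right."""
    expected = compute_signature(url, post_params, auth_token)
    return hmac.compare_digest(expected, header_signature or "")


if __name__ == "__main__":
    sig = compute_signature(SAMPLE_URL, SAMPLE_PARAMS, SAMPLE_TOKEN)
    print("signed payload:", twilio_signed_payload(SAMPLE_URL, SAMPLE_PARAMS))
    print("valid:", is_valid_twilio_request(SAMPLE_URL, SAMPLE_PARAMS, SAMPLE_TOKEN, sig))
```

The `url` must be exactly what Twilio was configured to call (scheme, host, path and query string), so take it from the webhook configuration rather than reconstructing it from proxy-rewritten request headers.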