Web Application Firewall (WAF) for Exotel APIs
Overview

Exotel has implemented a Web Application Firewall (WAF) for the majority of its public APIs as part of an ongoing platform security hardening initiative. The WAF inspects inbound API traffic and helps block malicious or malformed requests before they reach Exotel’s core services. This is part of a defense-in-depth approach to security and is intended to help mitigate common web attack patterns, including categories broadly covered under the OWASP Top 10 (https://owasp.org/top10/2025/). This is a platform-level enhancement and does not require any change to existing customer integrations.

Scope

The WAF currently protects the majority of Exotel’s public, internet-facing APIs served through:

- api.exotel.com
- api.in.exotel.com

For the list of supported APIs and endpoint details, refer to the Exotel API documentation. This protection layer complements existing application-level controls such as authentication, authorization, and request validation. Coverage may expand over time as part of Exotel’s broader platform hardening efforts.

What this means for customers

For most customers, no action is required. Existing integrations will continue to work as usual, provided requests follow Exotel’s documented API specifications and standard HTTP practices. If a request is blocked by the WAF, the API returns an HTTP 403 Forbidden response.

Threats this helps mitigate

The WAF is intended to help protect against common exploit patterns such as:

- SQL injection attempts
- Cross-site scripting (XSS) patterns
- Remote code execution signatures
- File inclusion exploit attempts
- Known exploit payloads

Some protections may operate in monitoring mode during phased rollout or tuning, while the rest are enforced in blocking mode.

Best practices

To reduce the likelihood of legitimate requests being flagged:

- Follow Exotel’s documented request formats
- Send well-formed headers, parameters, and payloads
- Validate and sanitize inputs before sending requests
- Use standard retry logic for transient failures

Reporting availability

If needed for infosec, audit, or compliance requirements, Exotel can provide a report covering the last 7 days.

Troubleshooting

If you believe a legitimate request was blocked, please share the following with Exotel support:

- Tenant ID / account identifier
- API endpoint
- Approximate timestamp
- Source IP, if available
- HTTP method
- Response code
- Request ID / correlation ID, if available
- Sample request details, with sensitive values masked

FAQ

Do I need to change my integration?
No. Existing integrations should continue to work without modification if they follow documented API behavior.

Does this apply to all Exotel APIs?
No. The WAF currently protects the majority of Exotel’s public APIs, not all APIs.

Which API domains are currently covered?
The current WAF coverage applies to APIs served through api.exotel.com and api.in.exotel.com. Please refer to the API documentation for endpoint-level details.

Does this help with OWASP Top 10 risks?
Yes. The WAF is intended to add protection against several common web attack categories broadly covered under the OWASP Top 10. It works alongside application-level controls and does not replace them.

What happens when a request is blocked?
The API returns an HTTP 403 Forbidden response.

Change summary

- Change type: Platform security enhancement
- Customer action required: None
- Backward compatibility: Yes, for standards-compliant API usage
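The two client-side behaviours the article asks for, retrying only transient failures and treating a WAF 403 as final while collecting the troubleshooting fields for a support ticket, as an added example. This is not Exotel's code; the request-id header names, the sensitive-parameter list, the endpoint path and the sample values are all assumptions or constructed data, and the request function is injected so the logic runs offline.

```python
"""Client-side handling for a WAF-protected API (added example, not Exotel's code).

Assumed: a blocked request comes back as HTTP 403 (stated in the article); the
header names, parameter names and endpoint path below are placeholders.
"""
import time
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Header names checked for a request/correlation id. ASSUMED names; use whatever
# your responses actually carry.
REQUEST_ID_HEADERS = ("X-Request-Id", "X-Correlation-Id")

# Parameter names whose values are masked before a sample request is shared.
# ASSUMED list; extend it to match your own payloads.
SENSITIVE_KEYS = {"api_key", "api_token", "authorization", "password", "otp"}

# Transient statuses worth a backoff-and-retry. A 403 is deliberately absent:
# a WAF block (or an authz failure) will not clear by resending the request.
TRANSIENT_STATUSES = {429, 500, 502, 503, 504}


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status, headers, body."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def classify(resp: Response) -> str:
    """Map a response to one of: 'ok', 'retry', 'blocked', 'error'."""
    if 200 <= resp.status < 300:
        return "ok"
    if resp.status in TRANSIENT_STATUSES:
        return "retry"
    if resp.status == 403:
        return "blocked"
    return "error"


def mask_params(params: dict) -> dict:
    """Replace sensitive values with '***' so the sample can go into a ticket."""
    return {k: ("***" if k.lower() in SENSITIVE_KEYS else v) for k, v in params.items()}


def support_report(tenant_id, method, url, source_ip, params, resp: Response) -> dict:
    """Gather exactly the fields the troubleshooting section lists."""
    request_id = next((resp.headers[h] for h in REQUEST_ID_HEADERS if h in resp.headers), None)
    return {
        "tenant_id": tenant_id,
        "api_endpoint": url,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "source_ip": source_ip,
        "http_method": method,
        "response_code": resp.status,
        "request_id": request_id,
        "sample_request": mask_params(params),
    }


def send_with_retry(do_request, max_attempts=3, base_delay=0.5, sleep=time.sleep):
    """Call do_request() with exponential backoff on transient statuses only.

    Returns (action, last_response, attempts_used). Stops immediately on
    'ok', 'blocked' or 'error'; only 'retry' consumes further attempts.
    """
    last = None
    for attempt in range(max_attempts):
        last = do_request()
        action = classify(last)
        if action != "retry":
            return action, last, attempt + 1
        sleep(base_delay * (2 ** attempt))
    return "retry_exhausted", last, max_attempts


if __name__ == "__main__":
    # Constructed scenario: one transient 503, then a WAF 403 with a request id.
    url = "https://api.exotel.com/v1/EXAMPLE-ENDPOINT"  # placeholder path
    params = {"To": "+910000000000", "Body": "hello", "api_key": "not-a-real-key"}
    scripted = iter([Response(503), Response(403, {"X-Request-Id": "req-demo-1"})])
    action, resp, used = send_with_retry(lambda: next(scripted), sleep=lambda _s: None)
    if action == "blocked":
        print(support_report("ACCOUNT-SID-PLACEHOLDER", "POST", url, "203.0.113.10", params, resp))
```

The design point is that retry logic keyed on a status allow-list never resends a 403: a WAF rejection is treated as a final answer and immediately turned into the data support needs, with credentials masked before the sample leaves the client.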