rdegges / django-twilio

A simple library for building twilio-powered Django webapps.

Home Page:http://django-twilio.rtfd.org/


twilio_view returns 403 when TLS termination does not occur at the WSGI server

wbrefvem opened this issue · comments

My setup is a Django app running in gunicorn on Kubernetes. TLS termination occurs at the Kubernetes ingress controller (which is just a managed nginx), which forwards the request to my Django pod over http. Everything works fine if I disable forgery protection, but when it's enabled the validation fails. My Twilio auth token is fine -- requests from my app back to Twilio go through -- and request.META['HTTP_X_TWILIO_SIGNATURE'] looks good too. But the uri that twilio_view passes to the request validator contains http for the scheme instead of https. I suspect that this is happening because Django's HttpRequest.build_absolute_uri doesn't respect the X-Forwarded-Proto header.

I'm not quite sure how to tackle this. A wrapper in twilio_view around build_absolute_uri that checks X-Forwarded-Proto and overwrites the scheme if it's there would probably work. Failing that I'm not sure what the solution would be.

Thoughts?

Okay, found it. I need to set SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') in my settings.
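The failure described in this thread, reproduced as an added example (not code from django-twilio or from the issue author). It reimplements Twilio's documented webhook signature (HMAC-SHA1 over the full URL plus key-sorted POST parameters, base64-encoded) so it runs without the twilio package, and models only the scheme-selection part of Django's HttpRequest.build_absolute_uri(). The auth token, host, path, POST values and WSGI environ are constructed for the demonstration; the helper names (twilio_signature, validate, build_absolute_uri, check) are this example's own.

```python
import base64
import hashlib
import hmac


def twilio_signature(auth_token: str, url: str, post_params: dict) -> str:
    """Compute the X-Twilio-Signature value for a webhook request.

    Twilio's published scheme: the full request URL (query string included),
    followed by every POST parameter's key and value concatenated in key-sorted
    order, HMAC-SHA1 keyed with the account auth token, then base64.
    Because the URL is part of the signed data, an 'http://' URL on the
    validating side never matches a signature Twilio computed over 'https://'.
    """
    payload = url + "".join(k + v for k, v in sorted(post_params.items()))
    mac = hmac.new(auth_token.encode("utf-8"), payload.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def validate(auth_token: str, url: str, post_params: dict, signature: str) -> bool:
    """Constant-time comparison of the expected and presented signatures."""
    return hmac.compare_digest(twilio_signature(auth_token, url, post_params), signature)


def build_absolute_uri(meta: dict, path: str, secure_proxy_ssl_header=None) -> str:
    """Simplified model of how Django picks the scheme for build_absolute_uri().

    Without SECURE_PROXY_SSL_HEADER, Django trusts only what the WSGI server
    reports (wsgi.url_scheme). With it set to (header, value), the request is
    treated as HTTPS exactly when that header carries that value.
    """
    scheme = meta.get("wsgi.url_scheme", "http")
    if secure_proxy_ssl_header is not None:
        header, secure_value = secure_proxy_ssl_header
        header_value = meta.get(header)
        if header_value is not None:
            scheme = "https" if header_value.strip() == secure_value else "http"
    url = f"{scheme}://{meta['HTTP_HOST']}{path}"
    query = meta.get("QUERY_STRING", "")
    if query:
        url += "?" + query
    return url


# Constructed values for the demonstration (not a real token, host or call).
AUTH_TOKEN = "constructed-auth-token-not-real"
PUBLIC_URL = "https://example.com/twilio/voice/"
POST_PARAMS = {"CallSid": "CAconstructed0001", "From": "+15550001111", "To": "+15550002222"}

# Twilio signs the URL it was configured with: the public https:// one.
SIGNATURE = twilio_signature(AUTH_TOKEN, PUBLIC_URL, POST_PARAMS)

# Constructed WSGI environ as the Django pod sees it: the ingress terminated TLS
# and forwarded the request over plain HTTP, recording the original scheme in
# X-Forwarded-Proto.
META = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "example.com",
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_X_TWILIO_SIGNATURE": SIGNATURE,
}


def check(secure_proxy_ssl_header=None):
    """Return (reconstructed URL, whether the Twilio signature validates)."""
    url = build_absolute_uri(META, "/twilio/voice/", secure_proxy_ssl_header)
    ok = validate(AUTH_TOKEN, url, POST_PARAMS, META["HTTP_X_TWILIO_SIGNATURE"])
    return url, ok


if __name__ == "__main__":
    print(check())                                          # http URL, validation fails (403)
    print(check(("HTTP_X_FORWARDED_PROTO", "https")))       # https URL, validation succeeds
```

The first call reproduces the 403: Django rebuilds the URL as http://, so the HMAC input differs from what Twilio signed. The second call applies the setting from the final comment. Set SECURE_PROXY_SSL_HEADER only when every path to the app goes through a proxy that always sets or overwrites X-Forwarded-Proto; if a client can reach the WSGI server directly, it could supply that header itself and have a plain-HTTP request treated as secure (this is the same caveat Django's own documentation attaches to the setting).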