Verification
Use an up-to-date root store
It’s important that your application or library use a trustworthy and up-to-date root store when verifying the X certificate. Where possible, using the root store provided by your operating system may be the simplest approach. Alternatively, the Mozilla (NSS) root store is well maintained in a public and transparent manner. Curl also provides a version of this store in PEM format. X currently issues the bulk of our certs from the DigiCert High Assurance EV Root CA, but this is not true for 100% of X-related certificates and may not hold true forever, so trusting only the currently-used DigiCert roots may lead to issues with your app in the future.
Check CRLs and the OCSP status
Many applications do not check the Certificate Revocation List for returned certificates or rely on the operating system to do so. Ensure that your application or TLS library is configured to force CRL and OCSP (Online Certificate Status Protocol) verification before accepting X’s certificate.
CDNs
When showing Tweets that contain media, use the media_url_https attribute for the HTTPS URLs to use when showing images. In the future, all URLs served from API endpoints will provide HTTPS paths.
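The root store and revocation guidance above can be checked in code before a client ships. The following is an added example, not code from the original page: it uses Python's standard ssl module, and the helper names build_context and audit_context and the finding labels are hypothetical. The standard library enforces CRLs only; it has no OCSP check, so OCSP has to come from the TLS library or platform your application actually uses.

```python
import ssl

# Bit mask covering both CRL enforcement modes offered by the ssl module.
CRL_FLAGS = ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_CRL_CHECK_CHAIN


def build_context(crl_file=None):
    """Client context using the system root store, with optional CRL enforcement.

    crl_file is an assumed path to a PEM or DER CRL that the application
    fetches and refreshes itself; the ssl module does not download CRLs.
    """
    # Loads the operating system / OpenSSL default root store and enables
    # certificate and hostname verification.
    ctx = ssl.create_default_context()
    if crl_file is not None:
        # CRLs are loaded through the same call as CA certificates.
        ctx.load_verify_locations(cafile=crl_file)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    return ctx


def audit_context(ctx):
    """Return labels for settings that conflict with the guidance above."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no-cert-verification")
    if not ctx.check_hostname:
        findings.append("no-hostname-check")
    if not ctx.verify_flags & CRL_FLAGS:
        # Revoked certificates would still be accepted.
        findings.append("no-crl-check")
    elif ctx.cert_store_stats()["crl"] == 0:
        # CRL checking is on but no CRL is loaded: every handshake fails
        # with "unable to get certificate CRL".
        findings.append("crl-check-without-crl")
    return findings


if __name__ == "__main__":
    print(audit_context(build_context()))
```

A context built from defaults reports no-crl-check, which is the gap the revocation section describes: the system root store is used, but revocation is not enforced until a CRL is loaded and the flag is set.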