I am trying to get Twilio to work with my express/node.js installation. Twilio is making an incoming connection to my server, when it gets a text message. Then I am replying to this with a SMS response.
This works the first time. Then the second time, my server blocks Twilio because it says that it was a forged request.
Is there a proper way to get around this?
You should disable CSRF for that URL. See this question on how to do that: Disable csrf validation for some requests on Express
CSRF is a vulnerability that only pertains to requests that require session information in the form of a cookie (which is why CSRF is also sometimes called “session riding”). In short, CSRF is when a malicious site owner can use a <form> tag on a page they control to post a form to your site, causing an authenticated request to be sent to your server without the user’s knowing. For instance, let’s say Facebook has a /delete_user.php which deletes the current authenticated user. A CSRF attack on that URL will be in the form (no pun intended) of a <form action="http://facebook.com/delete_user.php"> tag on the malicious site owner’s site, which gets submitted without the user’s knowledge. A non-CSRF-safe implementation of /delete_user.php will see the user’s auth cookie and delete the user — much to the user’s dismay.

Anyway, long story short, your Twilio handler does not require a user’s browser cookie, and thus is not subject to CSRF attacks. Just disable CSRF checks for the Twilio callback URLs.