As described in Twitter's API OAuth documentation, your application should never need the user's Twitter credentials. In other words, when you first connect your user to their Twitter account you should launch a Twitter page that grants your application access to their Twitter information. If the user is not already signed in to Twitter, they will enter their Twitter credentials on that Twitter page. This keeps the Twitter credentials safe from you. In turn, you will have a token for your application that you keep very secure (encrypted on your site or in your application) and a token for each Twitter user who has agreed to allow your application access. When accessing Twitter, you use the application token to confirm who you are and the user token to confirm who the user is. As long as you store both of these in a secure location, nobody should be able to spoof access.
Most people will do this by storing an application token with (or in) an application config file and the Twitter user tokens in a database. Here are additional security steps for this setup:
- Store the config file and database separately. For example, store the config file on a web server and store the database on a database server. This makes access to these two key pieces of data harder to obtain. Unfortunately it does mean you need two servers (or VMs, or containers).
- Rotate the application token on a regular basis (just as you might rotate a password or PIN).
- Only ask Twitter for the minimum level of access your token needs. This way, if there is a security breach, the attacker has only limited access to your users' Twitter accounts.
- Secure the servers that store the config file and the database as well as you can.
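The two-token scheme described in the first paragraph is what OAuth 1.0a request signing (HMAC-SHA1, as used by Twitter's v1.1 API) does in practice: the application secret and the user's token secret are concatenated into one HMAC key, so a valid signature proves possession of both. The following is an added example, not code from the original post or from Twitter's own libraries; the key, secret, nonce and timestamp values are constructed for illustration and the API URL is hypothetical.

```python
"""OAuth 1.0a (RFC 5849) HMAC-SHA1 signing and verification.

Added illustration: the application's consumer secret and the user's token
secret both feed the signing key, so neither one alone can forge a request.
All key/secret/URL values below are constructed, not real Twitter data.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(value):
    """RFC 3986 percent-encoding as required by RFC 5849 section 3.6
    (only unreserved characters are left alone, so '/' and ':' are encoded)."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, base_url, params):
    """METHOD & encoded base URL & encoded normalized parameters.
    `params` holds every query, form and oauth_* parameter except oauth_signature."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    """Signing key = consumer secret & token secret (both percent-encoded)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, base_url, params, consumer_key, consumer_secret,
                 token, token_secret, nonce=None, timestamp=None):
    """Client side: return the oauth_* parameters, including oauth_signature."""
    oauth = {
        "oauth_consumer_key": consumer_key,        # identifies the application
        "oauth_token": token,                      # identifies the user
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, base_url, {**params, **oauth})
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return oauth


def authorization_header(oauth):
    """Render the oauth_* parameters as an Authorization: OAuth header value."""
    parts = ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return f"OAuth {parts}"


def verify_request(method, base_url, params, oauth, consumer_secret, token_secret,
                   max_skew=300, now=None):
    """Server side: look up both secrets for oauth_consumer_key / oauth_token,
    recompute the signature and compare in constant time. Also rejects stale
    timestamps so a captured request cannot be replayed indefinitely."""
    presented = oauth.get("oauth_signature", "")
    unsigned = {k: v for k, v in oauth.items() if k != "oauth_signature"}
    if unsigned.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    now = int(time.time()) if now is None else now
    try:
        if abs(now - int(unsigned["oauth_timestamp"])) > max_skew:
            return False
    except (KeyError, ValueError):
        return False
    base = signature_base_string(method, base_url, {**params, **unsigned})
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode(), presented.encode())


if __name__ == "__main__":
    # Constructed sample values (hypothetical URL, made-up keys and secrets).
    URL = "https://api.example.com/1.1/statuses/update.json"
    CONSUMER_KEY, CONSUMER_SECRET = "app-key-0001", "app-secret-from-config-file"
    TOKEN, TOKEN_SECRET = "user-token-4242", "user-secret-from-database"
    body = {"status": "Hello, a signed OAuth request!"}

    oauth = sign_request("POST", URL, body, CONSUMER_KEY, CONSUMER_SECRET,
                         TOKEN, TOKEN_SECRET)
    print(authorization_header(oauth))
    print("valid with both secrets:",
          verify_request("POST", URL, body, oauth, CONSUMER_SECRET, TOKEN_SECRET))
    print("valid with user secret only:",
          verify_request("POST", URL, body, oauth, "", TOKEN_SECRET))
```

Because the HMAC key is built from both secrets, an attacker who obtains only the user-token rows from the database (or only the consumer secret from the config file) still cannot produce a valid signature. That is the concrete reason behind the advice above to keep the config file and the database on separate hosts.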