• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar

Tachytelic.net

  • Get in Touch
  • About Me

Secure the HTTP Request Trigger in Microsoft Power Automate

September 21, 2020 by Paulie 4 Comments

Flows created with the “When a HTTP request is received” trigger can be executed by anyone that knows the URL. This post covers details how to secure the HTTP trigger by using a trigger condition.

I have created a simple two step flow that sends me an email when the flow is triggered:

Image of a simple flow in Power Automate that sends an email after the a HTTP request is received,

Using a condition within the flow to compare a value passed in the HTTP works, but will consume a flow run.

Secure the Trigger with a condition to evaluate if the flow should execute

A better method is to use the Trigger Conditions functionality to test if a flow should execute. Trigger conditions must evaluate to true or false, there is a good introduction to trigger conditions here. I will demonstrate the basic premise with an example.

First, access the trigger settings by clicking on the ellipses of the HTTP Trigger:

Image showing how to access the settings of the HTTP Request trigger in Power Automate

Set a condition for the trigger, if this condition does not evaluate to true, the flow will not run:

I am passing the header “runKey” to the HTTP Request and testing to see if it matches a random string. Here is the code:

equals(triggerOutputs()['headers']?['runKey'],'FSgWPsAEBDP6epQZ')

The advantages of trigger conditions are:

  • It does not execute at all if the condition is not met.
  • The flow executes faster as there is no condition within the flow.
  • Your run history is cleaner (it only shows if the condition was met).
  • The flow is less complicated.

Testing the security with PowerShell

I tested execution of the HTTP trigger in Powershell with the following code:

$flowURI = "https://prod-31.westeurope.logic.azure.com:443/workflows/..."
$messageSubject = "Testing HTTP Security Trigger"
$messageBody = "Execution test from Powershell"
$params = @{"messageSubject"="$messageSubject";"messageBody"="$messageBody"}
$headers = @{'runKey' = 'FSgWPsAEBDP6epQZ'}
Invoke-WebRequest -Uri $flowURI -Method POST -Headers $headers -ContentType "application/json" -Body ($params|ConvertTo-Json)

In my run history I can see all of the data that PowerShell transferred:

{
  "headers": {
    "Expect": "100-continue",
    "Host": "prod-31.westeurope.logic.azure.com",
    "User-Agent": "Mozilla/5.0,(Windows NT; Windows NT 10.0; en-GB),WindowsPowerShell/5.1.18362.752",
    "runKey": "FSgWPsAEBDP6epQZ",
    "Content-Length": "115",
    "Content-Type": "application/json"
  },
  "body": {
    "messageSubject": "Testing HTTP Security Trigger",
    "messageBody": "Execution test from Powershell"
  }
}

Important Note

Make sure your trigger condition includes a question mark for your key value, like this:

equals(triggerOutputs()['headers']?['runKey'],'FSgWPsAEBDP6epQZ')

Not like:
equals(triggerOutputs()['headers']['runKey'],'FSgWPsAEBDP6epQZ')

If you do not include the question mark then anyone that posts to the unique URL will receive the error message back from flow, which will be something like:

equals(triggerOutputs()['headers']['runKey'],'FSgWPsAEBDP6epQZ')' cannot be evaluated because property 'runKey' doesn't exist, available properties are 'Connection,Expect, Host, User-Agent, Content-Length, Content-Type'. 

Which as you can see, contains the key that secures the trigger! So be sure to include the question mark, which will simply make that property return null.

I hope this helps, if you have any clever ideas to add to this method, please let me know!

Filed Under: Power Platform Tagged With: Power Automate

Reader Interactions

Comments

  1. Alan Evans says

    March 25, 2022 at 11:40 am

    Thanks for this, been following your guides
    Do you know how to trigger this with Curl, I’m having some issues with the runkey part in CURL
    Presumably it’s two headers, but it doesn’t seem to be triggering

  2. Christoper Mcvey says

    March 25, 2022 at 5:50 pm

    How would you call a flow as a child with such security? Is there way way to query for the header value when you call the child?

  3. Manish Jain says

    April 28, 2022 at 1:49 pm

    I have repeated all the steps as mentioned but I am getting the same error as you mentioned for the headers, do I need to add some more settings/ parameters in it ?

  4. Mark S says

    May 7, 2022 at 9:29 pm

    Thank you for this guidance. When the trigger condition fails I assumed that some type of error code would be returned to the calling application. But it appears that a 202 code is returned. If you are calling the HTTP flow from another flow, that makes it very hard for the calling flow to recognize that an error occurred.

    I could build my own version of this where I include the key in the body of the POST call, retrieve it in the HTTP flow and check the value passed against the expected value and return an error code in a Response step. It takes more effort but it allows me to return the error code.

    Is there any way to use trigger conditions AND return an error code?

Leave a Reply Cancel reply

Primary Sidebar

Link to my LinkedIn Profile
Buy me a coffee
Image link to all Power Automate content

Excellent Power Automate Blogs

  • Damien Bird
  • Dennis (Expiscornovus)
  • Tom Riha

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 259 other subscribers.

Go to mobile version