• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar

Tachytelic.net

  • Sco Openserver
    • Sco Unix Support
    • SCO Openserver Installation ISOs
    • SCO Openserver Binaries
    • Add a Hard Drive to an Openserver 5 Virtual Machine
    • Install SCO Vision SQL-Retriever ODBC Driver on Windows 10
    • License Expired on Virtual SCO Openserver Installation
    • How to reset the root password on SCO Openserver 5
  • Scripting
    • PowerShell
      • Add leading zeros
      • Check if a File Exists
      • Grep with Powershell
      • Create Environment Variables
      • Test for open Ports
      • Append to a Text File
    • VBScript
      • Check if a File Exists
      • lpad and rpad functions
      • Windows Update E-Mail Notification
  • Office 365
    • Connect to Office 365 with PowerShell
    • Add or remove an email alias using Powershell
    • Change Primary email address of Active Directory user
    • How to hide an AD user from the Global Address List
    • How to hide mail contacts from the Global Address List
    • Change the primary email address for an account with PowerShell
    • Change Primary email address of an AD User
    • Grant a single user access to access to all calendars
    • Forward email to an external address using Powershell
    • Convert shared mailbox to user mailbox with Powershell
  • Get in Touch
  • About Me
    • Privacy Policy

Secure the HTTP Request Trigger in Microsoft Power Automate

September 21, 2020 by Paulie 2 Comments

Flows created with the “When a HTTP request is received” trigger can be executed by anyone that knows the URL. This post covers details how to secure the HTTP trigger by using a trigger condition.

I have created a simple two step flow that sends me an email when the flow is triggered:

Image of a simple flow in Power Automate that sends an email after the a HTTP request is received,

Using a condition within the flow to compare a value passed in the HTTP works, but will consume a flow run.

Secure the Trigger with a condition to evaluate if the flow should execute

A better method is to use the Trigger Conditions functionality to test if a flow should execute. Trigger conditions must evaluate to true or false, there is a good introduction to trigger conditions here. I will demonstrate the basic premise with an example.

First, access the trigger settings by clicking on the ellipses of the HTTP Trigger:

Image showing how to access the settings of the HTTP Request trigger in Power Automate

Set a condition for the trigger, if this condition does not evaluate to true, the flow will not run:

Image showing Trigger Condition checking the value of a HTTP header to decide if the flow should execute.

I am passing the header “runKey” to the HTTP Request and testing to see if it matches a random string. Here is the code:

@equals(triggerOutputs()['headers']['runKey'],'FSgWPsAEBDP6epQZ')

The advantages of trigger conditions are:

  • It does not execute at all if the condition is not met.
  • The flow executes faster as there is no condition within the flow.
  • Your run history is cleaner (it only shows if the condition was met).
  • The flow is less complicated.

Build the required trigger expression

Instead of writing the trigger condition manually, let Power Automate build it for you. Create a compose action in your flow that evaluates to true or false and copy the code into the trigger condition.

Image showing a compose action being used to generate code for a trigger condition to secure a HTTP request in Power Automate.

Testing the security with PowerShell

I tested execution of the HTTP trigger in Powershell with the following code:

$flowURI = "https://prod-31.westeurope.logic.azure.com:443/workflows/..."
$messageSubject = "Testing HTTP Security Trigger"
$messageBody = "Execution test from Powershell"
$params = @{"messageSubject"="$messageSubject";"messageBody"="$messageBody"}
$headers = @{'runKey' = 'FSgWPsAEBDP6epQZ'}
Invoke-WebRequest -Uri $flowURI -Method POST -Headers $headers -ContentType "application/json" -Body ($params|ConvertTo-Json)

In my run history I can see all of the data that PowerShell transferred:

{
  "headers": {
    "Expect": "100-continue",
    "Host": "prod-31.westeurope.logic.azure.com",
    "User-Agent": "Mozilla/5.0,(Windows NT; Windows NT 10.0; en-GB),WindowsPowerShell/5.1.18362.752",
    "runKey": "FSgWPsAEBDP6epQZ",
    "Content-Length": "115",
    "Content-Type": "application/json"
  },
  "body": {
    "messageSubject": "Testing HTTP Security Trigger",
    "messageBody": "Execution test from Powershell"
  }
}

I hope this helps, if you have any clever ideas to add to this method, please let me know!

Filed Under: Power Platform Tagged With: Power Automate

Reader Interactions

Comments

  1. estevao santos says

    November 30, 2020 at 7:57 pm

    Just to point out that the trigger condition should be `@equals(triggerOutputs()?[‘headers’]?[‘runKey’],’FSgWPsAEBDP6epQZ’)` with a question mark before headers and runkey. Or else the flow will respond with an error that exposes your secret key.

  2. ps says

    January 14, 2021 at 5:19 pm

    Be careful how you do that.
    If you only do a validation on the VALUE and not the presense of the key the VALUE is sent back in the Response along with the Response from the Trigger.
    In Mine I check to see the value of a header parameter api-key
    @equals(triggerOutputs()[‘headers’][‘api-key’],”)

    If I send a request with an invalid key I get a 202 Accepted with no body (Flow never ran)
    If I send a request with NO Key, PowerAutomate will tell me what the key is…..
    {
    “error”: {
    “code”: “InvalidTemplate”,
    “message”: “The template language expression evaluation failed: ‘The template language expression ‘equals(triggerOutputs()[‘headers’][‘api-key’],”)’ cannot be evaluated because property ‘api-key’ doesn’t exist, available properties are ‘Cache-Control, Connection, Accept, Accept-Encoding, Host, User-Agent, Postman-Token, Content-Length, Content-Type’. Please see https://aka.ms/logicexpressions for usage details.’.”
    }
    }

    If you are going to use this approach be sure to have a prior condition that checks to see if the header key actually exists
    Like this.

    @contains(triggerOutputs()[‘headers’],’api-key’)

Leave a Reply Cancel reply

Primary Sidebar

Power Automate Support Image
Link to my LinkedIn Profile

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 107 other subscribers.

Go to mobile version