Secure the HTTP Request Trigger in Microsoft Power Automate

Flows created with the “When a HTTP request is received” trigger can be executed by anyone that knows the URL. This post covers details how to secure the HTTP trigger by using a trigger condition.

I have created a simple two step flow that sends me an email when the flow is triggered:

Using a condition within the flow to compare a value passed in the HTTP works, but will consume a flow run.

Secure the Trigger with a condition to evaluate if the flow should execute

A better method is to use the Trigger Conditions functionality to test if a flow should execute. Trigger conditions must evaluate to true or false, there is a good introduction to trigger conditions here. I will demonstrate the basic premise with an example.

First, access the trigger settings by clicking on the ellipses of the HTTP Trigger:

Set a condition for the trigger, if this condition does not evaluate to true, the flow will not run:

I am passing the header “runKey” to the HTTP Request and testing to see if it matches a random string. Here is the code:

equals(triggerOutputs()['headers']?['runKey'],'FSgWPsAEBDP6epQZ')

The advantages of trigger conditions are:

• It does not execute at all if the condition is not met.
• The flow executes faster as there is no condition within the flow.
• Your run history is cleaner (it only shows if the condition was met).
• The flow is less complicated.

Testing the security with PowerShell

I tested execution of the HTTP trigger in Powershell with the following code:

$flowURI = "https://prod-31.westeurope.logic.azure.com:443/workflows/..."
$messageSubject = "Testing HTTP Security Trigger"
$messageBody = "Execution test from Powershell"
$params = @{"messageSubject"="$messageSubject";"messageBody"="$messageBody"}
$headers = @{'runKey' = 'FSgWPsAEBDP6epQZ'}
Invoke-WebRequest -Uri $flowURI -Method POST -Headers $headers -ContentType "application/json" -Body ($params|ConvertTo-Json)

In my run history I can see all of the data that PowerShell transferred:

{
  "headers": {
    "Expect": "100-continue",
    "Host": "prod-31.westeurope.logic.azure.com",
    "User-Agent": "Mozilla/5.0,(Windows NT; Windows NT 10.0; en-GB),WindowsPowerShell/5.1.18362.752",
    "runKey": "FSgWPsAEBDP6epQZ",
    "Content-Length": "115",
    "Content-Type": "application/json"
  },
  "body": {
    "messageSubject": "Testing HTTP Security Trigger",
    "messageBody": "Execution test from Powershell"
  }
}

Important Note

Make sure your trigger condition includes a question mark for your key value, like this:

equals(triggerOutputs()['headers']?['runKey'],'FSgWPsAEBDP6epQZ')

Not like:
equals(triggerOutputs()['headers']['runKey'],'FSgWPsAEBDP6epQZ')

If you do not include the question mark then anyone that posts to the unique URL will receive the error message back from flow, which will be something like:

equals(triggerOutputs()['headers']['runKey'],'FSgWPsAEBDP6epQZ')' cannot be evaluated because property 'runKey' doesn't exist, available properties are 'Connection,Expect, Host, User-Agent, Content-Length, Content-Type'. 

Which as you can see, contains the key that secures the trigger! So be sure to include the question mark, which will simply make that property return null.

I hope this helps, if you have any clever ideas to add to this method, please let me know!