Tachytelic.net

Secure the HTTP Request Trigger in Microsoft Power Automate

by Leave a Comment

Flows created with the “When a HTTP request is received” trigger can be executed by anyone that knows the URL. This post covers details how to secure the HTTP trigger by using a trigger condition.

I have created a simple two step flow that sends me an email when the flow is triggered:

Image of a simple flow in Power Automate that sends an email after the a HTTP request is received,

Using a condition within the flow to compare a value passed in the HTTP works, but will consume a flow run.

Secure the Trigger with a condition to evaluate if the flow should execute

A better method is to use the Trigger Conditions functionality to test if a flow should execute. Trigger conditions must evaluate to true or false, there is a good introduction to trigger conditions here. I will demonstrate the basic premise with an example.

First, access the trigger settings by clicking on the ellipses of the HTTP Trigger:

Image showing how to access the settings of the HTTP Request trigger in Power Automate

Set a condition for the trigger, if this condition does not evaluate to true, the flow will not run:

Image showing Trigger Condition checking the value of a HTTP header to decide if the flow should execute.

I am passing the header “runKey” to the HTTP Request and testing to see if it matches a random string. Here is the code:

@equals(triggerOutputs()['headers']['runKey'],'FSgWPsAEBDP6epQZ')

The advantages of trigger conditions are:

  • It does not execute at all if the condition is not met.
  • The flow executes faster as there is no condition within the flow.
  • Your run history is cleaner (it only shows if the condition was met).
  • The flow is less complicated.

Build the required trigger expression

Instead of writing the trigger condition manually, let Power Automate build it for you. Create a compose action in your flow that evaluates to true or false and copy the code into the trigger condition.

Image showing a compose action being used to generate code for a trigger condition to secure a HTTP request in Power Automate.

Testing the security with PowerShell

I tested execution of the HTTP trigger in Powershell with the following code:

$flowURI = "https://prod-31.westeurope.logic.azure.com:443/workflows/..."
$messageSubject = "Testing HTTP Security Trigger"
$messageBody = "Execution test from Powershell"
$params = @{"messageSubject"="$messageSubject";"messageBody"="$messageBody"}
$headers = @{'runKey' = 'FSgWPsAEBDP6epQZ'}
Invoke-WebRequest -Uri $flowURI -Method POST -Headers $headers -ContentType "application/json" -Body ($params|ConvertTo-Json)

In my run history I can see all of the data that PowerShell transferred:

{
  "headers": {
    "Expect": "100-continue",
    "Host": "prod-31.westeurope.logic.azure.com",
    "User-Agent": "Mozilla/5.0,(Windows NT; Windows NT 10.0; en-GB),WindowsPowerShell/5.1.18362.752",
    "runKey": "FSgWPsAEBDP6epQZ",
    "Content-Length": "115",
    "Content-Type": "application/json"
  },
  "body": {
    "messageSubject": "Testing HTTP Security Trigger",
    "messageBody": "Execution test from Powershell"
  }
}

I hope this helps, if you have any clever ideas to add to this method, please let me know!

Reader Interactions

Leave a Reply