Power Automate
Answered

Secure When an HTTP request is received

Posted on by 716
Hello Power Automate Community,
 
I hope you can help, please.
 
I'm looking for advice on how best to secure a Flow which has the trigger "When an HTTP request is received". I've read through all the documents I can find and watched numerous videos, but what I'm trying to achieve is this. 
  1. I created a Flow using the "When an HTTP request is received" and it generated the URL. Here is a fake example: "https;//lotsofcharacters.blarblar.com".
  2. I then go into a third party application, such as Salesforce, ServiceNow etc. From that third party application, when something happens, let's say a record is created, the third party system will send a webhook message with information in the body to my Flow example URL above.
  3. It then triggers the Flow and the Flow does what it's meant to do.
Everything is perfect except the example URL to trigger my Flow can be called by anyone from anywhere, so if someone gets hold of the example URL they can trigger the Flow. 
 
My question is, how do I make it so that the Flow can only be triggered if the call comes from the third party system such as Salesforce, ServiceNow, Jira etc?
 
Two things I explored were:
  1. Trigger Conditions | Adding a trigger condition so if there is something specific in the body, header etc, then only fire. But this wouldn't stop potential DoS attacks, I believe.
  2. Authentication | There is the "who can trigger this flow" dropdown on the trigger, but as the call is coming from a third party then I couldn't work out how to use this.
Any thoughts would be greatly appreciated.
 
Thanks,
 
Garry
 
 
  • Verified answer
    VeGETzX Profile Picture
    367 on at

    I have tried something similar before.

    I used an HTTP trigger to receive requests from a third-party service. During the process, I discovered that

    • We cannot set 'Who can trigger the flow' to specific users or restrict it to the organization. This is because enabling this option requires all incoming requests to be authenticated via Microsoft Entra ID, which is not supported by standard webhooks.
    • Using trigger conditions is the best approach if you have logic to correctly verify that the requests are coming from a trusted source.
      • With trigger conditions, even if someone sends a request to your URI, it won't trigger the flow unless it meets the specified condition. This means that if the person doesn't know your detection logic, they cannot trigger your flow, and it should prevent the DoS attack that you are aware of.

    Here’s an example of using a trigger condition to validate a secret key in the request header.
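
The header check described in the answer above, written as the trigger's `conditions` entry in the underlying workflow definition. This is an added example, not part of the original post; the header name `x-webhook-secret` and the secret value are hypothetical placeholders.

```json
{
  "triggers": {
    "manual": {
      "type": "Request",
      "kind": "Http",
      "inputs": {
        "schema": {}
      },
      "conditions": [
        {
          "expression": "@equals(triggerOutputs()?['headers']?['x-webhook-secret'], '<placeholder-long-random-secret>')"
        }
      ]
    }
  }
}
```

In the designer, the same expression goes into the trigger's Settings under Trigger conditions, and the sending system must be configured to add that header to every webhook call. The value is stored in clear text in the flow definition, so anyone who can edit the flow can read it.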

     
     
  • CU01081947-0 Profile Picture
    716 on at
    Hello @VeGETzX,

    Thanks for the response. That's a shame it can't be done and the only workaround is trigger conditions. 

    All the best, 

    Garry
