Hello Power Automate Community,
I hope you can help, please.
I'm looking for advice on how best to secure a Flow which has the trigger "When an HTTP request is received". I've read through all the documents I can find and watched numerous videos, but what I'm trying to achieve is this.
- I created a Flow using the "When an HTTP request is received" and it generated the URL. Here is an fake example: "https;//lotsofcharacters.blarblar.com".
- I then go into a third party application, such as Salesforce, ServiceNow etc. From that third party application, when something happens, let's say a record is created, the third party system will send a webhook message with information in the body to my Flow example URL above.
- It then triggers the Flow and the Flow does what it's meant to do.
Everything is perfect except the example URL to trigger my Flow can be called by anyone from anywhere, so if someone gets hold of the example URL they can trigger the Flow.
My question is, how do I make it so that the Flow can only be triggered if the call comes from the third party system such as Salesforce, ServiceNow, Jira etc?
Two things I explored was:
- Trigger Conditions | Adding a trigger condition so if there is something specific in the body, header etc, then only fire. But this will wouldn't stop potential DOS attacks, I believe.
- Authentication | There is the "who can trigger this flow" dropdown on the trigger, but as the call is coming from a third party then I couldn't work out how to use this.
Any thoughts would be greatly appreciated.
Thanks,
Garry
