How to Secure Flow HTTP Trigger

We can secure a Logic App by restricting the IP addresses that are allowed to invoke it, but Microsoft Flow does not offer this capability. An HTTP trigger generates a unique link with a SAS token in it, which is a public URL. Yes, this link should only be shared with people who need access to it, but it can still be forwarded, and whoever gets hold of it can trigger the flow.

Is there any way we can secure it? I recently implemented the following in my HTTP trigger based flow.

Each HTTP request has a Referer header associated with it. This is a string passed by the calling browser that provides some details about the caller. For example, if I call the HTTP trigger link from one of my SharePoint subsites, the Referer value contains the path of that subsite.

Now I can read this header value and look for a keyword or path, e.g. does my header include '/PNP/INDBILLQC'? If not, return a 'Bad Request' response; proceed only if it does. Something like the following:

First, check whether the Headers collection contains Referer:


contains(triggerOutputs()['Headers'],'Referer')
If it does, check the header value for the expected path.
This way, even if someone gets hold of the HTTP URL and tries to invoke it from a browser or from anywhere else, the response will always be 'Bad Request'.
Still, a developer could write an application that overrides the Referer header. To protect the flow from this threat, we can add another check: only allow the flow to proceed if the browser is Chrome, IE or Firefox. One cannot change the headers created by these browsers.

Each HTTP request also has a User-Agent header. We can check for it in the same way:

contains(triggerOutputs()['Headers'],'User-Agent')

You can capture the strings that these browsers generate and add a check for them. For example, the following is what Chrome generated. You can check for the 'Chrome/64' string if you want to be specific.


Mozilla/5.0,(Windows NT 10.0; Win64; x64),AppleWebKit/537.36,(KHTML, like Gecko),Chrome/64.0.3282.140,Safari/537.36,Edge/18.17763
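The two checks described above (Referer present and containing the subsite path, then User-Agent from a known browser), modelled in Python as an added example rather than Flow expression syntax; this is not the post's own code. It goes a step further than the post by matching the Referer host exactly and the path by prefix instead of a bare substring test, and the host contoso.sharepoint.com and the sample headers are constructed.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the author's SharePoint tenant; the path is the
# sub-site path quoted in the post. Replace both with your own values.
ALLOWED_REFERERS = [("contoso.sharepoint.com", "/pnp/indbillqc")]
# User-Agent product tokens for Chrome, IE, Firefox and Edge (the post's
# sample string carries Chrome/ and Edge/ tokens).
ALLOWED_UA_TOKENS = ("Chrome/", "Trident/", "Firefox/", "Edge/")


def get_header(headers, name):
    """Case-insensitive lookup, since HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def referer_allowed(referer):
    """Require https, an exact host match and a path prefix match, which is
    stricter than the post's substring test ('/PNP/INDBILLQC' anywhere)."""
    parts = urlsplit(referer)
    if parts.scheme != "https" or parts.hostname is None:
        return False
    return any(parts.hostname == host and parts.path.lower().startswith(prefix)
               for host, prefix in ALLOWED_REFERERS)


def check_trigger(headers):
    """Return the (status code, body) the flow would respond with, in the
    post's order: Referer present, Referer value ok, then User-Agent ok."""
    referer = get_header(headers, "Referer")
    if referer is None or not referer_allowed(referer):
        return 400, "Bad Request"
    user_agent = get_header(headers, "User-Agent") or ""
    if not any(token in user_agent for token in ALLOWED_UA_TOKENS):
        return 400, "Bad Request"
    return 200, "OK"


# Constructed sample header sets, shaped like what a Flow HTTP trigger exposes.
SAMPLE_FROM_SUBSITE = {
    "Referer": "https://contoso.sharepoint.com/PNP/INDBILLQC/SitePages/Home.aspx",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36",
}
SAMPLE_PASTED_LINK = {"User-Agent": SAMPLE_FROM_SUBSITE["User-Agent"]}  # no Referer
SAMPLE_OTHER_HOST = {
    "Referer": "https://other.example/PNP/INDBILLQC/",
    "User-Agent": SAMPLE_FROM_SUBSITE["User-Agent"],
}
```

Both headers are supplied by the calling client, so treat this as a filter against casual forwarding of the trigger link rather than as authentication of the caller.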
