Friday Fact: Logic App Consumption and Standard have different behaviors regarding default HTTP headers

  • Sandro Pereira
  • Jan 31, 2025

Logic Apps never cease to surprise us with new features and subtle behavioral differences between the Consumption and Standard tiers. Did you know that Logic Apps Consumption automatically adds several internal HTTP headers when it makes an HTTP call? Some of these headers include sensitive information. For example, they can expose your Azure subscription ID and resource group name. You should avoid sending this data to external systems.

It turns out it’s also a bit different for Consumption vs. Standard tiers:

  • Consumption has more headers, and those headers contain more sensitive information.
  • But the Standard request, luckily for us, doesn’t include those headers. That is a nice improvement made by the LA team, which will make our processes/solutions safer.

📝 One-Minute Brief

Azure Logic Apps Consumption and Standard handle default HTTP headers differently, which can lead to unexpected behavior in integrations. This Friday Fact explains the key differences, why they matter, and what developers should consider when designing HTTP-based workflows.

Let’s see this in more detail. To emulate these behaviors, let’s create two Consumption Logic Apps:

  • A simple Logic App with request-response actions.
  • And another Logic App that calls the first Logic App through the HTTP connector.
  • Now, let’s replicate those two Logic Apps in the Standard tier by creating two stateful workflows with the same logic.

If we test the Logic App Consumption and check the raw outputs of the When an HTTP request is received trigger, you will notice that several headers start with x-ms-workflow-*. Some of them expose information that you should never share with external systems. The most critical one reveals the subscription ID (x-ms-workflow-subscription-id). Since this header exposes the subscription ID, you should also treat the following headers as sensitive:

  • x-ms-workflow-id
  • x-ms-workflow-system-id
  • x-ms-workflow-resourcegroup-name
  • x-ms-execution-location
  • x-ms-workflow-run-id

When you run the same test with Logic Apps Standard, you’ll notice a different behavior. By default, it does not include the subscription ID or the resource group in outgoing HTTP requests. As a result, these calls do not expose any critical or sensitive information.
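To check what a given workflow really sends, you can capture the request headers at an endpoint you control and audit them against the header names listed above. The script below is an added example, not part of the original post: it assumes the headers are available as a JSON object under a "headers" key, and every sample value (plus the x-ms-workflow-example-extra header name) is a constructed placeholder.

```python
import json

# Header names the article lists as sensitive (compared in lower case).
SENSITIVE = {
    "x-ms-workflow-subscription-id",
    "x-ms-workflow-id",
    "x-ms-workflow-system-id",
    "x-ms-workflow-resourcegroup-name",
    "x-ms-execution-location",
    "x-ms-workflow-run-id",
}
PREFIX = "x-ms-workflow-"  # the article's x-ms-workflow-* family


def audit_headers(headers):
    """Return (findings, redacted copy). Header names are case-insensitive."""
    findings, redacted = {}, {}
    for name, value in headers.items():
        key = name.lower()
        if key in SENSITIVE:
            findings[key] = "listed"
        elif key.startswith(PREFIX):
            findings[key] = "family"  # not on the article's list, same prefix
        redacted[name] = "[REDACTED]" if key in findings else value
    return findings, redacted


# Constructed samples shaped like a trigger's raw outputs; every value is a
# placeholder, and x-ms-workflow-example-extra is a made-up header name.
CONSUMPTION = json.loads("""
{"headers": {
  "Host": "receiver.example.invalid",
  "Content-Type": "application/json",
  "X-MS-Workflow-Subscription-Id": "00000000-0000-0000-0000-000000000000",
  "x-ms-workflow-resourcegroup-name": "rg-placeholder",
  "x-ms-execution-location": "region-placeholder",
  "x-ms-workflow-example-extra": "placeholder"
}}
""")
STANDARD = {"headers": {"Host": "receiver.example.invalid",
                        "Content-Type": "application/json"}}

if __name__ == "__main__":
    for label, sample in (("consumption", CONSUMPTION), ("standard", STANDARD)):
        findings, redacted = audit_headers(sample["headers"])
        print(label, findings or "no workflow headers", redacted)
```

The redacted copy is what you would write to logs or share in a support ticket, so the subscription ID and resource group name never leave the capture point.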

Thanks, Calle Anderson, for pointing out this behavior.
