UiPath.Web.Activities.HttpClient usage violates security rule ST-SEC-009

Hi All,

We are using the HTTP Request activity for our customer base application, which requires the use of an API key along with a username and password.

Hence, we are storing the API key as a credential on Orchestrator. Then, upon fetching the API key from Orchestrator, we have to convert it from a secure string to a string to be able to pass this key into the headers section of the HTTP request, as it only accepts string values, as shown below.

This violates our governance rule (ST-SEC-009, i.e. secure string misusage) enabled at an enterprise level.

Is there a way to pass the API key in a secure format which would also comply with our governance rule?

Is there any other activity that can be used to fulfill this requirement?

Please suggest.



Hi @AndrewHall @loginerror @Paul_Boulescu,

Looping you in here to seek your inputs as this is also related to governance.

This activity usage is interfering with our governance rule ST-SEC-009.


First thought, if you have any influence over the governance policy, this rule is quite artificial and IMO I would recommend it not be enabled for reasons exactly like this since SecureString doesn’t provide much security and in many places you need the password retrieved from Orchestrator as a standard string. See 'Send SMTP Mail Message' Password - SecureString - #24 by AndrewHall

Second, if you can’t disable the rule, if you are able to upgrade to the 21.4 System activities package, turn on the “Show StudioX” filter in the activities panel and use the StudioX “Get Username/Password” activity. You can set this to retrieve the credential from Orchestrator, and the resulting output offers the Password as both a standard String and a SecureString so it can be used wherever needed without converting: UiPath Community 2021.4 Stable Release


Thank you @AndrewHall for your inputs.