Uipath.Web.activities.HttpClient usage violates security rule ST-SEC-009

Hi All,

We are using http request activity for our customer base application which requires the use of an API key along with username and password.

Hence, we are storing api key as credential on orchestrator. Then upon fetching api key from orchestrator, we have to convert this from secure string to string to be able to pass this key into headers section of http request as it only accepts string values as shown below.

This violates our governance rule(St-SEC-009 i.e. secure string misusage) enabled at an enterprise level.

Is there a way to pass API key in a secure format which would also comply to our governance rule.

Is there any else activity that can be used to fulfill this requirement?

Please suggest.


1 Like

Hi @AndrewHall @loginerror @Paul_Boulescu,

Looping you in here to seek your inputs as this is also related to governance.

This activity usage is interfering with our governance rule ST-SEC-009.


First thought, if you have any influence over the governance policy, this rule is quite artificial and IMO I would recommend it not be enabled for reasons exactly like this since SecureString doesn’t provide much security and in many places you need the password retrieved from Orchestrator as a standard string. See 'Send SMTP Mail Message' Password - SecureString - #24 by AndrewHall

Second, if you can’t disable the rule, if you are able to upgrade to the 21.4 System activities package, turn on the “Show StudioX” filter in the activities panel and use the StudioX “Get Username/Password” activity. You can set this to retrieve the credential from Orchestrator, and the resulting output offers the Password as both a standard String and a SecureString so it can be used wherever needed without converting UiPath Community 2021.4 Stable Release


Thank you @AndrewHall for your inputs.

Hi Guys,

We have explored enough on this request and also raised this on uipath portal. After extensive search and discussions, solution found is as below:

UiPath team will have the studio package for web activities upgraded to be able to accept body/headers in a secure manner.
In the meanwhile, we can go for creation of custom rule to bypass check on this activity or drop down this to warning or create custom package version for web activities package which would accept secure string.

Hope this info helps someone.


1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.