At Postman, we’re committed to empowering the API-driven economy. Since our first release as a Google Chrome extension, we’ve studied the needs of our users and evolved the product to enable easier collaboration across stakeholders of the API lifecycle.
A key aspect of API lifecycle management that we continue to focus on is API design. The design phase of the API lifecycle usually results in the creation of an API schema. By storing your API schemas in Postman, you can use a number of features of the API platform, such as the API Builder, API monitors, and API documentation. You can use Postman to quickly validate your API schema and check whether it conforms to the selected API description format.
Security warnings in API validation
We’ve now added the ability for you to view security warnings in the Define tab of an API alongside the validation errors flagged by Postman. You can access this by navigating to any API and choosing the Warnings tab as shown below:
Navigating to security warnings in the Define tab in Postman
Note: Security warnings are not errors. A security warning points out a potential loophole in your API schema that can weaken your API's security posture, whereas an error means the schema does not conform to the selected API description format. A schema with no errors still conforms to that format, so you can continue to use it to communicate across stakeholders even while warnings remain open.
Security warnings let you identify potential security gaps early in your API development lifecycle. You can now address these blind spots during the API design phase instead of discovering them after your API has been deployed to production. This helps you institute a security-first approach during API development.
This feature is enabled in Postman for APIs defined in the OpenAPI 3.0 format. After reviewing the security warnings for your API in the Define tab, you can use the “Possible fix” link displayed in each warning's details to open the Learning Center section that explains the severity and implications of that warning and the possible ways to resolve it.
Possible fix link for each warning
You can find more details about individual warnings by checking out the Security Warnings docs in our Learning Center. We plan to improve these warnings to cover a wider set of security checks and expand support to add validation features for other API description formats. For more details on how to get started with API security best practices, you can explore the Postman Security public workspace and stay tuned for updates via the Postman blog.
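As an added example, and not Postman's own validator or code from this post, the Python check below walks an OpenAPI 3.0 document and reports the kind of design-time security gaps that the warnings described above are meant to surface: no global security requirement, operations with missing or explicitly disabled security, plain-HTTP servers, and API keys carried in the query string. The sample document and the exact set of checks are constructed for illustration; the warnings Postman actually raises are listed in the Learning Center.

```python
HTTP_METHODS = ("get", "put", "post", "delete", "patch", "head", "options", "trace")

# Constructed sample: structurally valid OpenAPI 3.0, but with design-time security gaps.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Orders API", "version": "1.0"},
    "servers": [{"url": "http://api.example.com/v1"}],            # plain HTTP
    "paths": {
        "/orders": {
            "get": {"responses": {"200": {"description": "ok"}}},   # no security at all
            "post": {"security": [{"ApiKeyAuth": []}],
                     "responses": {"201": {"description": "created"}}},
        },
        "/health": {"get": {"security": [],                        # explicitly disabled
                            "responses": {"200": {"description": "ok"}}}},
    },
    "components": {"securitySchemes": {
        "ApiKeyAuth": {"type": "apiKey", "in": "query", "name": "api_key"}}},
}


def security_warnings(spec: dict) -> list[str]:
    """Return one message per gap found; an empty list means nothing was flagged."""
    found: list[str] = []
    schemes = spec.get("components", {}).get("securitySchemes", {})
    if not schemes:
        found.append("components.securitySchemes is not defined")
    if "security" not in spec:
        found.append("global security requirement is not defined")
    for server in spec.get("servers", []):
        if server.get("url", "").startswith("http://"):
            found.append(f"server {server['url']} uses plain HTTP")
    for name, scheme in schemes.items():
        if scheme.get("type") == "apiKey" and scheme.get("in") == "query":
            found.append(f"securitySchemes.{name}: API key is sent in the query string")
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            # An operation-level 'security' overrides the global one; [] disables auth.
            sec = op.get("security", spec.get("security"))
            label = f"{method.upper()} {path}"
            if sec is None:
                found.append(f"{label}: no security requirement (global or local)")
            elif sec == []:
                found.append(f"{label}: security is explicitly disabled")
            elif any(ref not in schemes for req in sec for ref in req):
                found.append(f"{label}: references an undefined security scheme")
    return found
```

Running `security_warnings(SAMPLE_SPEC)` yields five messages; replacing the scheme with an HTTP bearer scheme, adding a global `security` requirement and switching the server to HTTPS brings the list down to empty.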
Postman provides a wide range of functions and features to assist with API development, testing, and collaboration. Here are some commonly used functions in Postman:
Creating and Managing Requests: Postman allows you to create API requests by specifying the request method, URL, headers, parameters, and body. You can manage and organize requests within collections, including creating folders, adding descriptions, and reordering requests.
Request and Response Visualization: Postman provides a user-friendly interface to view and analyze request and response data. It supports syntax highlighting for various data formats such as JSON, XML, and HTML, making it easier to understand and validate the data.
Environment and Variables: Postman allows you to define variables and environments. Variables enable you to store and reuse dynamic values across requests, making them flexible and easy to maintain. Environments provide sets of variables specific to different environments (e.g., development, staging, production).
Pre-request Scripts: Postman enables you to execute scripts before sending API requests using pre-request scripts. These scripts can be used to dynamically generate values, manipulate data, or set variables based on specific conditions.
Collection Runner: The Collection Runner allows you to execute a series of requests in a collection. It enables you to perform data-driven testing by iterating over multiple sets of data or environments. You can configure iterations, delays, and data sources for more comprehensive testing.
Mock Servers: Postman allows you to create mock servers for simulating API responses without a live backend. Mock servers are useful during development, allowing frontend developers to work independently by providing simulated API responses.
Documentation Generation: Postman can automatically generate documentation for your APIs based on your requests and collections. It provides a simple way to share API specifications and details with stakeholders.
Collaboration and Teamwork: Postman offers collaboration features such as sharing collections, collaborating on requests, and commenting on specific requests or collections. It also supports version control integration to manage changes and updates effectively.
Integration and Automation: Postman integrates with various tools and services, including version control systems (e.g., Git), CI/CD platforms (e.g., Jenkins), and API management solutions. It provides options for integrating with these tools to automate API testing and deployment processes.