Developers spend a lot of time debugging and manually testing APIs. Unsurprisingly, according to the 2020 State of the API Report by Postman, developers also feel like they should spend less time debugging (ideal state: 10.75%) than they actually do (existing state: 17%) while working with APIs. We’ve heard this loud and clear from Postman users, and that’s why we’re always working to make API testing and debugging faster for you. Postman’s proxy is a good example: It lets you capture traffic and debug your APIs easily, whether on your local environment or a remote one.

Capturing HTTP traffic works well to help with the debugging process; check out an earlier blog post that explains how you can capture requests made from mobile devices. However, flows with requests made over HTTPS (especially to hosts with HSTS enabled) traditionally haven’t been as smooth. But today, that changes: We’re happy to fulfill a long-standing feature request from our community by fully supporting HTTPS traffic in addition to HTTP traffic.

HSTS, or HTTP Strict Transport Security, is a web standard that forces web browsers and other clients to only let traffic through if the SSL certificate can be verified. This is critical to protect users from exploitation through man-in-the-middle attacks. According to a source, 19.3% of websites use HSTS. Without HSTS enabled, some browsers give users the option of proceeding after showing a warning; that loophole is closed when websites implement HSTS. However, this poses a problem for tools that are meant to inspect traffic flowing over the wire. For the client applications (browsers, in many cases) to continue to trust the responses they receive, they need to trust Postman’s certificate authority.

Often, local development happens without HTTPS, so the problem mentioned above is a non-issue. However, if you’re testing APIs on a remote environment or those of third-party providers like Google, there’s no way to opt out of HSTS. And with the new capability we’re announcing today, Postman now addresses this scenario.

To capture traffic for HSTS endpoints, you’ll need to install the self-signed root CA (Certificate Authority) certificate generated by Postman. Check our documentation for details on how to do this. The CA certificate tells your system or browser that Postman is a valid issuer of certificates (similar to Verisign, Comodo, and Let’s Encrypt). When Postman’s proxy encounters a request to a new HTTPS domain, it’ll create an SSL certificate on the fly.
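
As an added example (not from the original post and not Postman's code), the following Python interprets a Strict-Transport-Security header value the way RFC 6797 requires of a client, which tells you whether the certificate-warning click-through mentioned in the post is still available for a host. The function names and the header values used with them are constructed for illustration.

```python
# Added example: interpret Strict-Transport-Security values per RFC 6797 section 6.1.
# Simplification (assumption): a ";" inside a quoted value is not supported.
import re

_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_hsts(header_value, over_https=True):
    """Return a policy dict, or None when a client must ignore the header."""
    if not over_https:
        return None  # RFC 6797 section 8.1: HSTS seen over plain HTTP is ignored
    seen = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:  # empty directives (";;") are permitted
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        value = value.strip()
        if not _TOKEN.match(name) or name in seen:
            return None  # malformed name or repeated directive: whole header invalid
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # quoted-string form, e.g. max-age="31536000"
        seen[name] = value if sep else None  # unknown directives are kept but unused
    max_age = seen.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None  # max-age is required and must be a non-negative integer
    seconds = int(max_age)
    return {
        "enforced": seconds > 0,  # max-age=0 tells the client to forget the host
        "max_age": seconds,
        "include_subdomains": "includesubdomains" in seen,
        "preload": "preload" in seen,  # browser preload-list convention, not RFC 6797
    }


def click_through_blocked(header_value, over_https=True):
    """True when a compliant client will hard-fail on an unverifiable certificate."""
    policy = parse_hsts(header_value, over_https)
    return bool(policy and policy["enforced"])


if __name__ == "__main__":
    # Constructed sample header values, not captured from any real host.
    for sample in ("max-age=31536000; includeSubDomains; preload",
                   'MAX-AGE="600"', "max-age=0", "max-age=600; max-age=700"):
        print(repr(sample), "->", parse_hsts(sample))
```

For hosts where `click_through_blocked` returns True, traffic can only be captured once the inspecting proxy's root CA is trusted by the client.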