Postman’s Proxy Now Fully Supports HTTPS Endpoints

Developers spend a lot of time debugging and manually testing APIs. Unsurprisingly, according to the 2020 State of the API Report by Postman, developers also feel like they should spend less time debugging (ideal state: 10.75%) than they actually do (existing state: 17%) while working with APIs. We’ve heard this loud and clear from Postman users, and that’s why we’re always working to make API testing and debugging faster for you.

Postman’s proxy is a good example: It lets you capture traffic and debug your APIs easily, whether on your local environment or a remote one. Capturing HTTP traffic works well to help with the debugging process—check out an earlier blog post that explains how you can capture requests made from mobile devices. However, flows with requests made over HTTPS (especially to hosts with HSTS enabled) traditionally haven’t been as smooth. But today, that changes: We’re happy to fulfill a long-standing feature request from our community by fully supporting HTTPS traffic in addition to HTTP traffic.

How HSTS is different

HSTS, or HTTP Strict Transport Security, is a web standard that forces web browsers and other clients to only let traffic through if the SSL certificate can be verified. This is critical to prevent the exploitation of users from man-in-the-middle attacks. According to a source, 19.3% of websites use HSTS. Without HSTS enabled, some browsers give users the option of proceeding after showing a warning; that loophole is closed when websites implement HSTS. However, this poses a problem for tools that are meant to inspect traffic flowing over the wire. For the client applications (browsers, in many cases) to continue to trust their response, they need to trust Postman’s certificate authority.

Often, local development happens without HTTPS, so the problem mentioned above is a non-issue. However, if you’re testing APIs on a remote environment or those of third-party providers like Google, there’s no way to opt out of HSTS. And with the new capability we’re announcing today, Postman now addresses this scenario.

Tutorial: Postman’s HSTS (HTTPS) Support

To capture traffic for HSTS endpoints, you’ll need to install the self-signed root CA (Certificate Authority) certificate generated by Postman. Check our documentation for details on how to do this. The CA certificate tells your system or browser that Postman is a valid issuer of certificates (similar to Verisign, Comodo, and Let’s Encrypt). When Postman’s proxy encounters a request to a new HTTPS domain, it’ll create an SSL certificate on the fly. This lets your browser consume the endpoint’s response without showing a security warning.

Here are the steps to capture traffic if you’re on OSX:

  • Navigate to ~/Library/Application Support/Postman/proxy
  • Double-click on postman-proxy-ca.crt
  • Choose “System” from the keychain option
  • Click on the imported Postman certificate, and when the following window pops-up
    • Click the “Always Trust” button
    • Select Always Trust only for Secure Sockets Layer (SSL)
Postman proxy certificate
Postman proxy certificate permissions

You’re now all set to capture traffic in Postman, even if it has HSTS enabled. This capability enables you to:

  1. Check all API calls that are being made between the client and the server, and save these into Postman’s history or a specific collection.

  2. Use these captured requests to build and publish documentation or mock servers without needing to manually author requests.

What do you think about this feature? Tell us in a comment below. You can also give product feedback through our Community forum or GitHub repository

Comment

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.

10 thoughts on “Postman’s Proxy Now Fully Supports HTTPS Endpoints

    I just installed postman since my Fiddler has stopped capturing requests for some reason.
    I want to capture http and https traffic on my mac for backend development needs
    The MAC installed Postman application refers me to this section “Tutorial: Postman’s HSTS (HTTPS) Support” in this article.
    The instruction say: go to “Navigate to ~/Library/Application Support/Postman/proxy” yet in my case the Postman folder and the certificate is not there.
    So how to generate it?.. looking at the articale it say: “To capture traffic for HSTS endpoints, you’ll need to install the self-signed root CA (Certificate Authority) certificate generated by Postman. Check our documentation for details on how to do this.” which goes to a broken link.
    I am very frustrated with getting Postman on Mac to work. Not finding anything useful on Youtube with most guides going to the web version.
    How do I generate the above certificate?
    This article refers to

      Hi Werner, The documentation link looks to be working now and is here. If you still need help, please contact our support team at http://www.postman.com/support, and they’ll be glad to help you.

    postman-proxy-ca.crt does not exist at C:\Users\AppData\Roaming\Postman\proxy, or anywhere else. There is no instruction on how to generate or download this certificate if it doesn’t exist

    In my case for HTTPS requests, I am getting ERR_TIMED_OUT. No https requests are getting recorded.

    SSL certificate not trusting in android devices. But this is working in windows and other devices as well.

    Following this documentation https://learning.postman.com/docs/sending-requests/capturing-request-data/capturing-http-requests/#capture-https-traffic-with-postmans-built-in-proxy. I am enable to capture HTTP endpoint by using Mac proxy and an Android device. But I can’t capture any HTTPS endpoints. Any troubleshoot? I have choose ‘Always Trust’ for all the option in the Postman Proxy CA.

    This appears to work ok for capturing https requests from a browser app running on the same computer as the Postman app (after following CRT installation instructions). But it does not work when trying to proxy HTTPS request from a device through the Postman app on a wifi connected computer (Mac in my case). It would be nice to see an article that explained all the intricacies of doing this from a device. Thx.

    Is there a way to correctly install this certificate on Android? Most of sites which I try to open through browser fail with “ERR_CERT_AuTHORITY_INVALID” and apps mostly show “Can’t connect to the internet” messsage