Developers spend a lot of time debugging and manually testing APIs. Unsurprisingly, according to the 2020 State of the API Report by Postman, developers also feel like they should spend less time debugging (ideal state: 10.75%) than they actually do (existing state: 17%) while working with APIs. We’ve heard this loud and clear from Postman users, and that’s why we’re always working to make API testing and debugging faster for you.
Postman’s proxy is a good example: It lets you capture traffic and debug your APIs easily, whether on your local environment or a remote one. Capturing HTTP traffic works well to help with the debugging process—check out an earlier blog post that explains how you can capture requests made from mobile devices. However, flows with requests made over HTTPS (especially to hosts with HSTS enabled) traditionally haven’t been as smooth. But today, that changes: We’re happy to fulfill a long-standing feature request from our community by fully supporting HTTPS traffic in addition to HTTP traffic.
How HSTS is different
HSTS, or HTTP Strict Transport Security, is a web standard that forces web browsers and other clients to connect to a site only over HTTPS and to refuse the connection if the SSL certificate cannot be verified. This is critical to protect users from man-in-the-middle attacks. According to a source, 19.3% of websites use HSTS. Without HSTS enabled, some browsers give users the option of proceeding after showing a warning; that loophole is closed when websites implement HSTS. However, this poses a problem for tools that are meant to inspect traffic flowing over the wire. For client applications (browsers, in many cases) to keep trusting the responses that pass through such a tool, they need to trust Postman’s certificate authority.
Often, local development happens without HTTPS, so the problem mentioned above is a non-issue. However, if you’re testing APIs on a remote environment or those of third-party providers like Google, there’s no way to opt out of HSTS. And with the new capability we’re announcing today, Postman now addresses this scenario.
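The HSTS behaviour described above, written out as an added example (this is not Postman's code): a small client-side HSTS cache that parses Strict-Transport-Security headers and decides whether a host is locked to verified HTTPS, following RFC 6797 semantics. Timestamps are passed in explicitly, and the header values used to exercise it are constructed for illustration.

```python
# Added example, not Postman's code: the decision an HSTS-aware client makes from
# Strict-Transport-Security headers it has seen (RFC 6797 semantics). Timestamps
# are passed in explicitly so the logic is deterministic and testable.

def parse_hsts(header):
    """Return (max_age_seconds, include_subdomains) or None if malformed."""
    max_age, include_subdomains = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if max_age is not None or not value.isdigit():  # exactly once, numeric
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # any other directive is ignored, as the RFC requires
    return None if max_age is None else (max_age, include_subdomains)


class HstsStore:
    """In-memory HSTS cache keyed by host, as a browser keeps it."""

    def __init__(self):
        self.entries = {}  # host -> (expires_at, include_subdomains)

    def observe(self, host, header, now):
        """Record a header received over a verified HTTPS connection at time `now`."""
        parsed = parse_hsts(header)
        if parsed is None:
            return  # malformed header: leave any existing policy untouched
        max_age, include_subdomains = parsed
        if max_age == 0:
            self.entries.pop(host.lower(), None)  # max-age=0 asks the client to forget
        else:
            self.entries[host.lower()] = (now + max_age, include_subdomains)

    def is_enforced(self, host, now):
        """True if `host` is a known HSTS host at time `now`: plain HTTP is upgraded
        and an unverifiable certificate is a hard failure with no click-through,
        which is why an intercepting proxy's CA must be trusted by the client."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue  # unknown or expired
            if i == 0 or entry[1]:  # exact host, or a parent with includeSubDomains
                return True
        return False
```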
Tutorial: Postman’s HSTS (HTTPS) Support
To capture traffic for HSTS endpoints, you’ll need to install the self-signed root CA (Certificate Authority) certificate generated by Postman. Check our documentation for details on how to do this. The CA certificate tells your system or browser that Postman is a valid issuer of certificates (similar to Verisign, Comodo, and Let’s Encrypt). When Postman’s proxy encounters a request to a new HTTPS domain, it’ll create an SSL certificate on the fly. This lets your browser consume the endpoint’s response without showing a security warning.
Here are the steps to capture traffic if you’re on OSX:
- Navigate to ~/Library/Application Support/Postman/proxy
- Double-click on postman-proxy-ca.crt
- Choose “System” from the keychain option
- Click on the imported Postman certificate, and when the following window pops up
- Click the “Always Trust” button
- Select Always Trust only for Secure Sockets Layer (SSL)
You’re now all set to capture traffic in Postman, even if it has HSTS enabled. This capability enables you to:
- Check all API calls that are being made between the client and the server, and save these into Postman’s history or a specific collection.
- Use these captured requests to build and publish documentation or mock servers without needing to manually author requests.