Introducing Security Warnings During API Validation
At Postman, we’re committed to empowering the API-driven economy. Since our first release as a Google Chrome extension, we’ve studied the needs of our users and evolved the product to enable easier collaboration across stakeholders of the API lifecycle.
A key aspect of API lifecycle management that we continue to focus on is API design. The design phase of the API lifecycle usually results in the creation of an API schema. By storing your API schemas in Postman, you can use a range of features of the API platform, such as the API Builder, API monitors, and API documentation. You can also use Postman to quickly validate your API schema and identify whether it conforms to the selected API description format.
Security warnings in API validation
We’ve now added the ability for you to view security warnings in the Define tab of an API alongside the validation errors flagged by Postman. You can access this by navigating to any API and choosing the Warnings tab as shown below:
Navigating to security warnings in the Define tab in Postman
Note: Security warnings are distinct from validation errors. An error means the schema does not conform to the selected API description format; a warning means the schema is well-formed but contains a potential weakness that could compromise your API's security posture. A schema with warnings but no errors still conforms to the selected format, so you can still use it to communicate across stakeholders, while treating the warnings as work to do before the API ships.
Security warnings let you identify potential security gaps early in your API development lifecycle. You can address them at the API design phase instead of discovering them after your API has been deployed to production, which helps you institute a security-first approach during API development.
This feature has been enabled in Postman for APIs defined in the OpenAPI 3.0 format. After discovering security warnings for your API in the Define tab, you can also use the “Possible fix” link displayed in the warning details to navigate to the learning center section explaining the severity, implications, and possible ways to resolve the respective warnings.
Possible fix link for each warning
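To make the distinction between errors and warnings concrete, here is an added illustrative checker (not Postman's code, and not its actual rule set) that runs two passes over an OpenAPI 3.0 document held as a Python dict: a structural pass that reports errors when required top-level fields are missing, and a security pass that reports warnings for a plain-HTTP server, an operation with no security requirement, anonymous access explicitly allowed, or a reference to a security scheme that is not declared under components. The sample document, the rule set, and the helper names are assumptions constructed for this example.

```python
# Added illustrative example (not Postman's code): a minimal checker that
# separates "errors" (the document does not conform to OpenAPI 3.0) from
# "warnings" (it conforms, but its security posture is questionable).
from dataclasses import dataclass

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


@dataclass(frozen=True)
class Finding:
    kind: str      # "error" or "warning"
    location: str  # slash-separated path into the document
    message: str


def validate_structure(spec: dict) -> list:
    """Errors: the document is not a well-formed OpenAPI 3.0 description.
    Only the required top-level fields are checked in this example."""
    errors = []
    if not str(spec.get("openapi", "")).startswith("3.0"):
        errors.append(Finding("error", "/openapi", "expected an OpenAPI 3.0.x version string"))
    if "title" not in spec.get("info", {}):
        errors.append(Finding("error", "/info", "info.title is required"))
    if "paths" not in spec:
        errors.append(Finding("error", "/paths", "paths object is required"))
    return errors


def security_warnings(spec: dict) -> list:
    """Warnings: the document is valid but leaves security gaps.
    The rules below are illustrative assumptions, not Postman's actual rule set."""
    warnings = []
    schemes = spec.get("components", {}).get("securitySchemes", {})
    global_security = spec.get("security")  # None when the field is absent

    for server in spec.get("servers", []):
        url = server.get("url", "")
        if url.startswith("http://"):
            warnings.append(Finding("warning", "/servers", f"{url} is served over plain HTTP"))

    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            loc = f"/paths{path}/{method}"
            # An operation without its own security field inherits the global one.
            security = op.get("security", global_security)
            if security is None:
                warnings.append(Finding("warning", loc, "no security requirement defined"))
            elif security == [] or {} in security:
                warnings.append(Finding("warning", loc, "anonymous access is explicitly allowed"))
            else:
                for requirement in security:
                    for name in requirement:
                        if name not in schemes:
                            warnings.append(Finding(
                                "warning", loc,
                                f"security scheme '{name}' is not defined in components"))
    return warnings


def check(spec: dict) -> dict:
    """Run both passes; a schema with warnings but no errors still conforms to OpenAPI 3.0."""
    return {"errors": validate_structure(spec), "warnings": security_warnings(spec)}


# Constructed sample: structurally valid OpenAPI 3.0, but with three security gaps.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Orders API", "version": "1.0.0"},
    "servers": [{"url": "https://api.example.com"}, {"url": "http://staging.example.com"}],
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/orders": {"get": {"security": [{"bearer": []}],
                            "responses": {"200": {"description": "ok"}}}},
        "/health": {"get": {"responses": {"200": {"description": "ok"}}}},
        "/admin/reindex": {"post": {"security": [{"oauth": ["admin"]}],
                                    "responses": {"202": {"description": "accepted"}}}},
    },
}

if __name__ == "__main__":
    result = check(SAMPLE_SPEC)
    for finding in result["errors"] + result["warnings"]:
        print(f"{finding.kind.upper():7} {finding.location}: {finding.message}")
```

Running the block on the sample prints no errors and three warnings, which is exactly the situation the note above describes: the document is a conforming OpenAPI 3.0 schema you could already share, but each warning points at something to fix before the API reaches production.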
You can find more details about individual warnings by checking out the Security Warnings docs in our Learning Center. We plan to improve these warnings to cover a wider set of security checks and expand support to add validation features for other API description formats. For more details on how to get started with API security best practices, you can explore the Postman Security public workspace and stay tuned for updates via the Postman blog.