API Security Checking below Enterprise Level

The Postman Intergalactic webinar of 1/25/23 indicated that anyone can use the Security API Check, even with the free license. You just can’t add custom rules unless you have an Enterprise license.

However, the Rules tab does not even display for the free license, so it seems this is not the case. We have submitted a budget request for the Basic License, but it seems that most Security functionality is for the Enterprise level only.

The webinar provided this blog post link with instructions for free license users. It requires use of a third-party tool, which I will have to research and make a case for whitelisting before I can install it:
OWASP ZAP. API Security Testing With Postman and OWASP Zap – The Test Therapist

So, in reality, Postman does not provide API Security Testing to free accounts without a third-party tool, which involves taking on additional security risks. I don’t know if it is even provided for Basic accounts. This should be made clearer.

As far as I understand it, in this example Postman is only used to add the API endpoints (based on the requests in the collection) to OWASP ZAP; the actual security testing/scanning is then done by ZAP.


Hi @rhopper2020 – I wanted to follow up here!

While the Security API Check with custom rules isn’t the only way to protect your APIs, Postman includes several built-in security measures available to all users (even on Free!). From the moment you sign up, our platform is designed to help you reduce risk and protect sensitive data:

  • Secret Scanning – Proactively scans your workspaces, documentation, and connected repos for exposed credentials before collections are made public, and alerts you immediately if something is found.

  • Postman Local Vault – Stores credentials locally on your machine and never syncs them to the cloud, so even workspace admins can’t access them. The vault clears automatically on sign-out.

  • Best Practices Guidance – Built-in recommendations, like reviewing collections before publishing, avoiding saving auth headers by default, and keeping sensitive work private.

You can find more details on these features and our secure-by-design approach in this blog from our Head of Security, Sam Chehab: Postman (Free) is secure by design

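An added example, not code from this thread, from Postman or from ZAP: it walks a Postman Collection v2.1 JSON to list the (method, URL) pairs that a scanner such as ZAP would receive in the workflow described above, and, in the spirit of the secret-scanning and "avoid saving auth headers" points, flags requests whose saved Authorization header carries a literal credential instead of a {{variable}}. The collection, its hostnames and the token are constructed sample data, and the function names are my own.

```python
import json
import re

# Constructed Postman Collection v2.1 sample (not from the thread): a nested folder, one request
# with a literal token saved in its Authorization header, one using a {{variable}}, one unauthenticated.
SAMPLE_COLLECTION = json.loads(r'''{
  "info": {"name": "demo-api",
           "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"},
  "item": [
    {"name": "users", "item": [
      {"name": "list", "request": {"method": "get",
         "url": {"raw": "https://api.example.test/v1/users?page=1"},
         "header": [{"key": "Authorization", "value": "Bearer CONSTRUCTED_LITERAL_TOKEN_123"}]}},
      {"name": "create", "request": {"method": "POST",
         "url": "https://api.example.test/v1/users",
         "header": [{"key": "Authorization", "value": "Bearer {{api_token}}"}]}}]},
    {"name": "health", "request": {"method": "GET", "url": "https://api.example.test/healthz"}}]
}''')

_VARIABLE = re.compile(r"^\{\{[^{}]+\}\}$")  # a Postman variable reference such as {{api_token}}

def walk_requests(items):
    """Yield every request object in a collection's item tree (folders nest via 'item')."""
    for item in items:
        if "item" in item:
            yield from walk_requests(item["item"])
        elif "request" in item:
            yield item["request"]

def request_url(request):
    """v2.1 stores url as a plain string or as an object whose 'raw' field holds the full URL."""
    url = request.get("url", "")
    return url if isinstance(url, str) else url.get("raw", "")

def endpoints(collection):
    """Sorted (METHOD, URL) pairs: what a scanner such as ZAP receives from this collection."""
    return sorted({(r.get("method", "GET").upper(), request_url(r))
                   for r in walk_requests(collection["item"])})

def saved_credentials(collection):
    """Requests whose saved Authorization header holds a literal credential, not a {{variable}}."""
    findings = []
    for r in walk_requests(collection["item"]):
        for header in r.get("header", []):
            if header.get("key", "").lower() != "authorization" or header.get("disabled"):
                continue
            parts = header.get("value", "").split()  # e.g. ["Bearer", "<credential>"]
            if parts and not _VARIABLE.match(parts[-1]):
                findings.append((r.get("method", "GET").upper(), request_url(r)))
    return findings
```

Running `endpoints` on a real exported collection gives the list to hand to ZAP, while `saved_credentials` is the check to run before a collection is shared or published.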