Disable Temporary Headers

For me, Postman is maintaining the atlassian.xsrf.token and JSESSIONID which makes it impossible for me to simulate a “logged off” user… I’d have to wait the session expire on the server to test my code!!!

Just wanted to link the two things together, here is the app-support ticket: https://github.com/postmanlabs/postman-app-support/issues/2689

Link Here

Your link didn’t work for me. I tracked it down though.

1 Like

This is a ridiculous decision.

How are we meant to test different caching strategies if Postman always sends a temporary cache-control header that disables caching?
JQuery.ajax() etc do not add this temporary header when loading a resource, even if the browser does so when performing a direct, address bar, request.

@girish.jaiswal has a work around, but it is couinterintuitive to add an empty header to remove the temporary header. This should just work out of the box.

Hey @martin.graney,

The cache-control header can be disabled from the settings:


I am having trouble sending requests to a third party admin endpoint. If copy out the curl and remove all the extra headings it works. Can we have a toggle to remove all temporary headers? It rather defeats the purpose of using your tool if I have to copy the request and curl it instead. :frowning:

I downloaded POSTMAN to have a client which is able to meticulously specify my request. Now I see it’s adding stuff under the hood automatically. I can see why it’s useful, but please consider an option to disable the default headers so we can troubleshoot our API’s.

I don’t understand what you guys were thinking when you started adding temporary headers to all curls. It’s super annoying sending curl requests to other people now. And time is often wasted debugging why a curl is not working where the cause is always a temporary header like host or content length.

Hi @jeffpc1993 You should be able to share the Curl codes without any temporary headers using the - “New Code generation mode

This is very annoying!!! I have disabled the above header settings and STILL there are Postman headers appearing. I have recreated the connection painstakingly with all the parameters and still those Postman headers are being sent across. Sorry, but this tool has become a lot worse since I started using it. Switching to Insomnia

Yay, I’ll join the line of people who just discovered why their API calls fail, because Postman adds some random stuff.
Seriously, no.
I don’t understand how you got the idea to make this a default, non-changeable behaviour, and I absolutely don’t understand how this issue can exist for more than half a year now, and nobody was able to include a “disable all magic crap” checkbox.
As a developer, I also don’t see why you “need to know more about this” and “understand the use cases”. Postman is a tool. As such, it should not make assumptions and guesses about what might work best, but just do what it has been told to. Adding a switch to turn that behavior off can’t be such a big deal (unless your code is a mess).

I thank you for offering this tool for free, it has helped me a lot in the past, but now has cost me many hours trying to figure out what was wrong, and as I see no intention here to fix this issue, I’ll have to leave Postman.

Thanks for those who mentioned Insomnia!


Don’t add stuff I don’t want. I am a developer.

+1, we need to create another request to bypass the old headers, that’s stupid, why can’t we delete them ?

1 Like

+1. I wasted a lot of time not realizing Postman was adding other cookies to my request. The scenario is the following: I was testing a request on this url:

I sent some cookies with the request to test the authentication handshaking.

Turns out postman had access to cookies from the parent domain (captured from my browser maybe or from other requests? not sure but I never set these) on the PARENT domain mycompany.com and was sending them in the “temporary headers” section. These cookies were interfering with or hiding the cookies I was trying to send.

I figured out that you can go to the “Manage cookies” dialog and delete cookies for each domain. However, my company has a lot of domains and subdomains so this list is very large. In this case, the domain is about half way down a list of like 30 domains. That means every time I do a request, I have to scroll down and search for this domain to see if any cookies are remembered. I can’t seem to find a way to do any of the following to make it easier:

  • Stop storing or sending cookies other than what I’ve specified in the request
  • Stop remembering cookies or at least stop remembering for certain domains
  • Delete all cookies from all domains
  • A search function to find the domain in the “Manage cookies” window so I can least find this domain easier
  • Stop sending temporary headers, the subject of this thread :smiley:

Just wanted to add my two cents here.

Freaking disable automatically adding headers!

I’ve found that useful approximately uh, 3 times. Out of 200+ requests. I was forced to use curl and write things the hard way out.

If I’m trying to test some API, I don’t want to find out that the only reason my API was working/broken in postman is because of invisible headers I didn’t know was being sent. I wasted 2 days on this when I first discovered this “feature” due to the unreliability of the data I had to utilize, which would randomly fail. I was new to http at the time which is why it took me so long.

You’re trying to screw over inexperienced developers? Why?

Freaking make this optional! Even as a “default headers” which can be expanded below “Headers” would be handy!

Not once did I ever thank Postman for sending these headers, when I’m a developer trying to send valid http requests while controlling every single aspect it was not fun at all to discover I can’t control this with Postman itself, and it hides itself. Almost maliciously.

I’m leaving postman installed for one reason, and one reason only. I’m hoping this insanity will be fixed. Because I can’t use Postman otherwise for development.

Meanwhile, insomnia sounds like it’s going to be handy… Not as friendly a user interface maybe, but definitely not trying to screw its own users over by intentionally corrupting the data.

Btw, whats with Postman starting to get bloated with clutter? It used to be a simple tool…

Oh, oh, it sends the unresolved “{{access_token}}” string to the API :sob:

Would be amazing to let users disable/enable Temporary Headers.

Trust me. I don’t need this header. I am a developer. LET ME DISABLE IT!

1 Like

I understand that it may be difficult to change the current behavior, but please prioritize this, for the love of all that’s holy! I need to be able to test how my application reacts to invalid input - I don’t need to be “corrected” by the tool I am using to generate said input and to be told that this is not what I should want after all.

I am reminded of the venerable Clippy assistant: “It looks like you are trying to generate invalid requests, let me tell you what you should be really doing instead!”

1 Like

+2 days wasted

… before discovering Google App Engine was rejecting Postman’s HTTP requests because of … Postman, not my code.

Postman now is an extremely heavyweight curl tutorial for me, clicking Code to see the equivalent curl command that will actually work, where Postman does not. Thanks I guess?

1 Like

Hey everyone.
Take a look at this change we just released in our Canary builds.

We welcome any feedback you have on it.