For me, Postman is maintaining the atlassian.xsrf.token and JSESSIONID which makes it impossible for me to simulate a âlogged offâ user⌠Iâd have to wait the session expire on the server to test my code!!!
Just wanted to link the two things together, here is the app-support ticket: https://github.com/postmanlabs/postman-app-support/issues/2689
This is a ridiculous decision.
How are we meant to test different caching strategies if Postman always sends a temporary cache-control header that disables caching?
JQuery.ajax() etc do not add this temporary header when loading a resource, even if the browser does so when performing a direct, address bar, request.
@girish.jaiswal has a work around, but it is couinterintuitive to add an empty header to remove the temporary header. This should just work out of the box.
I am having trouble sending requests to a third party admin endpoint. If copy out the curl and remove all the extra headings it works. Can we have a toggle to remove all temporary headers? It rather defeats the purpose of using your tool if I have to copy the request and curl it instead. 
I downloaded POSTMAN to have a client which is able to meticulously specify my request. Now I see itâs adding stuff under the hood automatically. I can see why itâs useful, but please consider an option to disable the default headers so we can troubleshoot our APIâs.
I donât understand what you guys were thinking when you started adding temporary headers to all curls. Itâs super annoying sending curl requests to other people now. And time is often wasted debugging why a curl is not working where the cause is always a temporary header like host or content length.
Hi @jeffpc1993 You should be able to share the Curl codes without any temporary headers using the - âNew Code generation modeâ
This is very annoying!!! I have disabled the above header settings and STILL there are Postman headers appearing. I have recreated the connection painstakingly with all the parameters and still those Postman headers are being sent across. Sorry, but this tool has become a lot worse since I started using it. Switching to Insomnia
Yay, Iâll join the line of people who just discovered why their API calls fail, because Postman adds some random stuff.
Seriously, no.
I donât understand how you got the idea to make this a default, non-changeable behaviour, and I absolutely donât understand how this issue can exist for more than half a year now, and nobody was able to include a âdisable all magic crapâ checkbox.
As a developer, I also donât see why you âneed to know more about thisâ and âunderstand the use casesâ. Postman is a tool. As such, it should not make assumptions and guesses about what might work best, but just do what it has been told to. Adding a switch to turn that behavior off canât be such a big deal (unless your code is a mess).
I thank you for offering this tool for free, it has helped me a lot in the past, but now has cost me many hours trying to figure out what was wrong, and as I see no intention here to fix this issue, Iâll have to leave Postman.
Thanks for those who mentioned Insomnia!
2 Likes
Donât add stuff I donât want. I am a developer.
+1, we need to create another request to bypass the old headers, thatâs stupid, why canât we delete them ?
1 Like
+1. I wasted a lot of time not realizing Postman was adding other cookies to my request. The scenario is the following: I was testing a request on this url:
https://model.api.mycompany.com/v1/blah-api
I sent some cookies with the request to test the authentication handshaking.
Turns out postman had access to cookies from the parent domain (captured from my browser maybe or from other requests? not sure but I never set these) on the PARENT domain mycompany.com and was sending them in the âtemporary headersâ section. These cookies were interfering with or hiding the cookies I was trying to send.
I figured out that you can go to the âManage cookiesâ dialog and delete cookies for each domain. However, my company has a lot of domains and subdomains so this list is very large. In this case, the domain is about half way down a list of like 30 domains. That means every time I do a request, I have to scroll down and search for this domain to see if any cookies are remembered. I canât seem to find a way to do any of the following to make it easier:
- Stop storing or sending cookies other than what Iâve specified in the request
- Stop remembering cookies or at least stop remembering for certain domains
- Delete all cookies from all domains
- A search function to find the domain in the âManage cookiesâ window so I can least find this domain easier
- Stop sending temporary headers, the subject of this thread
Just wanted to add my two cents here.
Freaking disable automatically adding headers!
Iâve found that useful approximately uh, 3 times. Out of 200+ requests. I was forced to use curl and write things the hard way out.
If Iâm trying to test some API, I donât want to find out that the only reason my API was working/broken in postman is because of invisible headers I didnât know was being sent. I wasted 2 days on this when I first discovered this âfeatureâ due to the unreliability of the data I had to utilize, which would randomly fail. I was new to http at the time which is why it took me so long.
Youâre trying to screw over inexperienced developers? Why?
Freaking make this optional! Even as a âdefault headersâ which can be expanded below âHeadersâ would be handy!
Not once did I ever thank Postman for sending these headers, when Iâm a developer trying to send valid http requests while controlling every single aspect it was not fun at all to discover I canât control this with Postman itself, and it hides itself. Almost maliciously.
Iâm leaving postman installed for one reason, and one reason only. Iâm hoping this insanity will be fixed. Because I canât use Postman otherwise for development.
Meanwhile, insomnia sounds like itâs going to be handy⌠Not as friendly a user interface maybe, but definitely not trying to screw its own users over by intentionally corrupting the data.
Btw, whats with Postman starting to get bloated with clutter? It used to be a simple toolâŚ
1 Like
Oh, oh, it sends the unresolved â{{access_token}}â string to the API 
Would be amazing to let users disable/enable Temporary Headers.
I understand that it may be difficult to change the current behavior, but please prioritize this, for the love of all thatâs holy! I need to be able to test how my application reacts to invalid input - I donât need to be âcorrectedâ by the tool I am using to generate said input and to be told that this is not what I should want after all.
I am reminded of the venerable Clippy assistant: âIt looks like you are trying to generate invalid requests, let me tell you what you should be really doing instead!â
+2 days wasted
⌠before discovering Google App Engine was rejecting Postmanâs HTTP requests because of ⌠Postman, not my code.
Postman now is an extremely heavyweight curl tutorial for me, clicking Code to see the equivalent curl command that will actually work, where Postman does not. Thanks I guess?
Hey everyone.
Take a look at this change we just released in our Canary builds.
We welcome any feedback you have on it.