Our company (which has close to 5000 employees) banned all employees from using Postman with immediate effect after all data storage was forcibly moved to the cloud, as this violates our corporate security policy.
Too bad - as Postman was a very good solution. We’re now seeking other solutions for our automated testing purposes. Good bye Postman.
The lightweight client is clearly designed to be useless if you have a decently sized collection.
Relying on the “current value” field is clearly not an option in a company that can’t risk leaking secrets to someone else’s server.
Too bad we have to find a new client… So long and thanks for all the fish!
Hey Mike, thanks for the comment.
I totally agree that there is a shared responsibility to prevent sensitive data on users’ local machines from being uploaded to a server. I don’t believe Postman has taken enough responsibility to ensure this.
If users have used your product in a certain way historically, for example by following “bad practices”, and they’ve run into no issues, they’re not going to change their behaviour. Now if you come in as the service provider, and change the consequences of those bad practices from “you should probably store sensitive stuff here” to “everything you did not store here has now been sent to our servers”, it is your responsibility as the service provider to create the safeguards necessary to facilitate this change.
I can appreciate Postman wanting to improve development velocity. I have no issues with the changes they’ve made from that perspective. But product changes are not made with just development in mind. It would be a little too charitable to not acknowledge the business benefits of locking much of your functionality behind an online mode.
I am with Mike above. I spent a great deal of time working on collections and tests throughout the years, and I am restricted from using Postman sign-in by security, so this once useful tool is non-functional and I must find an alternative if this application cannot be rolled back.
Is there a way to install an older version and keep it from upgrading and just stay on the old tool?
Same - our company has now banned the use of Postman for all developers today based on this update. Very unfortunate decision on Postman’s side as I’ve been a Postman user for many years.
5000 employees using the Postman free tier and you expect there to be no issues or changes down the line? That’s funny!
Our company reviewed the situation and agreed the risks were negligible for how we utilise the tool… But if they chose to stop us using it, you wouldn’t find me crying about it on here, I would be speaking to, and working with the decision-makers at work to sway their opinion on usage etc.
If the tool is that useful to you, and used by that many employees within your respective companies, why not consider paying for the tool? Or at least discuss your options with Postman? Believe it or not, they’re very approachable. … Plus you’d get all the added benefits if you actually paid for it, including security features!
I was always taught, “Nothing good in life is free”… So best of luck to you all in finding an alternative that stays free to use forever!
For companies that are conscious of their security practices, especially those who require SOC2 certification, they will definitely not allow their employees to use Postman, as it relies on the employee’s self-restraint to not accidentally upload sensitive credentials to Postman servers. Especially when this is as easy as doing Cmd+S (in contrast, uploading secrets to Git requires an explicit commit & push), the chances that a sensitive credential will be leaked are high.
On top of that, most employees will have used Postman for the past X years and have been assuming that everything in Postman is local. I was always taught, “It is hard to change people overnight”.
I just want to add to this by requesting a paid-for, offline-only version. I would be more than glad to pay for it, but as far as I can tell this option does not exist.
Sharing the link to our Security and Trust portal again where you can download our SOC2 report and all the other Regulatory Compliance and Standards that we hold.
More direct security concerns can be sent to either [email protected] or [email protected].
I don’t tend to use the term “best practice” as that suggests there are no better ones. I firmly believe in good practices in a given context though.
That is one suggestion that you could follow: to edit your JSON files and remove the sensitive data before importing them again. There will also be others.
We also have this site available, if you did want to research the Collections Schema format.
The whole topic is around security practices and storage of data. The links I provide related to the topic.
If you have specific concerns that you’d like to raise, which have not been addressed in the links posted or the answers provided on the thread - Please reach out to us on [email protected].
If the words that I used came across as insulting, that was never my intention. Insults and name calling get people absolutely nowhere, so that’s not something I would do. I personally apologize if the words I used made you feel that way.
To respond to questions you posted:
Can you elaborate on what you mean by “There is also nothing forcing users to sign up to a free account”. Of course this is technically true. But isn’t it also true that you can no longer use collections without creating an account?
There isn’t a lot to elaborate on in that sentence. No user is being forced to create a new Postman account (You actually already have one by choosing to post on this forum). Your data is still accessible by you without one. You would require one in order to Import or Migrate your data, to continue to use the platform though. We would LOVE for you to continue to use Postman and all the features we provide, the choice or decision to do so needs to be the right one for you though.
If I have hundreds of collections that I’ve been using and one day they all disappear, isn’t there a very large pressure on me to sign up for an account?
No data disappeared anywhere, it’s always been there for you to access and take the necessary action that you feel is the right thing to do, for you and your context.
Or are you saying there is some way for users of the lightweight API client to still use collections?
There has never been any mention of this being the case on this topic, the thread or any of the posts that we have published.
Hey Luca ,
You can submit feature requests here, on our public issue tracker.
Any other issues that you’re facing relating to this topic can be raised by reaching out to us on [email protected].
Hi Danny,
I’m sure you are seeing an influx of publicly facing workspaces over the past week or two. While it is true developers should be understanding the changes happening with the applications they leverage, I think you’ll also agree this rollout strategy does not clearly communicate in-app the consequences of taking the steps to get Collections up and running again.
This seems like a wonderful new attack vector for bad actors to exploit. It took me a few minutes to find a username and password being stored in a POST request. Do you think they are aware their workspace is public?
The unfortunate thing here is the users most likely to set up their collections wrong are the ones most likely to be incorrectly storing secrets and other confidential information.
Are you talking about someone else’s data, being displayed in a Public Workspace, that you found?
If you are, that wouldn’t be the same thing as someone moving their data from the Scratchpad to a Workspace. If they have only used Postman in an offline state, they wouldn’t have any Public Workspaces to choose from in the list, when migrating the data.
I just want to clear that up before going any further. Can you expand on that please.
Sorry if the message I replied to is confusing the context of my message.
Yes, I am keeping the subject focused on the topic of the original post, the fact that Postman has taken away the ability to store and manage collections locally, forcing them to upload to the cloud as part of that process. I am pointing out the risk this change introduces.
While confirmation has already been given in this discussion that this is the only option users are provided with to continue using collections, I’m just highlighting the security vulnerability this decision is actively causing.
Most users are not going to read a blog post. People are going to discover their collections are gone, realize they can’t get their work done, and they are going to create an account without paying attention to the consequences of doing so. They will then immediately migrate their scratch pad to a collection, syncing their data to the cloud, whether or not it’s in a proper state to do so.
They are then one mouse click away from sharing it publicly, and the ones that are most likely to make that mistake are ones that are likely following poor procedures for storing their credentials.
As an example, I am just pointing out it took mere minutes of browsing public workspaces to find sensitive data clearly not meant to be public, and these users would never be introducing data breaches to their organizations if they didn’t have this update forced on them. If security blogs aren’t talking about this currently, I imagine these will be shortly.
Is this really Postman’s problem? Technically no, but it feels like this is a fairly reckless change that hackers will enjoy for the next few weeks as things convert over.
From a new user signing up to a free account for the first time - You will only have a single Personal Workspace. If at this point you Migrate or Import your data, it can only go into that Personal Workspace.
From here, if you decided to change the visibility of that Workspace, to a Public Workspace using the Workspace Settings menu, you will first see a message telling you that all the data will be Public and also as it’s the first time making it Public you will need to make your profile public too.
If you were creating a new Workspace and decided that needs to be Public, you will see a similar message in the creation flow.
We also have warning messages if users are trying to move elements into a Public Workspace.
With all of these different warnings and messages in place throughout different parts of the platform, people still have the choice to click the button anyway.
There are not many places that are 1 click in the platform and, in terms of making things Public, you’d need to also choose to ignore the messages stating that the data will be Public.
At different licence tiers, we have Governance and Role Based Access features over who can make elements Public, these actions go through a review process and only users with a certain role can approve those changes.
We also have a configurable Secret Scanner that will highlight and block users from publicly leaking sensitive data from the Collections, as well as a number of other security and governance features.
Would you agree with me that it is bad practice to store sensitive credentials on Postman’s servers?
If so, would you also agree with me that it takes 1 “Save” to expose the sensitive credentials? I think this is what @flight-saganist-6965 is alluding to.
I agree with your concern. To clarify further I may have sensitive data provided to me that I am not allowed to share or store ANYWHERE else besides on our network. Now Postman is forcing me to store sensitive data on Postman’s servers which was not the case previously. Is my understanding correct?
Hey @rjg4242
No user is being forced to create a new Postman account (You actually already have one by choosing to post on this forum) or store your data in Postman. The choice or decision to do so needs to be the right one for you.
If you feel this isn’t right for you in your context - Your data can be Exported using the ⚙️ > Settings > Data > Export data option.
Any other issues that you’re facing relating to this topic can be raised by reaching out to us on [email protected].
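The export-then-scrub step described in the reply above, and the earlier suggestion to edit the exported JSON files to remove sensitive data before importing them again, as an added example. This is not part of the original thread and not Postman’s own code; it assumes the v2.1 collection export and the environment export layout (headers, query parameters, auth parameters, collection variables and environment variables stored as `{"key": ..., "value": ...}` objects, environment variables optionally carrying `"type": "secret"`). The field-name and value patterns are a heuristic starting point, and the sample collection, environment and every credential in them are constructed for the example.

```python
"""Scrub credentials from an exported Postman collection or environment JSON
before it is imported into a synced workspace (added example, not Postman code).
Assumed layout: Postman v2.1 collection export and environment export."""
import copy
import json
import re
import sys

# Field names that usually carry credentials (matched case-insensitively).
SENSITIVE_KEYS = re.compile(
    r"authorization|x-api-key|api[_-]?key|token|secret|password|passwd", re.IGNORECASE)
# Value shapes that look like credentials even under an innocuous field name:
# HTTP auth schemes, a GitHub PAT prefix, an AWS access key id, long hex blobs.
SENSITIVE_VALUES = re.compile(
    r"^(Bearer|Basic)\s+\S+$|^ghp_[A-Za-z0-9]{20,}$|^AKIA[0-9A-Z]{16}$|^[A-Fa-f0-9]{32,}$")
QUERY_PARAM = re.compile(r"([?&])([^=&#]+)=([^&#]*)")


def _placeholder(key):
    """Turn a header/param name into a {{VARIABLE}} reference Postman resolves."""
    name = re.sub(r"[^A-Za-z0-9]+", "_", key).strip("_").upper() or "SECRET"
    return "{{" + name + "}}"


def _is_sensitive(key, value):
    if not isinstance(value, str) or not value or "{{" in value:
        return False  # empty, or already parameterised with a Postman variable
    return bool(SENSITIVE_KEYS.search(key) or SENSITIVE_VALUES.match(value))


def _scrub_raw_url(url, path, findings):
    """Rewrite credential-looking query parameters inside a raw URL string."""
    def repl(m):
        sep, key, value = m.groups()
        if _is_sensitive(key, value):
            findings.append((path, key, value))
            return f"{sep}{key}={_placeholder(key)}"
        return m.group(0)
    return QUERY_PARAM.sub(repl, url)


def _walk(node, path, findings, in_vars=False):
    if isinstance(node, dict):
        key, value = node.get("key"), node.get("value")
        if isinstance(key, str) and isinstance(value, str) and value and (
                node.get("type") == "secret" or _is_sensitive(key, value)):
            findings.append((path, key, value))
            # Variable definitions get a blank initial value (the user fills the
            # local-only "Current value" after import); request fields get a
            # {{placeholder}} that resolves against such a variable.
            node["value"] = "" if in_vars else _placeholder(key)
        if isinstance(node.get("raw"), str):
            node["raw"] = _scrub_raw_url(node["raw"], path + "/raw", findings)
        for k, v in node.items():
            _walk(v, f"{path}/{k}", findings, in_vars or k in ("variable", "values"))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            _walk(v, f"{path}[{i}]", findings, in_vars)


def scrub(doc):
    """Return (scrubbed deep copy, findings); a finding is (json path, key, value)."""
    scrubbed = copy.deepcopy(doc)
    findings = []
    _walk(scrubbed, "", findings)
    return scrubbed, findings


def _mask(value):
    return value[:4] + "..." if len(value) > 4 else "***"


# Constructed sample exports; none of these credentials are real.
SAMPLE_COLLECTION = {
    "info": {"name": "Orders API (constructed sample)",
             "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"},
    "variable": [{"key": "baseUrl", "value": "https://api.example.test"},
                 {"key": "apiKey", "value": "0123456789abcdef0123456789abcdef"}],
    "item": [{"name": "List orders", "request": {
        "method": "GET",
        "header": [{"key": "Authorization", "value": "Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc"},
                   {"key": "Accept", "value": "application/json"}],
        "url": {"raw": "{{baseUrl}}/orders?api_key=0123456789abcdef0123456789abcdef",
                "query": [{"key": "api_key", "value": "0123456789abcdef0123456789abcdef"}]},
        "auth": {"type": "basic", "basic": [{"key": "username", "value": "svc-orders"},
                                             {"key": "password", "value": "hunter2"}]}}}],
}
SAMPLE_ENVIRONMENT = {
    "name": "staging (constructed sample)",
    "values": [{"key": "baseUrl", "value": "https://api.example.test", "type": "default"},
               {"key": "sessionCookie", "value": "s%3Aabc123", "type": "secret"}],
}

if __name__ == "__main__":
    # usage: scrub_postman.py exported.json scrubbed.json  (no args: run the sample)
    doc = json.load(open(sys.argv[1])) if len(sys.argv) == 3 else SAMPLE_COLLECTION
    out, found = scrub(doc)
    for path, key, value in found:
        print(f"redacted {key} at {path}: {_mask(value)}")
    if len(sys.argv) == 3:
        with open(sys.argv[2], "w") as f:
            json.dump(out, f, indent=2)
```

Run it against the file produced by Export data, review the redaction report, and import the scrubbed copy; the real values then go only into each variable’s Current value column. The patterns are deliberately broad, and an `apikey`-type auth block (which uses the generic names `key` and `value` for its entries) is not caught by the key heuristic, so extend the patterns for whatever your own collections actually contain.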
Yep we have just mandated to stop using Postman in our company. As another post said earlier we would be happy to pay for an on-premise solution but we are not going to have these details stored to the cloud. This has not been thought through. What are you trying to achieve? Syncing data from the cloud I see as having zero benefit to me. So it must be a benefit to postman. Seems like a ham-fisted approach to generate $$$