postmanlabs / postman-app-support

Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs—faster.
https://www.postman.com

Feature Request: Security enhancements #11330

Open rmclaughlin-nelnet opened 2 years ago

rmclaughlin-nelnet commented 2 years ago

Is there an existing request for this feature?

Is your feature request related to a problem?

Postman is a great product but there are several security issues that make it challenging to use and keep secure.

  1. All initial values are synced to Postman servers and all other users with no option to disable this ability. Knowing this, I have put placeholder text in all the initial value fields telling other users not to use this field. This is a dumb way to overcome a big security hole in Postman. We need a way to disable the syncing of Initial Values that is more reliable.
  2. The Persist All button will copy over all my placeholder text and instead sync all our current values to initial values. There is no way to disable this button. No matter how much work I go through to secure our secrets and prevent the use of initial value, a careless user can, in one click, ruin everything. Solving the first problem will solve this, but lacking that we need a way to disable this button.
  3. In general Postman does not do any secret detection before syncing. This is a much needed feature. You should be looking at param names, values, etc. to detect if something is a secret before you sync it and warn the user.

Describe the solution you'd like

Allow disabling the sync of initial values. This needs to be at the team or collection level so that each user does not have to do it on their own.

Describe alternatives you've considered

Putting placeholder text in the initial value

Additional context

No response
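The pre-sync secret check described in point 3, written here as an added example (not Postman's code and not the reporter's): it reads an environment export, skips empty values and the kind of "do not use" placeholder text mentioned above, and flags initial values whose key name or entropy suggests a real credential. The export shape (a `values` list of `key`/`value`/`type`/`enabled` objects) and the sample data are assumptions constructed for this example.

```python
import json
import math
import re
from collections import Counter

# Heuristics (constructed for this example): key names that usually hold credentials,
# and placeholder patterns like the "do not use this field" text described in the issue.
SECRET_KEY_RE = re.compile(r"(secret|token|passw(or)?d|api[-_]?key|private[-_]?key|credential)", re.I)
PLACEHOLDER_RE = re.compile(r"^(\s*|\{\{.*\}\}|<[^>]*>|DO NOT USE.*|CHANGE[-_ ]?ME.*|x{3,})$", re.I)


def shannon_entropy(value: str) -> float:
    """Bits per character; random API keys of 20+ chars usually score above 4.0."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def secret_indicators(key: str, value: str) -> list[str]:
    """Return the reasons an initial value looks like a real secret (empty list if none)."""
    if PLACEHOLDER_RE.match(value):
        return []  # empty values and placeholder text are safe to sync
    reasons = []
    if SECRET_KEY_RE.search(key):
        reasons.append(f"key '{key}' names a credential")
    if len(value) >= 20 and " " not in value and shannon_entropy(value) > 4.0:
        reasons.append(f"value is long and high-entropy ({shannon_entropy(value):.2f} bits/char)")
    return reasons


def scan_environment(export_json: str) -> dict[str, list[str]]:
    """Map each variable whose *initial* value looks like a secret to its reasons."""
    env = json.loads(export_json)
    findings = {}
    for var in env.get("values", []):
        reasons = secret_indicators(var.get("key", ""), var.get("value") or "")
        if reasons:
            findings[var["key"]] = reasons
    return findings


# Constructed sample export, in the assumed shape of a Postman environment export.
SAMPLE_EXPORT = json.dumps({"name": "payments-dev", "values": [
    {"key": "baseUrl", "value": "https://api.example.test", "type": "default", "enabled": True},
    {"key": "apiKey", "value": "DO NOT USE initial value; set Current Value", "type": "default", "enabled": True},
    {"key": "clientSecret", "value": "q8Zt3Kp9Lx2Wv7Rb5Nm1Hs6Jd4Fg0Ya", "type": "default", "enabled": True},
    {"key": "sessionId", "value": "Ab3dE9fG2hJ5kL8mN1pQ4rS7tU0vW", "type": "default", "enabled": True},
    {"key": "password", "value": "hunter2", "type": "secret", "enabled": True},
]})

if __name__ == "__main__":
    for key, reasons in scan_environment(SAMPLE_EXPORT).items():
        print(f"WARNING: initial value of '{key}' should not sync: {'; '.join(reasons)}")
```

Run against a real export before pushing to a shared workspace; `sessionId` shows why value-based checks matter, since its key name alone would pass.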

giridharvc7 commented 2 years ago

@rmclaughlin-nelnet Can you help us understand the following:

For #1: Current values are inherently not synced to Postman servers; you can use these and even leave Initial values empty. Also, when you say "all other users", are these users in your own org, or is this a public collection?

#2 and #3: Yes, secret management is an important problem; we'll take this up as feedback.

rmclaughlin-nelnet commented 2 years ago

#1: This is a private collection, only users in our org. We are aware of the current values and how to use them, but because current values and initial values are right next to each other, it is easy to accidentally put your value in the wrong one.

Our org has government regulations (PCI, FFIEC, etc.) that we have to follow, and Postman is currently not authorized to store our secrets. If an accident happens we have to go through a change process, so it is very important that secrets do not make their way onto Postman servers. With the current feature set this is hard to enforce because Postman makes it so easy to make a mistake (accidentally put something in initial value, click the Persist All button, or even hard-code a secret in a request).

We are doing training to mitigate this, but some help (features to prevent this) from the Postman team would be much appreciated.

DannyDainton commented 5 months ago

Hey @rmclaughlin-nelnet,

With V11 of Postman, we have introduced the Postman Vault (https://learning.postman.com/docs/sending-requests/postman-vault/postman-vault-secrets/), which allows you to store your sensitive data in an encrypted local vault that is not synced with the Postman Cloud. Also, we have added multiple security features to help prevent accidental exposure of your API credentials.