postmanlabs / postman-app-support

Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs—faster.
https://www.postman.com

Prevent syncing of confidential information #9835

Open samvpillay-landmark opened 3 years ago

samvpillay-landmark commented 3 years ago

Is your feature request related to a problem? Please describe.

Hopefully I have the below details correct, as this is my first time requesting a feature:

I have found the features available in the Postman desktop app for Windows have been usefully enhanced from creating an account and signing in. However, some of the data I am using contains confidential security information that would be against corporate policies to store in a location that has not been approved for use. Unfortunately, this seems to be an 'all or nothing' situation: https://support.postman.com/hc/en-us/articles/203492852-How-do-I-disable-Sync-

Describe the solution you'd like

Allow disabling the sync of some items: e.g. certain workspaces, files, all environment files full stop, or some useful option which is less drastic than deleting accounts.

Describe alternatives you've considered

Deleting my Postman account: losing access to all features requiring an account and deleting local data started in the new workspaces, etc.

Additional context

DannyDainton commented 3 years ago

Hey @samvpillay

This is where the use of variables comes into play: by extracting all the sensitive request information out to the Collection and adding it only to the Current Value, we ensure that it will not be synced and is only held in your local instance.

samvpillay-landmark commented 3 years ago

> Hey @samvpillay
>
> This is where the use of variables comes into play: by extracting all the sensitive request information out to the Collection and adding it only to the Current Value, we ensure that it will not be synced and is only held in your local instance.

Hey @DannyDainton, thanks for the feedback. Just to check, does this relate to environment files, for Initial Value vs Current Value? https://learning.postman.com/docs/sending-requests/variables/#defining-global-and-environment-variables

We have all of our sensitive and environment-specific details outside collections, inside environment files. This means our sensitive information is stored in the environment file Initial Values, which I presume are synced to the cloud? The environment files are currently only stored in repos with restricted access, in our build/release pipelines, or on developer machines for running locally.

To put this into context, our team has 60 environment files across all our APIs and environments. Some environment files contain multiple test user credentials to simulate multi-user flows, details for other forms of authentication, role-based access checks, etc. Thanks, Sam

acdha commented 2 years ago

> This is where the use of variables comes into play: by extracting all the sensitive request information out to the Collection and adding it only to the Current Value, we ensure that it will not be synced and is only held in your local instance.

This seems to be an area where the documentation and UI could be substantially improved. What I'd like is to have one value pulled from my Mac's keychain at runtime, or at least loaded from my project's .envrc file or something similar, and never saved to the cloud service. Based on the documentation and UI, I can get close to this using a variable file with Newman, but there's no way to do this in the Postman app short of using a local variable, which has to be entered manually on every run, or by logging out from the application, which will helpfully delete all of my data.
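The pattern Sam and acdha are circling (keep the synced collection free of secrets, inject the real values only on the machine that runs the requests) can be scripted for the Newman route mentioned above. The following is an added example, not Postman's or Newman's own code: it reads a local, git-ignored .env-style file, builds an environment document for Newman's `-e` option, marks credential-looking keys as `secret`, and writes the file only to a temporary path that is removed after the run. The environment JSON layout (`name` plus a `values` array of `key`/`value`/`enabled`/`type` entries) and the use of `secret` as a type are assumptions about the file format; the .env content and key names are constructed for the demo.

```python
"""
Added example (not Postman's or Newman's own code): generate the Newman
environment file at run time from a local .env-style file so that concrete
secret values never enter a synced Postman workspace. The synced collection
only references {{BASE_URL}}, {{API_KEY}} and so on.

Assumptions: the environment JSON layout below is what Newman's -e option
reads, and "secret" is the variable type the Postman UI uses to mask values.
"""
import json
import os
import re
import subprocess
import tempfile

# Constructed sample of a local .env file. In practice read it from disk and
# keep it out of version control and out of any synced workspace.
SAMPLE_DOTENV = """
# local-only settings for the API tests
BASE_URL=https://api.example.test
API_KEY=sk_live_constructed_example_value
TEST_USER_PASSWORD="hunter2 constructed"
PUBLIC_REGION=eu-west
"""

# Key-name suffixes treated as credentials (heuristic, constructed for the demo).
SECRET_PATTERN = re.compile(r"(KEY|PASSWORD|SECRET|TOKEN)$", re.IGNORECASE)

_LINE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_dotenv(text: str) -> dict:
    """Parse KEY=VALUE lines; blank lines and # comments are skipped,
    surrounding single or double quotes are stripped from the value."""
    values = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = _LINE.match(line)
        if not match:
            raise ValueError(f"unparseable .env line: {line!r}")
        key, val = match.group(1), match.group(2)
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        values[key] = val
    return values


def is_secret(key: str) -> bool:
    """True when the key name looks like a credential."""
    return SECRET_PATTERN.search(key) is not None


def build_environment(name: str, values: dict) -> dict:
    """Build the Newman environment document (assumed layout, see docstring)."""
    return {
        "name": name,
        "_postman_variable_scope": "environment",
        "values": [
            {"key": k, "value": v, "enabled": True,
             "type": "secret" if is_secret(k) else "default"}
            for k, v in sorted(values.items())
        ],
    }


def redacted_listing(env: dict) -> list:
    """(key, shown value) pairs that are safe to print in CI logs: secrets masked."""
    return [(item["key"], "***" if item["type"] == "secret" else item["value"])
            for item in env["values"]]


def run_newman(collection_path: str, env: dict, newman: str = "newman") -> int:
    """Write the environment to a 0600 temp file, run Newman with it, delete it.
    Returns Newman's exit code; assumes a newman binary on PATH."""
    fd, path = tempfile.mkstemp(prefix="pm-env-", suffix=".json")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(env, fh)
        return subprocess.run([newman, "run", collection_path, "-e", path]).returncode
    finally:
        os.remove(path)


if __name__ == "__main__":
    env = build_environment("local-only", parse_dotenv(SAMPLE_DOTENV))
    for key, shown in redacted_listing(env):
        print(f"{key} = {shown}")
    # run_newman("collection.json", env)  # enable with a real exported collection
```

The point of the temporary file is that the only artifact holding real credentials lives for the duration of one Newman run and is owner-readable only; the collection and any environment you keep in the Postman app can then carry empty or placeholder values without breaking the tests.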

flycal6 commented 2 years ago

As long as there's no toggle to completely disable sync, this program will not be allowed to be installed. Will this ever be added?

mgadek007 commented 11 months ago

> As long as there's no toggle to completely disable sync, this program will not be allowed to be installed. Will this ever be added?

Any news about this?

Thomaxius commented 10 months ago

Hoping to also hear some news regarding this. It is currently impossible to use Postman in a professional environment due to forced sync & enforced login.

paulazavamed commented 9 months ago

Thanks for raising this. I hope other people also raise their concerns on this. We would also hope this might be implemented and changed so we don't have confidential information "out there", otherwise we probably will need to migrate towards another solution.

anna-bohatko commented 9 months ago

Thanks for bringing this up. Hope there will be some solution found, since we share similar concerns and will probably have to migrate to another tool.

blackeyedtwin commented 9 months ago

100%, may have to use another tool professionally because of the security risks associated with Postman.

timbo05sec commented 7 months ago

Another vote for the ability to prevent syncing to the cloud. Everyone, including Danny with Postman, seems to be focused solely on data disclosure through the environment variables and such. This is an issue, but Postman feels that their workarounds are sufficient to prevent data disclosure. I disagree, but based on all of Danny's posts around the Internet, Postman's view is that they have this covered. However, the bigger issue, that I see few mentioning, is that some (many) organizations cannot have their internal APIs published to the cloud. THIS issue prevents many from being able to use Postman going forward. I can no longer use the tool for my pentesting work with many of my clients due to the NDAs and the organizations' security policies. I work with many organizations that have disallowed/prevented use of this valuable tool. We need a way to disable the sync, or I fear Postman use will dwindle significantly.

DannyDainton commented 2 months ago

With V11 of Postman, we have introduced the Postman Vault (https://learning.postman.com/docs/sending-requests/postman-vault/postman-vault-secrets/), which allows you to store your sensitive data in an encrypted local vault that is not synced with the Postman Cloud. Also, we have added multiple security features to help prevent accidental exposure of your API credentials.

dgard1981 commented 1 month ago

The funny thing with the vault is that it obfuscates your sensitive data in some places (e.g. code snippet) but not others (e.g. in the console when a vault secret is all or part of the URL). The use of the vault also means that you'd have to manage your collections using a combination of the vault and environments, which is horribly inefficient when creating collections and very difficult to maintain.

The main issue with the vault though is that there is only one. Unlike environments, which can be application and environment specific, the vault is a dumping ground for everything. Consequently, the vault will become hard to manage and impossible to maintain.

I for one don't understand why Postman don't just add a feature that is clearly important to the user base - allow users to turn off the sync feature.