KEMBAR78
Using Cookies to Store Your Postman Secrets | PDF
Postman, profile picture
Uploaded byPostman
PDF, PPTX1,127 views

Using Cookies to Store Your Postman Secrets

The document discusses using cookies to securely store secrets and API keys in Postman. It describes storing encrypted values in cookies rather than environments to avoid exposing secrets. The code examples show how to get, set, and encrypt/decrypt values in cookies to use in Postman sessions and tests. Developers are advised to implement role-based access control, avoid sharing secrets publicly, and carefully manage what data is synced or exposed.

Download as PDF, PPTX
Using Cookies to Store Your Postman Secrets Lightning Talk on February 4, 2021 Miguel A. Calles
We are testing the production environment. We want to test an API in a team collection. We enter our actual username and password. We complete the test and move on.
We make a collection public. We decide to make a "quick" change. We "temporarily" add an API key. We get a phone call from our boss.
Strong encryption at-rest and in-transit Postman Sessions Role-based access control (RBAC) Strong security program
Protect your account, installation, and computer Implement user roles with RBAC Use Postman Sessions Be careful what you share
Environments (obviously) have no encryption in-use Avoid syncing with Sessions Use cookies as a local data store
Done with the UI and scripts. Must carefully avoid setting Initial Value
Done with the UI and scripts Must whitelist domain
Principal Solutions and Security Engineer Published Author https://MiguelACallesMBA.com https://ServerlessSecurityBook.com https://www.linkedin.com/in/miguel-a-calles-mb a/
const cookieJar = pm.cookies.jar(); const cookieName = "xApiKey" const domain = "postman.galaxy.demo" cookieJar.get(domain, cookieName, (error, cookie) => { if (error) { console.error(error); pm.variables.set(cookieName, "error"); } if (cookie) { pm.variables.set(cookieName, cookie); } else { console.error("Cookie is missing") pm.variables.set(cookieName, "missing"); } });
pm.variables.unset("xApiKey");
// https://postman-quick-reference-guide.readthedocs. io/en/latest/libraries.html const cookieJar = pm.cookies.jar(); const sessionVarName = "xApiKey"; const cookieName = "secretKey"; const domain = "postman.galaxy.demo";
cookieJar.get(domain, cookieName, (error, secretKey) => { if (error) { console.error(error); pm.variables.set(sessionVarName, "error"); } if (secretKey) { // encryption const encryptedText = CryptoJS.AES.encrypt('<data-to-encrypt>', secretKey).toString(); console.log('encryptedText', encryptedText);
// decryption console.log('secretKey', secretKey); const xApiKeyEnc = pm.environment.get('x-api-key-enc'); console.log('xApiKeyEnc', xApiKeyEnc); const xApiKey = CryptoJS.AES.decrypt(xApiKeyEnc, secretKey).toString(CryptoJS.enc.Utf8); console.log('xApiKey', xApiKey); pm.variables.set(sessionVarName, xApiKey); } else { console.error("Cookie is missing") pm.variables.set(sessionVarName, "missing"); } });
Photo by krakenimages on Unsplash Photo by Sarah Kilian on Unsplash Photo by John Salvino on Unsplash Photo by Erika Fletcher on Unsplash Photo by Alexander Sinn on Unsplash Photo by Christina Branco on Unsplash Photo by Scott Sanker on Unsplash Photo by Markus Spiske on Unsplash

More Related Content

PDF
Turn On The Lights
byPostman
 
PDF
Building Faster With Your Team's UI Kit
byAtlassian
 
PDF
Consumer-Driven Contract Testing With Postman
byPostman
 
PDF
Webinar: “Introduction to the Postman API Network”
byPostman
 
PDF
Common Security API Issues and How to Mitigate Them Using Postman
byPostman
 
PDF
How to Build a Micro-Application using Single-Spa
byRapidValue
 
PDF
Building Cloud-agnostic Serverless APIs
byPostman
 
PDF
Everything you always wanted to know about API Management (but were afraid to...
byMassimo Bonanni
 
Turn On The Lights
byPostman
 
Building Faster With Your Team's UI Kit
byAtlassian
 
Consumer-Driven Contract Testing With Postman
byPostman
 
Webinar: “Introduction to the Postman API Network”
byPostman
 
Common Security API Issues and How to Mitigate Them Using Postman
byPostman
 
How to Build a Micro-Application using Single-Spa
byRapidValue
 
Building Cloud-agnostic Serverless APIs
byPostman
 
Everything you always wanted to know about API Management (but were afraid to...
byMassimo Bonanni
 

What's hot

PPTX
A Starters Guide to Building APIs with Javascript
byAll Things Open
 
PPTX
Firebase
byShady Selim
 
PDF
Drive API Adoption: Reach Over 13 Million Developers
byPostman
 
PDF
Testing Your APIs: Postman, Newman, and Beyond
byPostman
 
PPTX
Everybody loves Swagger
byBizTalk360
 
PPTX
Postman Enterprise Webinar
byKin Lane
 
PDF
Postman Webinar: How Ping Identity Uses Postman across the API Lifecycle
byPostman
 
PDF
Progressive Web Apps by Millicent Convento
byDEVCON
 
PDF
The Journey from Monolith to Microservices: a Guided Adventure
byVMware Tanzu
 
PPTX
Firebase
byTriState Technology
 
PDF
Enterprise E-commerce Webinar Series, Episode 2: Deploying and Monitoring You...
byKin Lane
 
PDF
The Most Common Errors That Aren’t Caught
byNordic APIs
 
PDF
Driving Pipeline Automation With Newman and the Postman API
byPostman
 
PDF
API Security with Postman and Qualys
byPostman
 
PDF
Meteor js - TechPeaks Developers Meeting
byFrancesco Corazza
 
PDF
TDD for APIs in a Microservice World (Short Version) by Michael Kuehne-Schlin...
byMichael Kuehne-Schlinkert
 
PDF
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
byMatt Raible
 
PDF
Postman Webinar: "From APIs to Serverless Cloud Applications in Minutes"
byPostman
 
PPTX
Firebase Overview
byaashutosh kumar
 
PDF
Postman Galaxy Tour: San Francisco - Workshop Presentation
byPostman
 
A Starters Guide to Building APIs with Javascript
byAll Things Open
 
Firebase
byShady Selim
 
Drive API Adoption: Reach Over 13 Million Developers
byPostman
 
Testing Your APIs: Postman, Newman, and Beyond
byPostman
 
Everybody loves Swagger
byBizTalk360
 
Postman Enterprise Webinar
byKin Lane
 
Postman Webinar: How Ping Identity Uses Postman across the API Lifecycle
byPostman
 
Progressive Web Apps by Millicent Convento
byDEVCON
 
The Journey from Monolith to Microservices: a Guided Adventure
byVMware Tanzu
 
Firebase
byTriState Technology
 
Enterprise E-commerce Webinar Series, Episode 2: Deploying and Monitoring You...
byKin Lane
 
The Most Common Errors That Aren’t Caught
byNordic APIs
 
Driving Pipeline Automation With Newman and the Postman API
byPostman
 
API Security with Postman and Qualys
byPostman
 
Meteor js - TechPeaks Developers Meeting
byFrancesco Corazza
 
TDD for APIs in a Microservice World (Short Version) by Michael Kuehne-Schlin...
byMichael Kuehne-Schlinkert
 
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
byMatt Raible
 
Postman Webinar: "From APIs to Serverless Cloud Applications in Minutes"
byPostman
 
Firebase Overview
byaashutosh kumar
 
Postman Galaxy Tour: San Francisco - Workshop Presentation
byPostman
 

Similar to Using Cookies to Store Your Postman Secrets

PPT
Cookies and sessions
byLena Petsenchuk
 
PPTX
WORKING WITH IN COOKIES JAVA SEMINAR.pptx
bynandhini342004
 
PPTX
Working with in cookies java seminar.pptx
bynandhini342004
 
PPTX
Backend Technologies Notes ajef;asnfkndfdsa
byitsmepulkitsharma
 
PDF
Defcon 22-david-wyde-client-side-http-cookie-security
byPriyanka Aash
 
PPTX
cookie attributes and tokens,jwt tokens1.ppt
byShivakumarBejjenki1
 
PDF
OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...
byDavid Johansson
 
PDF
Getting Single Page Application Security Right
byPhilippe De Ryck
 
PDF
A Comprehensive Guide to Cookie Management Using HeadSpin's Cutting-Edge Remo...
bykalichargn70th171
 
PPTX
Cookies and sessions
bySukrit Gupta
 
Cookies and sessions
byLena Petsenchuk
 
WORKING WITH IN COOKIES JAVA SEMINAR.pptx
bynandhini342004
 
Working with in cookies java seminar.pptx
bynandhini342004
 
Backend Technologies Notes ajef;asnfkndfdsa
byitsmepulkitsharma
 
Defcon 22-david-wyde-client-side-http-cookie-security
byPriyanka Aash
 
cookie attributes and tokens,jwt tokens1.ppt
byShivakumarBejjenki1
 
OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...
byDavid Johansson
 
Getting Single Page Application Security Right
byPhilippe De Ryck
 
A Comprehensive Guide to Cookie Management Using HeadSpin's Cutting-Edge Remo...
bykalichargn70th171
 
Cookies and sessions
bySukrit Gupta
 

More from Postman

PDF
Advanced AI and Documentation Techniques
byPostman
 
PDF
WeTestAthens: Postman's AI & Automation Techniques
byPostman
 
PDF
Elevating Developer Experiences with AI-Powered API Testing & Documentation
byPostman
 
PDF
Discovering Public APIs and Public API Network with Postman
byPostman
 
PDF
Optimizing Teamwork: Harnessing Collections & Workspaces for Collaboration
byPostman
 
PDF
API testing Beyond the Basics AI & Automation Techniques
byPostman
 
PDF
Not Your Grandma’s Rate Limiting (slides)
byPostman
 
PDF
Five Ways to Automate API Testing with Postman
byPostman
 
PDF
How to Scale APIs-as-Product for Future Success
byPostman
 
PPTX
Revolutionizing API Development: Collaborative Workflows with Postman
byPostman
 
PDF
Everything You Always Wanted to Know About AsyncAPI
byPostman
 
PDF
Elevating Event-Driven World: A Deep Dive into AsyncAPI v3
byPostman
 
PDF
Five Things You SHOULD Know About Postman
byPostman
 
PDF
Integration-, Snapshot- and Performance-Testing APIs
byPostman
 
PDF
How ChatGPT led OpenAPI's Recent Spike in Popularity
byPostman
 
PDF
Exploring Postman’s VS Code Extension
byPostman
 
PDF
2023 State of the API Report: Key Findings and Trends
byPostman
 
PDF
Nordic- APIOps is here What will you build in an API First World
byPostman
 
PDF
Testing and Developing gRPC APIs
byPostman
 
PDF
Testing and Developing GraphQL APIs
byPostman
 
Advanced AI and Documentation Techniques
byPostman
 
WeTestAthens: Postman's AI & Automation Techniques
byPostman
 
Elevating Developer Experiences with AI-Powered API Testing & Documentation
byPostman
 
Discovering Public APIs and Public API Network with Postman
byPostman
 
Optimizing Teamwork: Harnessing Collections & Workspaces for Collaboration
byPostman
 
API testing Beyond the Basics AI & Automation Techniques
byPostman
 
Not Your Grandma’s Rate Limiting (slides)
byPostman
 
Five Ways to Automate API Testing with Postman
byPostman
 
How to Scale APIs-as-Product for Future Success
byPostman
 
Revolutionizing API Development: Collaborative Workflows with Postman
byPostman
 
Everything You Always Wanted to Know About AsyncAPI
byPostman
 
Elevating Event-Driven World: A Deep Dive into AsyncAPI v3
byPostman
 
Five Things You SHOULD Know About Postman
byPostman
 
Integration-, Snapshot- and Performance-Testing APIs
byPostman
 
How ChatGPT led OpenAPI's Recent Spike in Popularity
byPostman
 
Exploring Postman’s VS Code Extension
byPostman
 
2023 State of the API Report: Key Findings and Trends
byPostman
 
Nordic- APIOps is here What will you build in an API First World
byPostman
 
Testing and Developing gRPC APIs
byPostman
 
Testing and Developing GraphQL APIs
byPostman
 

Recently uploaded

PPTX
Integrated Billing, Accounting & Inventory Solution for MSMEs
byMoving Cloud
 
PPTX
Java Modern Puzzlers, a guide to new programming features
bySimon Ritter
 
PDF
Austin Marketo User Group: Ground Control 2 MOPS: AI-Ignite your Map
bybbedford2
 
PDF
Shift Left for Inclusion: Scalable Accessibility Testing with Cypress - Cypre...
byLudovico Besana
 
PDF
Making sense of AWS Serverless operations- AWS Community Day CEE 2025
byVadym Kazulkin
 
PDF
898975372-Leaving-Legacy-Software-Behind-a-Modern-Migration-Roadmap.pdf
byKsoft Technologies
 
PDF
Scraping Amazon Prime Watchlist Data for Viewing Patterns.pdf
byyashpatric
 
PDF
The 50+ First-Timer: It’s never too late for Open Source!
byImma Valls Bernaus
 
PDF
VADY GenAI – Enterprise AI Solutions with Complete Data Control and Smart Dec...
byNewFangledVision
 
PDF
Best Tableau Alternatives for Data Analytics and Reporting.pdf
byVarsha Nayak
 
PDF
The 50+ First-Timer: My OpenTelemetry Contribution and How Your CNCF Journey...
byImma Valls Bernaus
 
PDF
VADY Business Intelligence – Conversational AI Analytics for Every Team Witho...
byNewFangledVision
 
PPTX
Which Tableau Alternative Offers Better Customization and Embeddability.pptx
byVarsha Nayak
 
PDF
Metrics, logs, traces, and mayhem_ introducing an observability adventure gam...
byImma Valls Bernaus
 
DOCX
Comprehensive Guide to SharePoint Consulting Services – Benefits, Process, an...
bySharepoint Designs
 
PDF
How can AI be used in Content Management Systems, Plone Conference 2025
byRob Gietema
 
PPTX
Financial Literacy for Software Developers
byBalanathanVirupasan
 
PPTX
Declarative Process Mining with MINERful, Reloaded
byCecilia Iacometta
 
PDF
Practical Performance Tuning for Serverless Java on AWS- InfoQ Dev Summit
byVadym Kazulkin
 
PDF
ASTC Conference 2025 - Bridging the Gap!
byGareth Oakes
 
Integrated Billing, Accounting & Inventory Solution for MSMEs
byMoving Cloud
 
Java Modern Puzzlers, a guide to new programming features
bySimon Ritter
 
Austin Marketo User Group: Ground Control 2 MOPS: AI-Ignite your Map
bybbedford2
 
Shift Left for Inclusion: Scalable Accessibility Testing with Cypress - Cypre...
byLudovico Besana
 
Making sense of AWS Serverless operations- AWS Community Day CEE 2025
byVadym Kazulkin
 
898975372-Leaving-Legacy-Software-Behind-a-Modern-Migration-Roadmap.pdf
byKsoft Technologies
 
Scraping Amazon Prime Watchlist Data for Viewing Patterns.pdf
byyashpatric
 
The 50+ First-Timer: It’s never too late for Open Source!
byImma Valls Bernaus
 
VADY GenAI – Enterprise AI Solutions with Complete Data Control and Smart Dec...
byNewFangledVision
 
Best Tableau Alternatives for Data Analytics and Reporting.pdf
byVarsha Nayak
 
The 50+ First-Timer: My OpenTelemetry Contribution and How Your CNCF Journey...
byImma Valls Bernaus
 
VADY Business Intelligence – Conversational AI Analytics for Every Team Witho...
byNewFangledVision
 
Which Tableau Alternative Offers Better Customization and Embeddability.pptx
byVarsha Nayak
 
Metrics, logs, traces, and mayhem_ introducing an observability adventure gam...
byImma Valls Bernaus
 
Comprehensive Guide to SharePoint Consulting Services – Benefits, Process, an...
bySharepoint Designs
 
How can AI be used in Content Management Systems, Plone Conference 2025
byRob Gietema
 
Financial Literacy for Software Developers
byBalanathanVirupasan
 
Declarative Process Mining with MINERful, Reloaded
byCecilia Iacometta
 
Practical Performance Tuning for Serverless Java on AWS- InfoQ Dev Summit
byVadym Kazulkin
 
ASTC Conference 2025 - Bridging the Gap!
byGareth Oakes
 

Using Cookies to Store Your Postman Secrets

  • 1.
    Using Cookies toStore Your Postman Secrets Lightning Talk on February 4, 2021 Miguel A. Calles
  • 2.
    We are testing theproduction environment. We want to test an API in a team collection. We enter our actual username and password. We complete the test and move on.
  • 3.
    We make acollection public. We decide to make a "quick" change. We "temporarily" add an API key. We get a phone call from our boss.
  • 4.
    Strong encryption at-restand in-transit Postman Sessions Role-based access control (RBAC) Strong security program
  • 5.
    Protect your account,installation, and computer Implement user roles with RBAC Use Postman Sessions Be careful what you share
  • 6.
    Environments (obviously) haveno encryption in-use Avoid syncing with Sessions Use cookies as a local data store
  • 7.
    Done with theUI and scripts. Must carefully avoid setting Initial Value
  • 8.
    Done with theUI and scripts Must whitelist domain
  • 10.
    Principal Solutions andSecurity Engineer Published Author https://MiguelACallesMBA.com https://ServerlessSecurityBook.com https://www.linkedin.com/in/miguel-a-calles-mb a/
  • 12.
    const cookieJar =pm.cookies.jar(); const cookieName = "xApiKey" const domain = "postman.galaxy.demo" cookieJar.get(domain, cookieName, (error, cookie) => { if (error) { console.error(error); pm.variables.set(cookieName, "error"); } if (cookie) { pm.variables.set(cookieName, cookie); } else { console.error("Cookie is missing") pm.variables.set(cookieName, "missing"); } });
  • 13.
  • 14.
    // https://postman-quick-reference-guide.readthedocs. io/en/latest/libraries.html const cookieJar =pm.cookies.jar(); const sessionVarName = "xApiKey"; const cookieName = "secretKey"; const domain = "postman.galaxy.demo";
  • 15.
    cookieJar.get(domain, cookieName, (error, secretKey)=> { if (error) { console.error(error); pm.variables.set(sessionVarName, "error"); } if (secretKey) { // encryption const encryptedText = CryptoJS.AES.encrypt('<data-to-encrypt>', secretKey).toString(); console.log('encryptedText', encryptedText);
  • 16.
    // decryption console.log('secretKey', secretKey); constxApiKeyEnc = pm.environment.get('x-api-key-enc'); console.log('xApiKeyEnc', xApiKeyEnc); const xApiKey = CryptoJS.AES.decrypt(xApiKeyEnc, secretKey).toString(CryptoJS.enc.Utf8); console.log('xApiKey', xApiKey); pm.variables.set(sessionVarName, xApiKey); } else { console.error("Cookie is missing") pm.variables.set(sessionVarName, "missing"); } });
  • 17.
    Photo by krakenimageson Unsplash Photo by Sarah Kilian on Unsplash Photo by John Salvino on Unsplash Photo by Erika Fletcher on Unsplash Photo by Alexander Sinn on Unsplash Photo by Christina Branco on Unsplash Photo by Scott Sanker on Unsplash Photo by Markus Spiske on Unsplash