Using Cookies to Store Your Postman Secrets
0 likes1,126 views
The document discusses using cookies to securely store secrets and API keys in Postman. It describes storing encrypted values in cookies rather than environments to avoid exposing secrets. The code examples show how to get, set, and encrypt/decrypt values in cookies to use in Postman sessions and tests. Developers are advised to implement role-based access control, avoid sharing secrets publicly, and carefully manage what data is synced or exposed.
Using Cookies to Store Your Postman Secrets
- 1. Using Cookies to Store Your Postman Secrets Lightning Talk on February 4, 2021 Miguel A. Calles
- 2. We are testing the production environment. We want to test an API in a team collection. We enter our actual username and password. We complete the test and move on.
- 3. We make a collection public. We decide to make a "quick" change. We "temporarily" add an API key. We get a phone call from our boss.
- 4. Strong encryption at-rest and in-transit Postman Sessions Role-based access control (RBAC) Strong security program
- 5. Protect your account, installation, and computer Implement user roles with RBAC Use Postman Sessions Be careful what you share
- 6. Environments (obviously) have no encryption in-use Avoid syncing with Sessions Use cookies as a local data store
- 7. Done with the UI and scripts. Must carefully avoid setting Initial Value
- 8. Done with the UI and scripts Must whitelist domain
- 10. Principal Solutions and Security Engineer Published Author https://MiguelACallesMBA.com https://ServerlessSecurityBook.com https://www.linkedin.com/in/miguel-a-calles-mb a/
- 12. const cookieJar = pm.cookies.jar(); const cookieName = "xApiKey" const domain = "postman.galaxy.demo" cookieJar.get(domain, cookieName, (error, cookie) => { if (error) { console.error(error); pm.variables.set(cookieName, "error"); } if (cookie) { pm.variables.set(cookieName, cookie); } else { console.error("Cookie is missing") pm.variables.set(cookieName, "missing"); } });
- 14. // https://postman-quick-reference-guide.readthedocs. io/en/latest/libraries.html const cookieJar = pm.cookies.jar(); const sessionVarName = "xApiKey"; const cookieName = "secretKey"; const domain = "postman.galaxy.demo";
- 15. cookieJar.get(domain, cookieName, (error, secretKey) => { if (error) { console.error(error); pm.variables.set(sessionVarName, "error"); } if (secretKey) { // encryption const encryptedText = CryptoJS.AES.encrypt('<data-to-encrypt>', secretKey).toString(); console.log('encryptedText', encryptedText);
- 16. // decryption console.log('secretKey', secretKey); const xApiKeyEnc = pm.environment.get('x-api-key-enc'); console.log('xApiKeyEnc', xApiKeyEnc); const xApiKey = CryptoJS.AES.decrypt(xApiKeyEnc, secretKey).toString(CryptoJS.enc.Utf8); console.log('xApiKey', xApiKey); pm.variables.set(sessionVarName, xApiKey); } else { console.error("Cookie is missing") pm.variables.set(sessionVarName, "missing"); } });
- 17. Photo by krakenimages on Unsplash Photo by Sarah Kilian on Unsplash Photo by John Salvino on Unsplash Photo by Erika Fletcher on Unsplash Photo by Alexander Sinn on Unsplash Photo by Christina Branco on Unsplash Photo by Scott Sanker on Unsplash Photo by Markus Spiske on Unsplash