Security and Compliance: A Shared Responsibility Model
We also have a list of recommended best practices for designing and developing with Postman when dealing with PII and PHI.
Different Postman plans have different security features. See the Postman Security Features guide to learn more about them.
- Always make API calls over TLS (or other secure protocols) and do not disable client-side certificate validation.
- Avoid disabling SSL certificate validation for Postman Monitors.
- Follow secure coding practices in scripts that run as part of collections, so that PII and PHI are not accidentally sent to systems that are not supposed to receive them.
- Have a peer review process for critical collections, and merge changes to such collections using Postman’s collection fork and merge feature.
- Enable SSO-based login and disable password-based login. Enable 2FA on your SSO identity provider.
- To test APIs behind a whitelisted, restricted firewall, Postman provides the option to monitor APIs from a static IP address. Use it to further restrict access to your critical network-connected systems that hold PII or PHI.
- If you suspect your account has been compromised, remove the affected user account. If you suspect an API key has been compromised, revoke it from the dashboard.
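As an added illustration of the "secure coding practices within scripts" item above (example code, not from Postman's documentation), the following guard flags PII/PHI-looking fields in a JSON request body that is bound for a host not approved to receive such data. It is written as plain functions so it runs outside Postman; the approved host list, the field patterns, and the `pm.request.url.getHost()` / `pm.request.body.raw` calls in the trailing comment are assumptions for this example.

```javascript
// Hosts approved to receive PII/PHI (constructed list for this example).
const APPROVED_HOSTS = new Set(["api.internal.example.com"]);

// Field names and value shapes that commonly carry PII/PHI (assumed patterns).
const SENSITIVE_KEYS = /^(ssn|dob|date_of_birth|email|phone|mrn|diagnosis|patient)/i;
const SENSITIVE_VALUES = [
  { name: "ssn", re: /^\d{3}-\d{2}-\d{4}$/ },
  { name: "email", re: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
];

// Walk a parsed JSON body and collect JSONPath-style locations whose key name
// or string value looks sensitive. Returns [] when nothing is found.
function findSensitiveFields(value, path = "$") {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((v, i) => hits.push(...findSensitiveFields(v, `${path}[${i}]`)));
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      const p = `${path}.${k}`;
      if (SENSITIVE_KEYS.test(k)) hits.push({ path: p, reason: `key:${k}` });
      hits.push(...findSensitiveFields(v, p));
    }
  } else if (typeof value === "string") {
    for (const { name, re } of SENSITIVE_VALUES) {
      if (re.test(value)) hits.push({ path, reason: `value:${name}` });
    }
  }
  return hits;
}

// Decide whether a request may proceed: `host` is the destination hostname,
// `body` the parsed JSON payload. Approved hosts are never flagged; for any
// other host the list of sensitive-looking fields is returned (empty = OK).
function checkRequest(host, body, approved = APPROVED_HOSTS) {
  if (approved.has(host)) return [];
  return findSensitiveFields(body);
}

// In a Postman pre-request script (assumed script API) this would be wired as:
//   const v = checkRequest(pm.request.url.getHost(), JSON.parse(pm.request.body.raw));
//   if (v.length) throw new Error("PII/PHI bound for unapproved host: " + JSON.stringify(v));
// Throwing aborts the request before the data leaves the client.
```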