The Limitations of Postman

API Expert
2 min read · Apr 24, 2023

Postman has a loyal following of over a million ‘developers’, all of whom I plan to make very angry right now. Why? Because Postman is a VERY limited application for testing.

It is not an IDE, and it is not a platform (contrary to how it promotes itself). It is a manual request-sending tool, and one aimed squarely at FRONTEND work.

And before you start writing that ANGRY RESPONSE, hear me out.

Bad CI/CD

Postman excels at exploratory testing for FRONTEND DEVELOPERS, but it has little application beyond that. Postman is, quite literally, a UI over a tool that predates it by well over a decade: curl. curl drops straight into shell scripts, Makefiles, Continuous Integration pipelines and deployment checks (all of devops), while Postman cannot without bolting a separate runner onto your pipeline. And while people LOVE ‘collections’, a collection is a bundle of saved request definitions with example payloads, i.e. test fixtures, not a test suite: it carries no assertions about redirects, headers, caching or failure cases unless you script them. An entire generation of FRONTEND DEVELOPERS now thinks clicking ‘Send’ on a collection is CI/CD, and cannot write a proper automated test.
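To make the point concrete, here is the kind of curl-based smoke test that runs unchanged in any CI job. This is an added example, not code from the original post: the endpoint, the header policy it enforces (JSON content type, no-store caching, HSTS present) and the dumped-header format it checks are assumptions for illustration. curl does the one thing it is good at, fetching, and plain shell does the assertions, so the same script works on a laptop, in a pipeline stage, or under cron.

```shell
#!/bin/sh
# Constructed example (not the original post's code): a curl-based API smoke test
# that any CI job (GitHub Actions, GitLab, Jenkins, a Makefile target) can run as-is.
# Endpoint names and the header policy below are assumptions for illustration.

set -u

# fetch URL HEADERFILE BODYFILE [extra curl flags...]
# Dumps response headers to HEADERFILE and body to BODYFILE; prints the final status code.
# Extra flags such as -H 'Authorization: Bearer ...', -X POST or --data @fixture.json follow.
fetch() {
  url=$1; hdr=$2; body=$3; shift 3
  curl -sS -o "$body" -D "$hdr" -w '%{http_code}' "$@" "$url"
}

# The helpers below only read the dump curl wrote, so they can be exercised offline.
# status_of HEADERFILE: status code of the LAST response in the dump (curl -L writes one
# header block per redirect hop, separated by blank lines).
status_of() {
  grep -i '^HTTP/' "$1" | tail -n 1 | awk '{print $2}'
}

# header_of HEADERFILE NAME: value of header NAME from the last hop, case-insensitive,
# with the trailing CR and leading whitespace stripped.
header_of() {
  awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^HTTP\// { val = "" }                     # new hop: forget earlier values
    { line = $0; sub(/\r$/, "", line)
      n = index(line, ":")
      if (n > 0 && tolower(substr(line, 1, n - 1)) == want) {
        val = substr(line, n + 1); sub(/^[ \t]+/, "", val) } }
    END { print val }
  ' "$1"
}

# check_response HEADERFILE EXPECTED_STATUS
# Prints one line per failed expectation; exits non-zero if anything failed, so that
# `check_response headers.txt 200 || exit 1` fails the CI stage.
check_response() {
  file=$1; want=$2; rc=0
  got=$(status_of "$file")
  [ "$got" = "$want" ] || { echo "status: expected $want, got $got"; rc=1; }
  case $(header_of "$file" Content-Type) in
    application/json*) : ;;
    *) echo "content-type: expected application/json"; rc=1 ;;
  esac
  case $(header_of "$file" Cache-Control) in
    *no-store*) : ;;
    *) echo "cache-control: API responses must be no-store"; rc=1 ;;
  esac
  [ -n "$(header_of "$file" Strict-Transport-Security)" ] \
    || { echo "missing Strict-Transport-Security"; rc=1; }
  return "$rc"
}

# Example CI invocation (live; needs network). API_BASE and TOKEN come from the CI
# secret store; both names are assumptions:
#   fetch "$API_BASE/v1/me" headers.txt body.json -H "Authorization: Bearer $TOKEN" >/dev/null
#   check_response headers.txt 200 || exit 1
```

Because the assertions read curl's `-D` header dump rather than curl's exit status alone, the same script can be pointed at a recorded response to test the test, and a 4xx or 5xx is reported with its real status instead of a bare "curl failed".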

Poor Understanding of Security

People become more reliant on tools and less on their own understanding of how the protocols work; they let the tool hold the knowledge instead of the software developer. As a result, they never acquire even a basic level of security understanding, because the tool only shows them what its designers chose to surface.

Poor Understanding of HTTP Protocol

An HTTP request can be redirected, to an external host or to an internal one, and we need to be able to test that and see every hop: each 3xx status, its Location header, and where the chain finally lands. Postman follows redirects automatically by default and hands you the final response, so the intermediate hops are hidden unless you go digging in its console; and the ‘Referer’ header some people look at is a request header the client sends (and can turn off), which tells you nothing about where the server redirected you. curl exposes all of this directly, because it is built into curl and the HTTP protocol: -L follows redirects, --max-redirs bounds the chain, -D or -v dumps every hop’s headers, and the -w variables %{redirect_url}, %{num_redirects} and %{url_effective} report the result, all of which can be scripted with as much detail as you want.

Few people understand this, and because they never test for it properly, a lot of people leave potential security risks open in their API frontends, backends, caches and so on: an open redirect that sends a user’s browser (and whatever is in the URL) to an attacker’s host, a server-side fetcher that follows a redirect onto an internal address, credentials or cookies carried across to another host, or a cache that stores the redirect itself.

Closing

A complete reliance on tools rather than on your own understanding leaves us at the mercy of the vendors: vendors who want a ‘one size fits all’ approach and do not respond well to security issues when they are pointed out, especially when fixing them will cost money or reveal that they are to blame.


API Expert

Owen Rubel is the ‘API Expert’. He is an original Amazon team member, creator of API Chaining(R), and a leader in API automation.