[HN Gopher] Show HN: Restfox - Open source lightweight alternati...
___________________________________________________________________

Show HN: Restfox - Open source lightweight alternative to Postman

Last time I posted this it didn't garner much interest. There have been lots of improvements and fixes since the last release.

Quick list of features:

- Workspaces
- Tabs
- Nested Folders
- Lots of context menus
- Response history
- Plugins
- Runs fully in the browser and runs offline if necessary
- Chrome and Firefox extension to bypass CORS restrictions
- Desktop builds for all platforms
- GraphQL support
- Import collections exported from Postman and Insomnia
- Simple user friendly interface

I built this because I love Insomnia but wanted a portable version that I could run in the browser. If you're tired of Postman's bloated interface and slow startup times, do give this a try.

Author : kermire
Score  : 506 points
Date   : 2022-10-21 12:06 UTC (10 hours ago)

(HTM) web link (restfox.dev)
(TXT) w3m dump (restfox.dev)

| sphars wrote:
| Any chance of the ability to do web sockets? Postman has started supporting this recently (in beta) but I really don't want to use Postman.
|
| Any other suggestions for web socket testing clients also welcome.
| easrng wrote:
| hoppscotch can do websockets and socket.io and SSE
| kermire wrote:
| I definitely intend to add web socket support eventually. Meanwhile, there's https://socketfox.dev which I made for my friends. You can use it to test web sockets.
| nerdbaggy wrote:
| I have used https://github.com/Kong/insomnia for Websocket stuff
| LunicLynx wrote:
| I would recommend VS Code with RestClient extension.
| locusofself wrote:
| my needs are very basic, but I've been using vs code extension called ThunderClient
| Joeri wrote:
| Same here, I switched from postman and that combination is really all I need.
| duxup wrote:
| Yeah I realized that's all I need after a while.
|
| Nice to have a file with some calls to make right in the client. Can take those to an outside app if needed.
| [deleted]
| [deleted]
| jetter wrote:
| If you are a minimalist, and are using VS Code, try https://marketplace.visualstudio.com/items?itemName=humao.re... which is a pure text syntax to describe API requests, and execute them right from the editor window. I now have api.http text file in every API-first project I am building and I love it.
| kxrm wrote:
| I like this one because it's easy to keep API workflows with my projects. The scripting ability here is phenomenal. However only really useful if you code in VS Code.
| jiehong wrote:
| Jetbrains also provides a similar, albeit slightly incompatible syntax for the same thing.
|
| In the end, I think hurl [0] is nicer, because it's open source and it's a cli tool (and VS code also has a syntax highlighting plugin for it), making it editor independent.
|
| [0]: https://github.com/Orange-OpenSource/hurl
| SwiftyBug wrote:
| Do you have a single api.http file or do you use multiple {route}.http files?
| kxrm wrote:
| Not OP but you can store all your routes in one file or multiple, it's up to you.
|
| Personally what I do is I script out full API workflows in different files. So one file might login, then POST to add an object, then GET that object off an endpoint, then patch that endpoint, then trigger the GET object again.
|
| Another workflow might login, upload an image, get that image, etc. For me the scripting is what makes this appealing.
|
| But you could set up one file that documents and tests all your endpoints similar to Postman.
| barbazoo wrote:
| Postman is the new Dropbox in terms of useless features for the sake of growth or whatever.
| gregwebs wrote:
| I have been trying out https://hurl.dev and so far been really liking it.
| Plain text format, everything runs very quickly locally, it can capture data from previous requests to run workflows and serve as a testing tool.
| ushakov wrote:
| If you like hurl, you may also like Step CI, which uses yaml, generates tests from your OpenAPI spec and is easy to integrate with CI/CD
|
| Give it a try: https://stepci.com
|
| It's free and open-source on GitHub, built by the community!
|
| Disclaimer: I'm the original author
| stonecharioteer wrote:
| Nothing to take away from all of this, but please learn cURL. Postman and all its alternatives are great and all, but they also hide a lot of things that will hinder your debugging skills. As an alternative try httpie. Not because CLIs are cool but because you can see the headers and the raw response more easily. Developers need to understand what content type is, what response headers are, how to limit them, how to tweak them. And the snippets that Postman provides are not always the right way to send requests in a given language
| cercatrova wrote:
| I like xh as a faster httpie as well
| Sohcahtoa82 wrote:
| I'd take Burp Suite over cURL.
|
| The command line fucking SUCKS for sending anything beyond basic HTTP requests.
| [deleted]
| si1entstill wrote:
| I switched to "vscode-restclient" about a year ago and never looked back. It has variables, everything is saved as text, and I can commit my request suite to source control for collaboration's sake.
|
| https://github.com/Huachao/vscode-restclient
| mrcaramelpants wrote:
| Nice, I wonder how it compares to hoppscotch.io
| kermire wrote:
| Previous reply: https://news.ycombinator.com/item?id=32671805
| odiroot wrote:
| I use https://kreya.app/. It is very lean and the only GUI client not using Electron, I could find.
| wiseowise wrote:
| There's also https://github.com/warmuuh/milkman.
| Aperocky wrote:
| > - Runs fully in the browser and runs offline if necessary
|
| Couldn't understand why this isn't the default.
|
| curl is always available and slapping a display layer on top of something like curl shouldn't need to talk to some backend server.
| ducktective wrote:
| >curl is always available
|
| curl is not installed by default in many distros
|
| Also, I don't think it's possible to call external processes from within the browser sandbox
| genghizkhan wrote:
| > curl is not installed by default in many distros
|
| Which ones (apart from alpine)? I thought curl was pretty much as basic as it got and is always there.
| flatiron wrote:
| I just installed Ubuntu using debootstrap and it did not come with curl (to my surprise)
| Aperocky wrote:
| On the top of the concept, not curl itself.
|
| If curl can run locally, so should all of these tools.
| [deleted]
| jhoelzel wrote:
| I like it but please don't make me right click to do something! please add a little plus or something like it.
|
| Otherwise great work! needs a little disclaimer though that you will not save any of my requests =)
| kermire wrote:
| Thank you. Will look into preventing the right click requirement and provide an alternative for that.
|
| It should be saving your requests automatically. Maybe your browser is blocking IndexedDB somehow? That's what's used by the application to store the data locally. Also do make sure you're not in incognito mode, as changes will be lost once you're out of it.
| iimblack wrote:
| Firefox private mode completely blocks indexeddb.
| progre wrote:
| I'm just now migrating my postman collections to .rest text files and the REST-client plugin for vscode (that name is both good and bad at the same time btw, it's like marketing a new car and naming it "Car").
|
| Granted it does not do everything Postman does but I'm pretty happy so far. Environment variables and secrets stay in a workspace settings.json and the .rest files can be version controlled and shared.
|
| Always bet on text!
| twodave wrote:
| This.
| My current hobby project[0] is basically something I started because I was frustrated with the inability to version control my tests in Postman alongside my API code. If it can't be committed to source control, then it's not really your code.
|
| Now I can run all my tests FAST locally and set up a CI/CD pipeline in about 15 mins that will pick up and run them as well. At this point I'm not even sure a UI is necessary (maybe for the QA folks--maybe just an import from a postman collection will be enough for them, though).
|
| [0]: https://github.com/davesheldon/nap
| [deleted]
| NayamAmarshe wrote:
| Why should I use this over https://hoppscotch.io ?
| tartieret wrote:
| how secure is hoppscotch.io?
| naikrovek wrote:
| well it runs in your browser but I don't know how it syncs between browsers.
| [deleted]
| simjnd wrote:
| Hoppscotch [1][2] (previously Postwoman) is also a very nice free and open-source Postman alternative.
|
| [1]: https://hoppscotch.io/
|
| [2]: https://github.com/hoppscotch/hoppscotch
| shubham_sinha wrote:
| Postman, Insomnia, Paw seem to fall in similar league. But if you are running VSCode simply use Thunderclient.
| Avlin67 wrote:
| it is completely garbage on mobile
| [deleted]
| philliphaydon wrote:
| I switched to insomnia when postman changed their pricing pulling the rug out from everyone wanting us to pay like $300 more per month. (Before they backtracked)
|
| https://insomnia.rest/
|
| I actually prefer it.
| datavirtue wrote:
| I have been using Thunder client in vs code. Love not having another app. Postman is horrible now.
| ako wrote:
| Same here, moved from postman to insomnia, now mostly using the rest plugin for visual studio code. Prefer using regular text files.
| anamexis wrote:
| I similarly use restclient.el on Emacs and love it.
|
| For those unfamiliar with these plugins, they allow you to simply write text files looking like:
|
|     GET https://example.com/posts/5
|     Accept: application/json
|
| or
|
|     POST https://example.com/posts
|     Content-Type: application/json
|     Authorization: Bearer abc
|
|     {"title": "foo", "body": "bar"}
|
| and simply execute the requests from the buffer.
| mdaniel wrote:
| There's one built into the JetBrains editors, too. And the upcoming release is going to allow one to wrap very long URLs for better visibility and include fun things like "$random.email" in the request: https://blog.jetbrains.com/idea/2022/10/intellij-idea-2022-3... _(EAP releases are always free of charge, if one wanted to play with it right now; just please report bugs if you find them, as that's the reason they're free)_
| raone1 wrote:
| Moved from Postman to Insomnia too. Postman was taking too much time to start and was very unresponsive compared to Insomnia, on my Work Laptop.
| judge2020 wrote:
| One thing I love from Insomnia.rest is the ability to import CURL commands, including an entire list of newline-delimited CURL commands from the clipboard. This makes it easier to modify XHR's you pulled from your browser via a right click -> "copy all as cURL (bash)".
| donkeyd wrote:
| Yup. Use this all the time, either when I want to automate something on an undocumented API, or if I want to do some basic security testing on API's at work.
| apocalyptic0n3 wrote:
| Postman can do this as well. I've been using this a bunch recently due to some project limitations and it has made life so much easier.
|
| ETA: I just tried the functionality on Insomnia and I have to admit the UX is nicer. Just paste into the URL bar. Whereas with Postman it's CMD+O, Click on "Raw Text", click in textarea, paste, press import.
| Insomnia looks to have added OpenAPI support too (it was missing it last time I played with it) so maybe it's time to re-evaluate Insomnia
| aliqot wrote:
| Postman's UI is cluttered
| apocalyptic0n3 wrote:
| I don't disagree. I've just been using it for so long (8 or 9 years now I think) and it's so ingrained in my workflows that I haven't bothered to re-evaluate it in ages. This is probably the kick in the butt I needed.
| aliqot wrote:
| The world is your oyster, my friend. Restfox is pretty similar to Insomnia, which is what I use, so I'll probably give Restfox a shot and see about hosting my own instance on the LAN.
| Version467 wrote:
| Same here, switched from postman to insomnia when it became impossible to ignore how slow, cluttered and generally bloated it became. Haven't missed it since. Insomnia is pretty great. I'm sure there's lots of stuff that postman can do that insomnia can't, but insomnia is still very capable, while being snappy and not being in the way. Highly recommend it.
| alias_neo wrote:
| Same, my team and I started using Insomnia too when Postman pulled that stunt; doesn't matter if they went back on, good will lost in that way is a bridge burned that can't be rebuilt.
| Jenk wrote:
| OP states they built this because they wanted a portable version of Insomnia.
| [deleted]
| mch82 wrote:
| Cool project! A true, open source alternative to Postman will be valuable. It seems like you've got the major elements in place.
|
| Unsolicited UX notes...
|
| I read Hacker News on mobile, so tried the app on mobile and ran into some challenges. In order to save space, eliminate the right click, and work on mobile please consider changing:
|
|     You can right click here to create a new request or a new folder
|
| To the following (illustrated using pseudo markdown):
|
|     [Create request] or [Create a folder]
|
| It would also be helpful to replace the GitHub star link with a link to your README.
| GitHub star links are problematic because they require a login that adds friction that prevents people from getting to your README page. People will login if they decide to star the project, but they might never get to your GitHub if they don't have time to login or can't easily login on the device where they're reading.
| Havoc wrote:
| There is also hoppscotch - unsure about licensing but it is self hostable
| and0 wrote:
| I dug into hoppscotch since my org balked at Postman enterprise costs, but was disappointed. It is open source and can run locally, but it still only talks to their cloud that stores your collections as a logged-in user (or session storage if you're offline). It's definitely a fledgeling commercial project, not a true open-source alternative, though you could fork it easily enough probably.
|
| I had been hoping to keep all of our APIs centralized in git and run the local (or cloud for our ENVs) from that repo, but it doesn't read any query/API/collection defs from file.
|
| (Not to come off as demanding of OSS, it's a wonderful product, but unfortunately you have to dig deep to figure out the limitations.)
|
| EDIT: Also, what I'd go with now is Thunder client for VS code leveraging API defs stored within each repo + the localized vars such as auth info.
| Havoc wrote:
| I tried Thunder too but their "please log in" popup is quite annoying. Wasn't aware it can leverage repo contents though - that seems like a killer feature.
|
| > fledgeling commercial project, not a true open-source alternative
|
| Yeah most of the self-host stuff tends to be like that unfortunately. Understandable but not ideal.
| kermire wrote:
| Thank you. The UI is not currently built with mobile in mind. I have been thinking of implementing a responsive layout but haven't had the time to do it.
|
| I did not know about the GitHub star login thing. Will try to rectify it when I can. Thanks for all your UX notes.
| djbusby wrote:
| Github Star link looks fixed.
| Zamicol wrote:
| The offline part is critical for me. The only other thing I would prefer is an application that doesn't use Electron.
| [deleted]
| steve_john wrote:
| jcuenod wrote:
| InvalidStateError: A mutation operation was attempted on a database that did not allow mutations.
|
| [Edit]: I'm on Firefox (with ublock origin). I see others having issues too.
| kermire wrote:
| Firefox with ublock origin should not cause any issues. The issue might be caused by Firefox's private window implementation which does not allow IndexedDB operations, which is what Restfox uses for storing the data of the application locally.
| npalli wrote:
| Tried to just GET www.google.com; says error and suggests bypassing with some plugins. Don't think I want to continue further.
| jcuenod wrote:
| Is there a way to get it to ignore the cache?
| ushakov wrote:
| If you want something like Restfox but as a CLI, that tests your APIs automatically, give Step CI a try
|
| https://stepci.com
|
| It's free and open-source on GitHub!
|
| Disclaimer: I'm the author
| roamerz wrote:
| Nice work! I wasn't familiar with insomnia so when I read your first line there I read it as "I love not being able to sleep because it gave me time to code this project..."
| kermire wrote:
| Haha thanks. Didn't think it could be interpreted like that :D
| imagineerschool wrote:
| Cool!
| alfor wrote:
| I don't understand, what is it, what does it do?
| alfor wrote:
| Ok, it's a tool to test rest api.
| jokab wrote:
| Good for you. Now did you check what postman does?
| [deleted]
| projproj wrote:
| Here's an alternative I recently came across. In Firefox on the network tab of the dev console, right click on an XHR request. You'll have two relevant options: "Resend" and "Edit and Resend". Edit and Resend doesn't give you all the features of Postman, but it is useful and a lot easier.
| I have spent a lot of time in Postman just putting in all the headers and POST body to set up the API call. With this method in Firefox, all parameters are already set because it's an exact copy of the request you already sent. You can change params or just hit send when you're ready to retest something you're doing on the backend.
| easrng wrote:
| They actually removed the plain Resend option and renamed Edit and Resend to just Resend.
| throwaway17474 wrote:
| I am very happy to save you a lot of time for copy&pasting requests to Postman. Since Postman can import curl commands, just right-click on a command in Firefox, Copy as -> Curl, click on the Import in Postman, import as text, paste curl, mission accomplished. Hope it helps.
| [deleted]
| tgv wrote:
| Nice. If you want to implement another feature: see the error response. My server returned 428, but I couldn't see the contents nor header, only a generic "preview".
| kermire wrote:
| That's very odd. Will look into this.
| tgv wrote:
| And the Cookie header isn't sent? (using it on Firefox 106.1).
| kermire wrote:
| I'm using the fetch API for making requests and fetch sadly forbids the Cookie header from getting passed. Will be looking into how I can bypass this.
| inso1 wrote:
| Hi I am one of the contributors to Insomnia. You guys are all invited to join our Slack channel and give us suggestions and feedback! https://chat.insomnia.rest/
| [deleted]
| gquiniou wrote:
| A nice feature would be import and export from/to Curl commands. When collaborating with clients or even colleagues it's easier to send curl commands.
| kermire wrote:
| Definitely something I'll be implementing soon. Importing and exporting curl commands is a good feature to have. Thanks for the feature suggestion.
| mxuribe wrote:
| I wonder if the chromium project has these functions all ready for you to grab from their dev tools?
| kcartlidge wrote:
| > _Last time I posted this it didn't garner much interest._
|
| Looks good. I use Postman daily and it sucks, so always open to alternatives.
|
| I don't recall what it looked like the last time you posted, but I wonder if part of the low interest is because upon arrival it doesn't instantly jump out to the visitor that this is something you can host/run locally. It's very easy to miss the Github links top right. And if you don't realise that, then what you see is a third party website expecting you to send _your_ development requests through _their_ UI, which is off-putting.
|
| As I say, I don't remember, but that _may_ be why I skipped it last time. I'll pay more attention this time!
|
| _(Edit: split paragraphs for clarity)_
| HatchedLake721 wrote:
| Switched away from Postman to a native Mac app and my RAM couldn't be happier (https://paw.cloud)
| codatory wrote:
| Now that they're maintaining versions based on web technologies and are now just a cog in the VC Funded RapidAPI machine, are you concerned that makes the writing on the wall for the native Mac app?
| shmoogy wrote:
| Seems pretty nice but $50 is a little high - is it really worth the premium?
| Fnoord wrote:
| I bought it during a BF deal. Perhaps wait a month?
| robertlagrant wrote:
| $50 doesn't look high to me, assuming it does everything it says it does really well. Just designing an API in a nice UI is worth more than that!
|
| (No affiliation.)
| steve_adams_86 wrote:
| It isn't been, in my experience. If my team used it collaboratively it might be.
|
| It's a solid app and worth it if you'll use it a lot. I simply didn't because piling things in there isn't particularly valuable if it isn't readily available to the people I work with.
| s_dev wrote:
| No -- I used and paid for PAW for a while.
| I gave up on all MacPaw products once I realized their sales staff contacted me after I asked them not to -- they immediately lost me as customer. They just wanted to 'help' me get on to a more expensive plan that was for Teams.
|
| There are plenty of great alternatives: HTTPie is one I like. Haven't found a good alternative to CleanMyMac yet though.
| samschooler wrote:
| Unless I'm mistaken, Paw isn't owned by MacPaw? It's an unrelated product with a one time purchase price.
| s_dev wrote:
| There is some financial relationship there. You get PAW with a SetApp bundle that MacPaw sell as a subscription.
| avree wrote:
| There's zero 'relationship'. SetApp bundles popular Mac software, of which Paw is one.
| s_dev wrote:
| >There's zero 'relationship'.
|
| It's a reseller. They probably even charge a commission so there is a business/financial relationship.
| simongr3dal wrote:
| You currently get 239 apps with the setapp bundle, I don't think there's anything special about that relationship.
| girvo wrote:
| I got $50 of value out of my purchase, but that was quite a few years ago. Dunno if I'd buy it today when there are other alternatives
| tecleandor wrote:
| Postman is $15, it just takes a bit more than 3 months to surpass the price :P
| manyxcxi wrote:
| I've been using it for a long time and I'd happily pay $100 for it.
|
| It can consume swagger/openapi docs and generate calls. It can generate code snippets and cURL requests. You can extract values from one response body to use as a variable in another request, the built in features go on and on- and there's a decent extension ecosystem/write your own.
|
| Most importantly, it just works, and it works well and quickly, with pretty much any auth scheme I've ever had to deal with.
|
| I've only got really a couple of nits with the stand-alone version.
|
| I still can't figure out how to make it "use the same auth scheme" for every single request globally.
| Each request requires the auth config, but this is solved by just copying an existing request and starting from that. This could very well be my lack of knowledge, though I feel like I know the tool well.
|
| The .paw file is binary and doesn't do well checked into source control if you've got more than one person using it.
|
| The Teams version, which requires a monthly sub kinda/sorta mimics a git style branch strategy for merging different members changes and handles the team problem pretty well.
|
| All in all though, it is absolutely and BY FAR the best request tool I've ever used. A great combination of simple just get out of the way and advanced automation strategies. I use it every day.
|
| EDIT TO ADD:
|
| I forgot to mention their license is still a lifetime license. I paid them $50, probably 6 years ago now, and have never been forced to pay them another dime. I'd pay per major version or do the IntelliJ perpetual fallback if it came to it, but I've never once been bait and switched (looking at you Tower2).
| chewmieser wrote:
| It's quite nice. I think it's worth it but you could always do the same for free/cheaper with other tools out there and/or curl.
|
| Depends on how much you value a tool like this. And it's a one-time purchase for life, not a subscription.
| [deleted]
| v3ss0n wrote:
| Importing of postman is very important feature, I will take a look definitely.
| [deleted]
| user3939382 wrote:
| My biggest gripe with Postman is the horrible theming. Except for light and dark, 0 control over the appearance of this app that I have to look at for hours almost every day.
| datavirtue wrote:
| You don't have to put up with postman. There are better alternatives.
| user3939382 wrote:
| > You don't have to put up with postman
|
| Unless you work on a team that's standardized around it as a collaboration tool.
| topspin wrote:
| My biggest gripe is that its design leads to accumulating long list of slightly different "tests" whose purpose is soon forgotten. I suppose there are better practices that can stop that, but the path of least resistance is "copy, edit, run," and so a huge pile of meaningless garbage accumulates.
|
| Something is missing.
| _jayhack_ wrote:
| For anyone looking for an aesthetic Postman alternative, I can't recommend https://insomnia.rest/ enough
| ecuaflo wrote:
| Insomnia is open source too
| [deleted]
| schipplock wrote:
| In the past I was using SoapUI. I liked it. Just because you guys were mentioning Postman alternatives :).
| arunsivadasan wrote:
| There was previously Postwoman which I believe is now hoppscotch https://github.com/f0rb1d/postwoman
|
| https://github.com/hoppscotch/hoppscotch
| [deleted]
| snehesht wrote:
| Noticed a small bug, I can't paste into the URL bar.
| Nihilartikel wrote:
| My version of Postman is to open a Jupyter notebook and
|
| >> import requests
| jdthedisciple wrote:
| Entering "news.ycombinator.com" and pressing send gives me an error.
| Sohcahtoa82 wrote:
| I'd expect someone from HN to give more descriptive reports than "gives me an error".
| Trufa wrote:
| In the error message the solution is present, install the addon:
|
| https://chrome.google.com/webstore/detail/restfox-cors-helpe...
|
| There's also a FF one.
| Snacklive wrote:
| Page is not working for me. I'm in Firefox
| neogodless wrote:
| Windows 10, Firefox 106.0.1, uBlock, multi-account containers, facebook container, bitwarden, DDG privacy, consent-o-matic, font contrast, dark reader
|
| Works fine for me.
|
| Opened a request to https://api.publicapis.org/entries and it fetched results.
| duiker101 wrote:
| My favorite testing HTTP Client is still just the IntelliJ built-in, pure text. You know exactly what you send without having to navigate menus and whatnot.
| In the end, 99% of HTTP requests are just that, text.
| [deleted]
| jicea wrote:
| I can't resist to propose my own solution: a cli tool, plain text based, curl, and Rust https://hurl.dev
|
| The market is overcrowded by good solutions, best wishes to other tools!
| nkantar wrote:
| Thank you for Hurl--I started using it a few months ago and it's been a delight!
| duiker101 wrote:
| This looks quite good!
| hbagdi wrote:
| I have been working on a CLI first workflow that doesn't require IntelliJ: https://hit.yolo42.com/. I spend my days in the terminal and like curl and httpie for most parts. Hit is to fill in the gaps rather than redo the whole experience of sending HTTP requests.
|
| I've a very early prototype. If you get a chance to try it out, please do and share your feedback.
| philliphaydon wrote:
| Can you chain requests together? Like if a request requires auth it will invoke login then take the token for use in the next request.
| onetom wrote:
| Well... that's called programming, no? :)
| kozziollek wrote:
| I haven't used it myself, but there is an option to parse responses with JavaScript and set variables.
|
|     GET https://httpbin.org/get
|
|     > {%
|         client.global.set("my_cookie", response.headers.valuesOf("Set-Cookie")[0]);
|     %}
|
| https://www.jetbrains.com/help/idea/exploring-http-syntax.ht...
| philliphaydon wrote:
| Interesting. I have 2 endpoints (login and get settings) I use for testing in a desktop app and sometimes firing up insomnia for that project is a hassle. But rider has that rest client too so maybe I'll try it for this one thing.
| pletnes wrote:
| And it fits nicely into git!
| gempir wrote:
| This is what I wish all http clients could adopt.
|
| Use plain text files (IntelliJ already introduced .http files, which work great) Sadly it will never work because that would break 90% of the incentives to pay, which is having a sync system.
| Because then I could simply commit my http requests and git would be my sync server.
|
| Personally I don't like the IntelliJ Client, the UI is kind of ugly and requires a lot of actions each time I want to send and review a response. Insomnia is way better in that regard.
|
| Good context might be my issue comment on Hoppscotch: https://github.com/hoppscotch/hoppscotch/issues/870#issuecom...
| hbagdi wrote:
| This is what I have been working on: https://hit.yolo42.com/.
|
| Early days but would love some feedback if you get a chance to try it out.
| gempir wrote:
| The idea is good, but I want a GUI.
| edpichler wrote:
| Be careful with Postman. It seems they upload all your secrets to their servers. We stopped using it a time ago. I don't know if they changed in this regard.
| thieving_magpie wrote:
| Does anyone have a source for this? I need to present this to our team if it's true.
| _boffin_ wrote:
| They sync everything. If you store stuff in collections, requests, or environments, it's uploaded.
|
| Presuming it's end-to-end, but don't know about at rest encryption
| meesles wrote:
| How else would they sync all of the shared stuff in your workspace? I'm more interested if they properly encrypt my data in transit and at rest and whether Postman employees have free access to our secrets.
| zzbzq wrote:
| I got a bulletin from our security team saying Postman stores it all in plain text on their servers. Unbelievable if true. Haven't used it since. They have all your passwords.
| pletnes wrote:
| I had this gut feeling, but no way to check. The handling of secrets is not explicitly stated, i.e. probably bad.
|
| I like the looks of httpie's new desktop client but no idea if their secret handling is any better.
| Cederfjard wrote:
| This is from their website: https://www.postman.com/trust/security/
|
| > Depending upon its sensitivity classification, customer data is AES-256-GCM encrypted at the server-side before storage. Postman environment variables are covered in this classification and we strongly encourage you to use them to store your authentication keys and passwords. We have also added sessions in the 6.2 release onwards of Postman. We recommend using session variables for any data that you do not want to be synced to Postman's servers.
| aliqot wrote:
| > Depending upon its sensitivity classification
|
| What does this mean?
| natebc wrote:
| > Postman environment variables are covered in this classification and we strongly encourage you to use them to store your authentication keys and passwords.
|
| It reads to me that they encrypt Postman environment variables and encourage you to use those.
|
| Not sure what else is "Customer data" in that regard but it seems they consider at least that bit worthy of encryption.
| jkbr wrote:
| Here's how we do it: https://httpie.io/blog/changelog-0017#data-security
___________________________________________________________________
(page generated 2022-10-21 23:00 UTC)
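
Several commenters above keep their requests as plain-text `.http`/`.rest` files in git, and the closing sub-thread is about where request secrets end up. The Python lint below is an added example, not code from any commenter or tool named on this page: it parses that request format and reports credentials written literally instead of as `{{variable}}` references. The `###` separator, the `{{name}}` syntax, the header and field name lists and all function names are assumptions of the example, and the sample file is constructed.

```python
import re

# Assumed file conventions (REST Client-style): "###" separates requests,
# "{{name}}" references a variable, "#" and "//" start comment lines.
PLACEHOLDER = re.compile(r"\{\{[^{}]+\}\}")
REQUEST_LINE = re.compile(r"^(GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS)\s+(\S+)", re.I)
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "x-api-key"}
SECRET_NAME = r"(password|passwd|secret|client_secret|token|access_token|api_?key)"
QUERY_SECRET = re.compile(r"[?&]" + SECRET_NAME + r"=([^&#\s]+)", re.I)
BODY_SECRET = re.compile(r'"' + SECRET_NAME + r'"\s*:\s*"([^"]*)"', re.I)

# Constructed sample; the second request reuses the literal token from the thread.
SAMPLE = '''\
@host = https://example.com

### login, password supplied from a variable
POST {{host}}/login
Content-Type: application/json

{"user": "demo", "password": "{{password}}"}

### literal bearer token
POST https://example.com/posts
Content-Type: application/json
Authorization: Bearer abc

{"title": "foo", "body": "bar"}

### token from a variable, secret in the query string
GET https://example.com/posts/5?api_key=12345
Accept: application/json
Authorization: Bearer {{token}}
Cookie: session={{sid}}
'''


def has_literal(value):
    """True if anything is left once {{variable}} references are removed."""
    return bool(PLACEHOLDER.sub("", value).strip())


def parse_requests(text):
    """Return one dict per request: line, method, url, headers, body."""
    requests, current, in_body = [], None, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("###"):            # request separator
            current, in_body = None, False
        elif current is None:                 # looking for a request line
            match = REQUEST_LINE.match(line)
            if match:
                current = {"line": lineno, "method": match.group(1).upper(),
                           "url": match.group(2), "headers": [], "body": []}
                requests.append(current)
        elif in_body:
            current["body"].append((lineno, line))
        elif not line:                        # blank line ends the headers
            in_body = True
        elif ":" in line and not line.startswith(("#", "//")):
            name, value = line.split(":", 1)
            current["headers"].append((lineno, name.strip(), value.strip()))
    return requests


def header_credentials(name, value):
    """Return the credential-bearing parts of a sensitive header value."""
    if name.lower() == "cookie":
        return [pair.split("=", 1)[-1] for pair in value.split(";")]
    if name.lower().endswith("authorization"):
        return value.split(None, 1)[-1:]      # drop the scheme word if present
    return [value]


def find_literal_secrets(text):
    """Return sorted (line, location) pairs; secret values are never echoed."""
    findings = []
    for req in parse_requests(text):
        for match in QUERY_SECRET.finditer(req["url"]):
            if has_literal(match.group(2)):
                findings.append((req["line"], "query parameter " + match.group(1)))
        for lineno, name, value in req["headers"]:
            if name.lower() in SENSITIVE_HEADERS and any(
                    has_literal(part) for part in header_credentials(name, value)):
                findings.append((lineno, "header " + name))
        for lineno, line in req["body"]:
            for match in BODY_SECRET.finditer(line):
                if has_literal(match.group(2)):
                    findings.append((lineno, "body field " + match.group(1)))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, location in find_literal_secrets(SAMPLE):
        print(f"line {lineno}: literal credential in {location}")
```

Run as a pre-commit or CI step over the request files, it fails the commit on any finding, so tokens stay in untracked variable files rather than in history.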