From 4cb7ed55eff3d05f6c4ecdf48a35aca66844d4a5 Mon Sep 17 00:00:00 2001 From: Sean Sinclair Date: Thu, 12 Oct 2023 12:03:59 +0200 Subject: [PATCH 1/2] Added guidelines for Postman usage. --- docs/guidelines/index.md | 3 ++- docs/guidelines/postman.md | 20 ++++++++++++++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 docs/guidelines/postman.md diff --git a/docs/guidelines/index.md b/docs/guidelines/index.md index f79b6fb4..ac1f4aa3 100644 --- a/docs/guidelines/index.md +++ b/docs/guidelines/index.md @@ -8,4 +8,5 @@ title: Appsec guidelines This section contains guidelines relevant anyone writing code in Equinor. - [Snyk](/snyk) -- [Scanning for Secrets in code](secret-scanning) \ No newline at end of file +- [Scanning for Secrets in code](secret-scanning) +- [Postman](postman) \ No newline at end of file diff --git a/docs/guidelines/postman.md b/docs/guidelines/postman.md new file mode 100644 index 00000000..25ffff6d --- /dev/null +++ b/docs/guidelines/postman.md 
@@ -0,0 +1,20 @@ +# Guidelines on using Postman +## Lightweight API Client +- This is the default client before the user is logged in to Postman services. + - The lightweight API client only stores client save data locally. + - Our recommendation is to use the lightweight client unless you need features from the logged-in client. + +## Logged-in client +Logging in with a user account enables most of the features within Postman, this however comes with some security caveats. + +- When using workspaces, collections and environments you potentially expose data. + +**Best practices**: + +- Avoid storing sensitive data anywhere except in environments. +- Storing variable values **only** in the `Current value` field, will ensure that the data is never shared with Postman. +- You should also use environment variables with a secret type to store sensitive data and credentials, including API keys and access tokens. + +### Resources to read more on Postman: +- [Postman Security & Trust Portal](https://security.postman.com/) +- [Security | Postman Trust Center](https://www.postman.com/trust/security/) \ No newline at end of file From 30b024575efdb924cbed0a7600b6c46ade1bad3b Mon Sep 17 00:00:00 2001 From: Sean Sinclair Date: Thu, 12 Oct 2023 12:16:32 +0200 Subject: [PATCH 2/2] Linter revealed some suggested changes. --- docs/guidelines/postman.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/docs/guidelines/postman.md b/docs/guidelines/postman.md index 25ffff6d..bf83efaa 100644 --- a/docs/guidelines/postman.md +++ b/docs/guidelines/postman.md 
@@ -1,10 +1,13 @@ # Guidelines on using Postman + ## Lightweight API Client + - This is the default client before the user is logged in to Postman services. - - The lightweight API client only stores client save data locally. - - Our recommendation is to use the lightweight client unless you need features from the logged-in client. + - The lightweight API client only stores client save data locally. + - Our recommendation is to use the lightweight client unless you need features from the logged-in client. ## Logged-in client + Logging in with a user account enables most of the features within Postman, this however comes with some security caveats. - When using workspaces, collections and environments you potentially expose data. @@ -15,6 +18,7 @@ Logging in with a user account enables most of the features within Postman, this - Storing variable values **only** in the `Current value` field, will ensure that the data is never shared with Postman. - You should also use environment variables with a secret type to store sensitive data and credentials, including API keys and access tokens. -### Resources to read more on Postman: +### Resources to read more on Postman + - [Postman Security & Trust Portal](https://security.postman.com/) -- [Security | Postman Trust Center](https://www.postman.com/trust/security/) \ No newline at end of file +- [Security | Postman Trust Center](https://www.postman.com/trust/security/)
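Review bot: In the `docs/guidelines/index.md` hunk the new `- [Postman](postman)` entry mixes link styles with its neighbours: `/snyk` is an absolute path while `secret-scanning` and `postman` are relative, so one of the three will resolve differently depending on where the page is served from; pick one convention for the list. The hunk also leaves the file without a trailing newline (`\ No newline at end of file` on both sides), which the linter in the second patch fixed for `postman.md` but not here, and the unchanged context line "guidelines relevant anyone writing code" is missing "to" and could be fixed while this list is being touched.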
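Review bot: In the new-file hunk for `docs/guidelines/postman.md`, the line "Storing variable values **only** in the `Current value` field, will ensure that the data is never shared with Postman" tells the reader what to do but not what to avoid: it should name the `Initial value` field as the one that is synced to the account and workspace, and say explicitly to leave it empty or set it to a placeholder, otherwise a reader who fills both fields gets no protection from this rule. The following bullet should likewise say that the secret variable type only masks the value in the UI and does not change whether it is synced, so it complements the `Current value` rule rather than replacing it. Two wording fixes in the same hunk: "only stores client save data locally" reads as a typo (suggest "only stores saved data locally"), and "enables most of the features within Postman, this however comes with some security caveats" is a comma splice (suggest "enables most of the features within Postman; this, however, comes with some security caveats"). The bullet "you potentially expose data" should also say to whom (Postman's cloud sync and anyone with access to the workspace), since that is the whole reason for the section.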
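Review bot: In the `@@ -1,10 +1,13 @@` hunk of the second patch, the blank lines after headings and the re-indented nested bullets are the right linter fixes, but the comma splice in the unchanged context line "Logging in with a user account enables most of the features within Postman, this however comes with some security caveats." survives both commits; since this hunk already rewrites the surrounding lines, it is the natural place to correct it (for example "…within Postman; this, however, comes with…"). The nested structure also reads oddly: the two indented items under "This is the default client before the user is logged in" are not properties of that sentence but sibling statements about the lightweight client, so they should be promoted to the same level.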