Configure API Security rules in Postman

Configurable security rules are available on Postman Enterprise plans. If you don't have an Enterprise account, you'll be able to see the API Security page, but you won't be able to turn rules on or off or add new rules.

You can customize the API Security rules that Postman applies to your API definition and requests. Adhering to these API Security rules enables you to keep your API secure and consistent.


Configuring rules for API definitions

Postman applies security rules to your API definition and shows rule violations that might impact your definition's security posture. In addition to the rules turned on by default in Postman, you can create and apply your own custom rules.

To access the configuration page for API definitions, do the following:

  1. Go to the Postman home screen.
  2. Select API Security from the team information pane.
  3. Make sure that API Definitions is selected.

Turning configured rules on and off

Only Team Admins with a Developer role can turn configured API Security rules off and on.

Your team can turn individual security rules on or off to meet your development needs:

  • To turn a security rule on, select the toggle next to the rule name. You and your team members will see violations for this rule in your API's definition.
  • To turn a security rule off, select the toggle next to the rule name. You and your team members won't see violations for this rule in your API's definition.

Adding custom rules

Only Team Admins with a Developer role can create custom API Security rules.

You can create new custom security rules that Postman can use to evaluate your API's definition. Postman provides you with a boilerplate rule to help you start writing your custom security rules. You can also use snippets of commonly-used property-value pairs to help you write your custom security rules.

To add a custom rule, do the following:

  1. Go to the Postman home screen, and then select API Security from the team information pane.

  2. Select the API Definitions tab.

  3. Select Create New Rule.

  4. Define the rule in the editor. It must adhere to custom rule guidelines.

    You can use a curated list of commonly-used property-value pair snippets to write your rules. Snippets are available in the right pane of the editor. Selecting a snippet adds the property-value pair automatically to your rule, helping you get started quickly with writing rules. Once added to your rule, you can edit the snippets to meet your specific requirements.

    Postman will prompt you with suggestions as you enter text. Select one to autocomplete your rule.

  5. The rule must be valid YAML or JSON. Use the dropdown list to choose the correct syntax.

  6. Select Create.

  7. Find your new rule under Custom Rules and turn it on.

You can also select Upload file(s) to upload a new rule in valid YAML or JSON format.

You can't create a custom rule that duplicates an existing rule.
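The following is an added example, not code from Postman or this page: a small stand-in rule engine that applies JSON-defined security rules to an OpenAPI definition and reports the violations a reader would expect to see once a rule is turned on. The rule layout (`given` / `then` / `field` / `function`) follows the Spectral-style shape that Postman's custom rule guidelines are based on, but the engine itself, the two rule names, the sample definition and the `enabled` map that mimics the on/off toggle are all constructed here for illustration and are not Postman's validator or its real rule catalogue.

```python
"""Toy rule engine (added example, not Postman's implementation).

Applies JSON-defined, Spectral-style security rules to an OpenAPI
definition and returns violations. Rule names, the sample definition
and the `enabled` toggle map are constructed for illustration only.
"""
import json
import re

# Constructed sample definition with two deliberate problems:
# a plain-http server URL and an operation with no security requirement.
SAMPLE_DEFINITION = {
    "openapi": "3.0.3",
    "servers": [{"url": "http://api.example.test"}],
    "paths": {
        "/users": {
            "get": {"security": [{"bearerAuth": []}]},
            "post": {},  # missing "security"
        }
    },
}

# Constructed rules, written as the JSON a reader would paste into the rule editor.
RULESET_JSON = """
{
  "rules": {
    "servers-use-https": {
      "description": "Server URLs must use https",
      "severity": "error",
      "given": "$.servers[*]",
      "then": {"field": "url", "function": "pattern",
               "functionOptions": {"match": "^https://"}}
    },
    "operations-declare-security": {
      "description": "Every operation must declare a security requirement",
      "severity": "warn",
      "given": "$.paths.*.*",
      "then": {"field": "security", "function": "truthy"}
    }
  }
}
"""

# Rule functions: each takes the targeted value and the rule's functionOptions.
FUNCTIONS = {
    "truthy": lambda value, options: bool(value),
    "pattern": lambda value, options: isinstance(value, str)
    and re.search(options["match"], value) is not None,
}


def resolve(document, given):
    """Resolve a restricted JSONPath ('$', '.key', '.*', '[*]') to (path, value) pairs."""
    results = [("$", document)]
    for key, index_all in re.findall(r"\.([^.\[]+)|\[(\*)\]", given.lstrip("$")):
        next_results = []
        for path, node in results:
            if index_all and isinstance(node, list):
                next_results.extend((f"{path}[{i}]", v) for i, v in enumerate(node))
            elif key == "*" and isinstance(node, dict):
                next_results.extend((f"{path}.{k}", v) for k, v in node.items())
            elif key and isinstance(node, dict) and key in node:
                next_results.append((f"{path}.{key}", node[key]))
        results = next_results
    return results


def evaluate(document, ruleset, enabled=None):
    """Return one violation dict per failing target; `enabled` maps rule name -> bool
    (None means every rule is on), mimicking the per-rule toggle."""
    violations = []
    for name, rule in ruleset["rules"].items():
        if enabled is not None and not enabled.get(name, True):
            continue
        then = rule["then"]
        check = FUNCTIONS[then["function"]]
        options = then.get("functionOptions", {})
        field = then.get("field")
        for path, node in resolve(document, rule["given"]):
            target = (node.get(field) if isinstance(node, dict) else None) if field else node
            if not check(target, options):
                violations.append({
                    "rule": name,
                    "severity": rule["severity"],
                    "path": f"{path}.{field}" if field else path,
                    "message": rule["description"],
                })
    return violations


def run(document=SAMPLE_DEFINITION, enabled=None):
    """Evaluate the constructed ruleset against a definition."""
    return evaluate(document, json.loads(RULESET_JSON), enabled)


if __name__ == "__main__":
    for v in run():
        print(f"[{v['severity']}] {v['rule']} at {v['path']}: {v['message']}")
```

Running the block reports the http server URL and the unauthenticated `POST /users` operation; passing `enabled={"servers-use-https": False}` to `run` suppresses the first finding, which is the effect of turning that rule off for the team.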

Removing custom rules

Only Team Admins with a Developer role can delete a custom security rule.

To delete a custom rule, select the delete icon next to its name. If you delete a custom rule, you'll need to add it back into Postman using Create New Rule if you want to use it again.

Configuring rules for requests

Only Team Admins with a Developer role can turn configured API Security rules off and on.

Postman applies security rules configured for your API requests when you send requests to any API using either the Postman web app or the Postman desktop app.

To access the configuration page for requests, do the following:

  1. Go to the Postman home screen.
  2. Select API Security from the team information pane.
  3. Select Requests.

Turning configured rules on and off

Your team can turn individual security rules on or off to meet your development needs:

  • To turn a security rule on, select the toggle next to the rule name. You and your team members will see violations for this rule in your requests.
  • To turn a security rule off, select the toggle next to the rule name. You and your team members won't see violations for this rule in your requests.

Last modified: 2022/09/15
