In the Postman GUI you can view the HTTP headers sent and received, in the tab labelled "Headers".

When using curl the option -v, --verbose will make it print out the HTTP headers.

If the REST API call is unencrypted (using http) then it will be visible in a network capture. If it is encrypted (using https) then an SSLKEYLOGFILE is needed to decrypt it.

Curl does support SSLKEYLOGFILE, so capturing that traffic can be done the same way as for example a browser (in Wireshark via menu Tools / TLS Keylog Launcher).
There is one exception I know of: when using the Windows native version of curl, because it is compiled using the Schannel library (curl -V shows this), which does not support SSLKEYLOGFILE.

Also, often the SSLKEYLOGFILE feature can be used server side as well. For example, when the application is written in Java, one of the options is jSSLKeyLog.
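
When a capture still does not decrypt, it helps to check what the client actually wrote to the SSLKEYLOGFILE. The following is an added example, not part of the original answer: it goes beyond the answer by parsing the NSS key log text format (label, client random, secret) and reporting, per TLS session, whether the secrets for application data are present. The function name `summarize_keylog` and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Labels of the NSS key log format: CLIENT_RANDOM is used for TLS 1.2
# (48-byte master secret), the *_SECRET labels for TLS 1.3.
TLS12 = {"CLIENT_RANDOM"}
TLS13_APP = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
TLS13_OTHER = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
               "CLIENT_EARLY_TRAFFIC_SECRET", "EXPORTER_SECRET", "EARLY_EXPORTER_SECRET"}
KNOWN = TLS12 | TLS13_APP | TLS13_OTHER
LINE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

def summarize_keylog(text):
    """Return ({client_random: verdict}, [numbers of malformed lines])."""
    labels, bad = defaultdict(set), []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        m = LINE.match(line)
        if not m or m.group(1) not in KNOWN or len(m.group(3)) % 2:
            bad.append(n)
            continue
        if m.group(1) in TLS12 and len(m.group(3)) != 96:
            bad.append(n)                         # master secret must be 48 bytes
            continue
        labels[m.group(2).lower()].add(m.group(1))
    verdicts = {}
    for rnd, seen in labels.items():
        if seen & TLS12:
            verdicts[rnd] = "tls1.2: master secret present"
        elif TLS13_APP <= seen:
            verdicts[rnd] = "tls1.3: application secrets present (both directions)"
        else:
            verdicts[rnd] = "tls1.3: application secrets incomplete"
    return verdicts, bad

# Constructed sample, not real key material.
SAMPLE = "\n".join([
    "# constructed sample key log",
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "bb" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "dd" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "ee" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "33" * 32 + " " + "ff" * 32,
    "CLIENT_RANDOM " + "44" * 32 + " truncated",
])

if __name__ == "__main__":
    for item in summarize_keylog(SAMPLE)[0].items():
        print(*item)
```

The key log file holds session secrets in clear text, so restrict its permissions and delete it once the analysis is done.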