Postman: CORS in the desktop vs web client, pre-request scripts, and collection variables for OAuth tokens
Postman’s native app does not enforce browser CORS, so a request that succeeds there can still be blocked in a browser. Only document results that match real user agents.
postman, api-testing, cors
Monitors and runners
Scheduled monitors hit APIs from Postman cloud IPs. Treat them as server-to-server calls, not as browser CORS checks.
Collection runs in CI should assert CORS headers on the same paths browsers call.
Environments
Switching environments between dev and prod can leave stale Allow-Origin expectations in assertions.
Sync secrets to team workspaces carefully. CORS is enforced only by browsers, so a leaked token works from any script or non-browser client regardless of the API's Allow-Origin policy.
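A check for two of the points above (asserting CORS headers on the paths browsers call, and catching an Allow-Origin expectation left over from another environment), as an added example that is not from the original post. The helper names, the `expected_origin` environment variable and the sample headers are assumptions constructed for illustration.

```javascript
// Added example: corsFindings/getterFor are hypothetical helpers, not Postman built-ins.
// Returns the problems a browser would have with this response's CORS headers.
function corsFindings(getHeader, expectedOrigin, withCredentials) {
  const findings = [];
  const acao = getHeader('Access-Control-Allow-Origin');
  const acac = getHeader('Access-Control-Allow-Credentials');
  const vary = (getHeader('Vary') || '').toLowerCase().split(',').map(s => s.trim());

  if (!acao) {
    findings.push('missing Access-Control-Allow-Origin');
    return findings;
  }
  if (acao === '*') {
    // Browsers refuse a wildcard origin on credentialed requests.
    if (withCredentials || acac === 'true') {
      findings.push('wildcard origin used with credentials');
    }
  } else {
    if (acao !== expectedOrigin) {
      findings.push(`Allow-Origin is ${acao}, expected ${expectedOrigin}`);
    }
    // A per-origin value must be keyed in caches by the request's Origin header.
    if (!vary.includes('origin')) {
      findings.push('Vary does not include Origin');
    }
  }
  if (withCredentials && acac !== 'true') {
    findings.push('Access-Control-Allow-Credentials is not true');
  }
  return findings;
}

// Case-insensitive getter over a plain object, used for the constructed samples.
const getterFor = (headers) => (name) => {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key ? headers[key] : undefined;
};

// Constructed sample: a prod response checked against a stale dev expectation.
const prodResponse = { 'access-control-allow-origin': 'https://app.example.com', vary: 'Origin' };
const staleFindings = corsFindings(getterFor(prodResponse), 'http://localhost:3000', false);

// In a Postman test script `pm` exists; "expected_origin" is an assumed variable name.
if (typeof pm !== 'undefined') {
  const expected = pm.environment.get('expected_origin');
  pm.test(`CORS headers match ${expected}`, () => {
    pm.expect(corsFindings(n => pm.response.headers.get(n), expected, false)).to.eql([]);
  });
}
```

The request in the collection needs an explicit `Origin` header set to the same value, because many servers emit CORS headers only when one is present.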
