1 · Capturing a HAR file
A HAR (HTTP Archive) is a JSON file that records every HTTP request and response a browser made during a session — URLs, methods, headers, cookies, request bodies, and response bodies. It's the raw material for the Application and Custom Data Type you'll build.
The flow is: capture in the browser → import into Postman → analyze visually.
Why these tools
Capture: the browser's built-in DevTools
The best free way to capture is the Network panel in your browser's developer tools. It's already installed, it records the real traffic the browser sends (exact body encoding, auth headers and all), and it exports a standard HAR. A HAR recorded this way carries `"creator": { "name": "WebInspector" }` at the top of the file (that's Chrome DevTools). Works identically in Chrome, Edge, Brave; Firefox is equivalent.
Analyze: Postman (recommended)
Once you have the .har, import it into Postman as a collection. This turns the capture into
a browsable list of requests you can click through, with JSON/GraphQL bodies pretty-printed and
searchable — far easier to read than raw HAR text. You can also re-fire the one request you
care about to confirm you found the right one. This is the recommended analysis path and the
focus of the next chapter.
Postman doesn't capture browser traffic out of the box (it's a request client, not a proxy) — so capture in DevTools, then analyze in Postman.
Analyze: the browser DevTools (alternative)
You don't have to leave the browser. Chrome and Firefox DevTools can import a HAR back into the Network panel and let you inspect it exactly as if you'd just captured it. Handy when the HAR came from someone else or you don't have Postman open — it's the second option.
| Tool | Capture browser traffic | Read/parse | Replay a request | Best for |
|---|---|---|---|---|
| Postman | ❌ (client, not proxy) | ✅ visual | ✅ | Analyzing — import as a collection |
| Browser DevTools | ✅ | ✅ visual | re-send only | Capturing, and analyzing via Import HAR |
Avoid online HAR viewers
Public "HAR analyzer" websites are convenient, but a HAR is full of live session tokens and customer PII. Keep analysis local — Postman or your own browser's DevTools. See Sanitizing.
How to record a clean capture (Chrome / Edge)
- Open the site where the customer's action happens. Sign in as they would.
- Open DevTools: F12 (or right-click → Inspect) → Network tab.
- Turn on Preserve log (so navigations don't clear the capture) and confirm the recording dot is red.
- Click 🚫 Clear to start from an empty list — the most important step. A clean list makes finding the right request trivial.
- Perform the single action you want to protect, and only that action — e.g. click "Apply discount", submit the form, send the AI prompt. Fewer requests = easier analysis.
- Right-click anywhere in the request list → Save all as HAR with content.
- "with content" matters — it includes response bodies, which you need for any response-side policy.
Firefox is the same: DevTools → Network → gear/settings → Persist Logs → reproduce → right-click a request → Save All As HAR.
Filter while you record
The DevTools filter bar accepts method:POST, a hostname, or the Fetch/XHR toggle.
Filtering to Fetch/XHR alone removes images, fonts, and CSS — usually 90% of the noise —
because the API calls you care about are almost always XHR/fetch.
Import into Postman
- Postman → File → Import (or the Import button).
- Drag in the `.har`, or browse to it.
- Postman creates a collection named after the HAR, with one request per HAR entry, grouped and ready to click through.
From here, jump to Analyzing the HAR in Postman →.
What a good capture looks like
- It contains the target request (and its response, if response-side).
- It's small enough to scan — ideally a few dozen entries, not thousands.
- The target request's body is present (`request.postData.text` for sends, `response.content.text` for receives).
If you reproduced one action with a clean log, you're done. If the HAR has 800 entries, you probably forgot to Clear first or didn't filter to Fetch/XHR — recapture; it'll save you time downstream.
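The checks in this section can be scripted. The following is an added example, not code from the original page: it loads a HAR, applies the equivalent of the Fetch/XHR toggle, looks for the single target request, and reports whether its request and response bodies survived the export. The sample HAR is constructed inline, the `/apply-discount` URL fragment is an assumption, and `_resourceType` is the Chrome DevTools extension field (other exporters may omit it, so the code falls back to the response MIME type).

```python
"""Triage a DevTools HAR: is this a clean capture of one action?

Added example, not part of the original page. The sample HAR below is
constructed; the target URL fragment "/apply-discount" is an assumption.
"""
import json

# Constructed sample: a page load, an image, and the one API call we care about.
SAMPLE_HAR = json.dumps({
    "log": {
        "version": "1.2",
        "creator": {"name": "WebInspector", "version": "537.36"},
        "entries": [
            {
                "_resourceType": "document",
                "request": {"method": "GET", "url": "https://shop.example/cart", "headers": []},
                "response": {"status": 200, "content": {"mimeType": "text/html", "text": "<html>...</html>"}},
            },
            {
                "_resourceType": "image",
                "request": {"method": "GET", "url": "https://shop.example/logo.png", "headers": []},
                "response": {"status": 200, "content": {"mimeType": "image/png"}},
            },
            {
                "_resourceType": "xhr",
                "request": {
                    "method": "POST",
                    "url": "https://shop.example/api/apply-discount",
                    "headers": [{"name": "Content-Type", "value": "application/json"}],
                    "postData": {"mimeType": "application/json", "text": "{\"code\":\"SAVE10\"}"},
                },
                "response": {"status": 200, "content": {"mimeType": "application/json", "text": "{\"ok\":true}"}},
            },
        ],
    }
})

API_TYPES = {"xhr", "fetch"}


def load_entries(har_text):
    """A HAR is plain JSON: the entries live under log.entries."""
    return json.loads(har_text)["log"]["entries"]


def is_api_call(entry):
    """Equivalent of the Fetch/XHR toggle. Chrome writes _resourceType per entry;
    if it is absent (other exporters), fall back to the response MIME type."""
    rtype = entry.get("_resourceType")
    if rtype is not None:
        return rtype in API_TYPES
    mime = entry.get("response", {}).get("content", {}).get("mimeType", "")
    return mime.startswith("application/json") or mime.startswith("application/graphql")


def find_target(entries, url_fragment, method="POST"):
    """Same as typing method:POST plus a URL fragment into the filter bar."""
    return [e for e in entries
            if e["request"]["method"] == method and url_fragment in e["request"]["url"]]


def body_status(entry):
    """Did the request body (sends) and response body (receives) survive the export?
    An export without 'with content' leaves response.content.text out."""
    req_text = entry["request"].get("postData", {}).get("text")
    resp_text = entry["response"].get("content", {}).get("text")
    return {"request_body": req_text is not None, "response_body": resp_text is not None}


def triage(har_text, url_fragment, max_entries=100):
    """Summarise whether this HAR is a good capture for the given target request."""
    entries = load_entries(har_text)
    api = [e for e in entries if is_api_call(e)]
    targets = find_target(api, url_fragment)
    return {
        "total": len(entries),
        "api_calls": len(api),
        "too_big": len(entries) > max_entries,       # hundreds of entries: forgot to Clear?
        "target_found": len(targets) == 1,           # exactly one candidate is what you want
        "bodies": body_status(targets[0]) if targets else None,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_HAR, "/apply-discount"), indent=2))
```

Run it against your own export by replacing `SAMPLE_HAR` with the file contents; a result with `too_big` true or `target_found` false is the signal to recapture rather than dig through the noise.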
Sanitize before sharing
A HAR is as sensitive as a password file. It typically contains:
- Authorization / bearer tokens and API keys (headers)
- Session cookies (`Cookie` / `Set-Cookie`)
- Real customer PII in request and response bodies
Before attaching a HAR to a ticket, sending it to a customer, or committing it anywhere:
- Prefer the smallest possible capture — fewer requests = less to leak. Recording just the single target action is the easiest way to keep secrets out in the first place.
- Strip secrets if the HAR must leave your machine. A HAR is plain JSON, so you can open it in any text editor and find/replace the sensitive values — at minimum the `Authorization`, `Cookie`, and `Set-Cookie` header values, plus any PII in bodies you don't need.
- Use Chrome's redacted export if available: newer Chrome versions offer Save all as HAR (sanitized) in the Network panel, which strips cookies and auth headers automatically.
- Treat any saved captures as internal only — they are real recordings from production environments, kept for building policies, not for distribution.
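The manual find/replace described above is easy to get wrong (a token also appears in the structured `cookies` arrays, not just the header list). The following is an added example, not code from the original page, that scripts the redaction: it blanks `Authorization`, `Cookie` and `Set-Cookie` header values and every cookie value on both request and response, optionally drops bodies, and then checks that a list of known secrets no longer appears anywhere in the serialized file. The sample HAR, its token and cookie values, and the extra `X-API-Key` header name are constructed assumptions.

```python
"""Redact secrets from a HAR before it leaves your machine.

Added example, not part of the original page. Scripts the find/replace the
text describes. The sample HAR and every secret value in it are constructed;
treating X-API-Key as sensitive is an assumption beyond the page's list.
"""
import json

REDACTED = "[REDACTED]"
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}

# Constructed sample: one captured API call with auth header, cookies and PII in the body.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "creator": {"name": "WebInspector", "version": "537.36"},
        "entries": [{
            "request": {
                "method": "POST",
                "url": "https://shop.example/api/apply-discount",
                "headers": [
                    {"name": "Authorization", "value": "Bearer constructed.token.value"},
                    {"name": "Cookie", "value": "session=abc123"},
                    {"name": "Content-Type", "value": "application/json"},
                ],
                "cookies": [{"name": "session", "value": "abc123"}],
                "postData": {"mimeType": "application/json",
                             "text": "{\"code\":\"SAVE10\",\"email\":\"jane@example.com\"}"},
            },
            "response": {
                "status": 200,
                "headers": [{"name": "Set-Cookie", "value": "session=def456; HttpOnly"}],
                "cookies": [{"name": "session", "value": "def456"}],
                "content": {"mimeType": "application/json", "text": "{\"ok\":true}"},
            },
        }],
    }
}


def _redact_headers(headers):
    # Header names are case-insensitive; compare lowercased.
    for h in headers:
        if h.get("name", "").lower() in SENSITIVE_HEADERS:
            h["value"] = REDACTED


def _redact_cookies(cookies):
    # HAR duplicates cookies as structured objects next to the raw header; blank those too.
    for c in cookies:
        c["value"] = REDACTED


def sanitize_har(har, drop_bodies=False):
    """Return a redacted deep copy; the caller's dict is left untouched.
    drop_bodies=True also removes request.postData and response.content.text,
    which is the right call when the bodies hold PII you do not need."""
    har = json.loads(json.dumps(har))
    for entry in har["log"]["entries"]:
        for side in ("request", "response"):
            part = entry.get(side, {})
            _redact_headers(part.get("headers", []))
            _redact_cookies(part.get("cookies", []))
        if drop_bodies:
            entry.get("request", {}).pop("postData", None)
            entry.get("response", {}).get("content", {}).pop("text", None)
    return har


def leaked_secrets(har, secrets):
    """Final check before sharing: which of these known secret strings still
    appear anywhere in the serialized HAR (headers, cookies, bodies, URLs)?"""
    blob = json.dumps(har)
    return [s for s in secrets if s in blob]


if __name__ == "__main__":
    clean = sanitize_har(SAMPLE_HAR)
    print(leaked_secrets(clean, ["abc123", "def456", "constructed.token.value"]))
```

Note that `sanitize_har` only knows about headers and cookie arrays: a token echoed inside a JSON body or a URL query string is not touched, which is exactly what `leaked_secrets` is there to catch. Feed it the real values you saw in the capture and refuse to share the file until it returns an empty list.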