HTTP Archive (HAR)
Not all APIs have an OpenAPI, Postman, or Swagger specification available; sometimes the only specification is the code itself. It is still possible to test such an API by recording transactions with it as an HTTP Archive (.har file) and converting the recording into an OpenAPI specification. While this enables testing of APIs without specifications, there is a trade-off: a converted specification is less accurate than one generated from the code or maintained by hand, because it only describes the requests that were actually recorded.
HAR files may contain sensitive information
⚠️ HAR files contain everything that was sent between your client/browser and the target API. This may include Authorization headers, cookies, etc. It is not advisable to persist or convert a .har file unless it has been stripped of sensitive information beforehand.
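Before a recording is persisted or converted, the credentials the warning lists can be scrubbed out of it. The following script is an added example (it is not part of this page or of the mapi tool): it parses a constructed HAR 1.2 document, redacts Authorization/Cookie/Set-Cookie headers, every cookie value, and credential-like query parameters (both in the queryString array and inside the URL, since HAR stores them in both places), and reports how many values were redacted. The header and parameter name lists are assumptions; extend them for your own API.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [{  # constructed sample, not a real capture
    "request": {
        "url": "http://127.0.0.1:8080/api/v1/users?api_key=secret123&page=2",
        "headers": [{"name": "Authorization", "value": "Bearer eyJhbGciOi..."},
                    {"name": "Cookie", "value": "session=abc123"},
                    {"name": "Accept", "value": "application/json"}],
        "queryString": [{"name": "api_key", "value": "secret123"}, {"name": "page", "value": "2"}],
        "cookies": [{"name": "session", "value": "abc123"}],
    },
    "response": {
        "headers": [{"name": "Set-Cookie", "value": "session=def456; HttpOnly"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "session", "value": "def456"}],
    },
}]}})

# Header names and query parameters that commonly carry credentials (assumed list; extend for your API).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_PARAMS = {"api_key", "access_token", "token", "password"}
REDACTED = "REDACTED"

def _scrub_pairs(pairs, names=None):
    """Overwrite the value of each name/value pair whose name is in `names` (None = all); return the count."""
    hits = [p for p in pairs if names is None or p.get("name", "").lower() in names]
    for pair in hits:
        pair["value"] = REDACTED
    return len(hits)

def _scrub_url(url):
    """Redact sensitive query parameters inside the URL string (HAR duplicates them there)."""
    parts = urlsplit(url)
    query = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def sanitize_har(har_text):
    """Parse a HAR document and return (sanitized dict, number of values redacted)."""
    har = json.loads(har_text)
    redacted = 0
    for entry in har["log"]["entries"]:
        for part in (entry.get("request", {}), entry.get("response", {})):
            redacted += _scrub_pairs(part.get("headers", []), SENSITIVE_HEADERS)
            redacted += _scrub_pairs(part.get("cookies", []))  # every cookie value is treated as a secret
        request = entry.get("request", {})
        redacted += _scrub_pairs(request.get("queryString", []), SENSITIVE_PARAMS)
        if "url" in request:
            request["url"] = _scrub_url(request["url"])
    return har, redacted
```

Run `sanitize_har` over the text of your own .har file and write the returned dict back out with `json.dump` before passing it to `mapi convert`; request and response bodies are left untouched here, so review those separately if your API echoes tokens in payloads.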
Converting a .HAR to an OpenAPI 3 specification
Info: Requires mapi 2.6.16 or newer.
The mapi convert command is used to convert from other formats to an OpenAPI 3 specification. For example, the following command converts a recording, recording.har, into an OpenAPI spec, openapi.yaml:
mapi convert har recording.har --host "127.0.0.1:8080" --base-path "api/v1" --out openapi.yaml
Let's examine the arguments:
--host "127.0.0.1:8080"
    The conversion will attempt to infer the URL of your API from the recording. If the recording contains requests to multiple URLs, you can specify the --host option to restrict conversion to requests that are only from the specified host.
--base-path "api/v1"
    If your API has a common base path, this option will strip the common prefix from all request URLs. This can significantly improve the accuracy of the converted spec.
--out openapi.yaml
    This will overwrite any existing file, openapi.yaml, with the converted specification. Without this argument, the conversion will be printed to standard out in your terminal.
Info: See all available options with the mapi convert --help command.
Upon successful conversion you may inspect the converted file and make any modifications you feel are necessary or start a new run immediately.
Create a .HAR recording with your Browser
If you have a web frontend that interacts with your API, you can record an HTTP Archive by navigating your website and running through various use cases to build a recording of API interactions based on which features you access from the frontend.
Most modern browsers support recording your interactions and exporting a HAR file. See https://toolbox.googleapps.com/apps/har_analyzer/ for browser-specific details.
Create a .HAR recording with a proxy
A web frontend may not make sufficient requests to your API to generate a useful OpenAPI specification. You may have other tools such as a CLI, automated test suites, or a collection of manual curl invocations that can do this. In this case, you can use a proxy to record all of your traffic to produce a HAR file.
The following tools provide support for this capability:
Info: There are many other tools that can help you record your traffic to export as a HAR file. If you see any that should be included here, please let us know: support@forallsecure.com