Question

The scenario is that a browser makes a request to server1. server1 does an HTTPS redirect to server2 with some confidential information in an HTTP header. Can the browser view the contents of the redirect from server1, or would it be encrypted?


Solution

Can browser view the contents of redirect from server1 or would it be encrypted?

HTTPS provides transport-layer security between a browser and a server. The browser can indeed view anything in the response from either server.

You can test this for yourself. Just open the developer tools in your browser (in IE press F12), navigate to the tab that deals with network connections, and record the network conversation during such a redirect. You can inspect the response headers from the redirect.

If the two servers need to exchange confidential information (meaning the browser should not be able to discover the information), it is best if they talk to each other directly via a secure channel. You could consider adding the confidential data in encrypted form to the response (such that server2 can decrypt it), but any time you expose even the encrypted data to the client unnecessarily, you introduce another attack vector.
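The following Python script is an added illustration of the two points made in the answer; it is not code from the question or the answer. It serializes a 302 redirect the way server1 would emit it, parses it with the standard-library HTTP header parser to show that a client (and therefore the browser's developer tools) sees every header in the clear once TLS is stripped, and then contrasts that with a reference-only handoff in which the browser is given nothing but an opaque, single-use, short-lived identifier while the data itself stays on the server side. The secret value, the `server2.example` host, the `X-Handoff-Secret` header name and the in-memory `HandoffStore` standing in for the direct server-to-server channel are all constructed for this example.

```python
"""Redirect handoff: what the browser sees, and a reference-only alternative."""
import http.client
import io
import secrets
import time

# Constructed sample value standing in for "confidential information" (not from the question).
SECRET = "session-grant-for-alice"


def build_redirect(location, extra_headers):
    """Serialize a 302 response as server1 would emit it (what remains once TLS is removed)."""
    lines = ["HTTP/1.1 302 Found", f"Location: {location}"]
    lines += [f"{name}: {value}" for name, value in extra_headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def headers_seen_by_browser(raw_response):
    """Parse the response exactly as an HTTP client does.

    TLS protects bytes in transit only; the browser is an endpoint, so every
    header, including a 'confidential' one, is plaintext to it and its dev tools.
    """
    stream = io.BytesIO(raw_response)
    status_line = stream.readline().decode("ascii").strip()
    message = http.client.parse_headers(stream)
    return status_line, dict(message.items())


class HandoffStore:
    """Data exchanged between server1 and server2 over their own direct channel.

    Simulated here as in-memory state (an assumption of this example); in practice
    server2 would fetch the entry from server1 or a shared backend over a mutually
    authenticated connection that the browser never participates in.
    """

    def __init__(self, ttl_seconds=60):
        self.ttl_seconds = ttl_seconds
        self._entries = {}

    def put(self, secret, now=None):
        now = time.time() if now is None else now
        reference = secrets.token_urlsafe(32)  # opaque and unguessable; carries no data itself
        self._entries[reference] = (secret, now + self.ttl_seconds)
        return reference

    def take(self, reference, now=None):
        """Single-use lookup: the reference is consumed, and rejected if expired."""
        now = time.time() if now is None else now
        entry = self._entries.pop(reference, None)
        if entry is None:
            return None
        secret, expires_at = entry
        return secret if now <= expires_at else None


def leaky_redirect():
    """Pattern from the question: the secret rides along in a response header."""
    raw = build_redirect("https://server2.example/landing", {"X-Handoff-Secret": SECRET})
    return headers_seen_by_browser(raw)


def reference_redirect(store):
    """Alternative: the browser only ever sees an opaque reference; the secret stays server-side."""
    reference = store.put(SECRET)
    raw = build_redirect(f"https://server2.example/landing?ref={reference}", {})
    return reference, headers_seen_by_browser(raw)


if __name__ == "__main__":
    status, seen = leaky_redirect()
    print(status, seen)  # the secret is right there in X-Handoff-Secret
    store = HandoffStore()
    ref, (status, seen) = reference_redirect(store)
    print(status, seen)  # only the reference is visible to the client
    print("server2 retrieves:", store.take(ref))
    print("second use:", store.take(ref))  # None: already consumed
```

The reference is deliberately random rather than encrypted data: an encrypted blob still hands the client ciphertext to keep and replay, whereas a consumed, expiring reference is worthless once server2 has redeemed it, which is the "another attack vector" point in the answer made concrete.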

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow