Question

I'm developing a client/server app that will communicate via rest. Some custom request data will be stored in the header of the request. Both the server sending the request and the receiving server have an SSL certificate - will the headers be encrypted, or just the content?


Solution

SSL encrypts the entire communications path from the client to the server and back, so yes - the headers will be encrypted.

By the way, if you develop networked applications and care about data security, the least you should do is read a book like Practical Cryptography, by Niels Ferguson and Bruce Schneier, and probably further reading that's more focused on web application security would be a good idea. If I may make an observation - and please, I don't mean that as a personal criticism - your question indicates a fundamental lack of understanding of very basic web security technologies, and that's never a good sign.

Also, it's never a bad idea to confirm that data which is assumed to be encrypted is indeed encrypted. You can use a network analyzer to monitor traffic on the wire and watch out for anything sensitive being sent in the clear. I've used Wireshark to do this before - the results can be surprising, sometimes.

OTHER TIPS

As long as you're communicating in the SSL tunnel, everything sent between the server and the client will be encrypted. The encryption is done before any data is sent or received.

Both headers and content are encrypted.

You appear to think that REST is a distinct protocol.

REST is not a protocol. It is a design style for HTTP-based applications.

So, you're writing an HTTP application. Are the headers encrypted? Yes, if you are using the HTTPS (HTTP over SSL) protocol instead of plain HTTP.

Having certificates on both sides is not directly relevant to your question. SSL certificates are used for authentication. They help in detecting man-in-the-middle attacks such as are possible using DNS cache poisoning.

Having a certificate is not enough; you have to configure the web server to encrypt the connections (that is, to use the certificate) for that domain or virtual host. In addition, I think you would just need a single certificate; responses to requests will still be encrypted.

And yes, HTTP headers are encrypted as well as the data.

SSL, or rather HTTPS (HTTP over SSL), sends all HTTP content over SSL, and as HTTP content and headers are in fact the same thing, this means the headers are encrypted as well. Seeing as GET and POST data is sent via HTTP headers, it only makes sense that when sending data securely you wouldn't just want the response code or content to be encrypted.

The other answers are correct that headers are indeed encrypted, along with the body, when using SSL. But keep in mind that the URL, which can include query parameters, is never encrypted. So be careful to never put any sensitive information in URL query parameters.

Update: as @blowdart pointed out below, this is wrong. See the comment below.

Not everything is encrypted: the request query string is not encrypted. Believe me, I've seen requests like this:

https://mydomain.com/authenticate?user=username&password=MyStrongPasswordSentInTheClear

Please don't put sensitive data as parameters in the query string.
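The following is an added example, not code from any of the answers above. It serialises an HTTP/1.1 request the way a client hands it to the TLS layer and separates what a passive observer on the wire can see (the SNI hostname from the ClientHello, the port, the ciphertext size) from what rides inside the encrypted record (request line with path and query string, headers, body). The URL and header values are constructed samples.

```python
"""Which parts of an HTTPS request are visible on the wire.

Added example (not from the original answers). Everything returned under
"encrypted" is serialised into the same TLS record as the headers, which
is why the query string is not visible to a network sniffer even though
it still lands in server logs and Referer headers.
"""
from urllib.parse import urlsplit


def build_request_bytes(url: str, headers: dict, body: bytes = b"") -> bytes:
    """Serialise the request exactly as it enters the TLS record.

    The request line carries the path AND the query string, so both are
    encrypted together with the headers and the body.
    """
    u = urlsplit(url)
    target = u.path or "/"
    if u.query:
        target += "?" + u.query
    method = "POST" if body else "GET"
    lines = [f"{method} {target} HTTP/1.1", f"Host: {u.netloc}"]
    lines += [f"{k}: {v}" for k, v in headers.items()]
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def observer_view(url: str, headers: dict, body: bytes = b"") -> dict:
    """What a passive on-path observer learns from one HTTPS request."""
    u = urlsplit(url)
    record = build_request_bytes(url, headers, body)
    return {
        # Sent in the clear: TCP/IP addressing and the TLS ClientHello SNI.
        "sni_hostname": u.hostname,
        "port": u.port or 443,
        "ciphertext_length": len(record),  # size leaks, content does not
        # Inside the TLS record: none of this is readable on the wire.
        "encrypted": {
            "path": u.path,
            "query": u.query,
            "headers": sorted(headers),
            "body": body,
        },
    }


if __name__ == "__main__":
    # Constructed sample URL, modelled on the one quoted in the last answer.
    sample = "https://mydomain.com/authenticate?user=alice&password=hunter2"
    view = observer_view(sample, {"X-Request-Id": "abc123"})
    print("visible:", view["sni_hostname"], view["port"], view["ciphertext_length"])
    print("encrypted:", view["encrypted"])
```

Wireshark on a capture of such a request shows only the SNI hostname and TLS record sizes; the query string and custom headers appear only after decryption, yet the advice not to put secrets in the URL still holds because URLs end up in access logs, browser history and Referer headers.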

Licensed under: CC-BY-SA with attribution