Are REST request headers encrypted by SSL?
SSL encrypts the entire communications path from the client to the server and back, so yes - the headers will be encrypted.
By the way, if you develop networked applications and care about data security, the least you should do is read a book like Practical Cryptography, by Niels Ferguson and Bruce Schneier, and probably further reading that's more focused on web application security would be a good idea. If I may make an observation - and please, I don't mean that as a personal criticism - your question indicates a fundamental lack of understanding of very basic web security technologies, and that's never a good sign.
Also, it's never a bad idea to confirm that data which is assumed to be encrypted is indeed encrypted. You can use a network analyzer to monitor traffic on the wire and watch out for anything sensitive being sent in the clear. I've used Wireshark to do this before - the results can be surprising, sometimes.
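The check described in the answer above, sketched as an added example that is not part of the original answers: given TCP payload bytes exported from a capture, it tells TLS records apart from plaintext HTTP and lists what is readable in the clear. The header list and both sample payloads are constructed for illustration.

```python
import re

# Assumed list of header names that should never be readable on the wire.
SENSITIVE = {b"authorization", b"proxy-authorization", b"cookie", b"set-cookie", b"x-api-key"}
TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HTTP_START = re.compile(rb"^(?:[A-Z]+ \S+ HTTP/1\.[01]|HTTP/1\.[01] \d{3})")

def tls_records(payload):
    """Return the types of the TLS records in payload, or [] if it is not TLS framing."""
    types, pos = [], 0
    while pos + 5 <= len(payload):
        ctype, major = payload[pos], payload[pos + 1]
        length = int.from_bytes(payload[pos + 3:pos + 5], "big")
        # Record header: 1-byte type, 2-byte version (major is 3), 2-byte length.
        if ctype not in TLS_TYPES or major != 3 or length > 2**14 + 2048:
            return []
        types.append(TLS_TYPES[ctype])
        pos += 5 + length
    return types

def cleartext_findings(payload):
    """List what an on-path observer can read from a plaintext HTTP message."""
    if tls_records(payload) or not HTTP_START.match(payload):
        return []
    head = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    findings = []
    if b"?" in head[0]:
        findings.append("query string in request line")
    for line in head[1:]:
        name = line.split(b":", 1)[0].strip().lower()
        if name in SENSITIVE:
            findings.append("header " + name.decode())
    return findings

# Constructed samples: a plaintext request, and a TLS 1.2 application_data
# record whose 40 body bytes stand in for ciphertext.
PLAIN_SAMPLE = (b"GET /orders?token=abc123 HTTP/1.1\r\nHost: api.example.test\r\n"
                b"Authorization: Bearer constructed-token\r\nAccept: application/json\r\n\r\n")
TLS_SAMPLE = b"\x17\x03\x03" + (40).to_bytes(2, "big") + bytes(range(40))

if __name__ == "__main__":
    for label, sample in (("http", PLAIN_SAMPLE), ("https", TLS_SAMPLE)):
        print(label, tls_records(sample), cleartext_findings(sample))
```
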
As long as you're communicating in the SSL tunnel, everything sent between the server and the client will be encrypted. The encryption is done before any data is sent or received.
Both headers and content are encrypted.
You appear to think that REST is a distinct protocol.
REST is not a protocol. It is a design style for HTTP-based applications.
So, you're writing an HTTP application. Are the headers encrypted? Yes, if you are using the HTTPS (HTTP over SSL) protocol instead of plain HTTP.
Having certificates on both sides is not directly relevant to your question. SSL certificates are used for authentication. They help in detecting man-in-the-middle attacks such as are possible using DNS cache poisoning.
Having a certificate is not enough, you have to configure the web server to encrypt the connections (that is, to use the certificate) for that domain or virtual host. In addition, I think you would just need a single certificate, responses to requests will still be encrypted.
And yes, HTTP headers are encrypted as well as the data.
The other answers are correct that headers are indeed encrypted, along with the body, when using SSL. But keep in mind that the URL, which can include query parameters, is never encrypted. So be careful to never put any sensitive information in URL query parameters.
Update: as @blowdart pointed out below, this is wrong. See the comment below.
SSL, or rather HTTPS (HTTP over SSL), sends all HTTP content over SSL, and as HTTP content and headers are in fact the same thing, this means the headers are encrypted as well. Seeing as GET and POST data is sent via HTTP headers, it only makes sense that when sending data securely you wouldn't just want the response code or content to be encrypted.