Are REST request headers encrypted by SSL?

Accepted answer
Score: 64

SSL encrypts the entire communications path from the client to the server and back, so yes - the headers will be encrypted.

By the way, if you develop networked applications and care about data security, the least you should do is read a book like Practical Cryptography, by Niels Ferguson and Bruce Schneier, and probably further reading that's more focused on web application security would be a good idea. If I may make an observation - and please, I don't mean that as a personal criticism - your question indicates a fundamental lack of understanding of very basic web security technologies, and that's never a good sign.

Also, it's never a bad idea to confirm that data which is assumed to be encrypted is indeed encrypted. You can use a network analyzer to monitor traffic on the wire and watch out for anything sensitive being sent in the clear. I've used Wireshark to do this before - the results can be surprising, sometimes.
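As an added illustration of the on-the-wire check suggested in the answer above (example code added here, not part of any answer on this page): the sketch below classifies a raw TCP payload exported from a capture as cleartext HTTP or TLS record framing and lists sensitive header names readable in the clear. The function names, the header list and both sample payloads are assumptions constructed for this example.

```python
import re
import struct

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2**14 + 2048  # upper bound for a TLS 1.2 ciphertext record
HTTP_START = re.compile(rb"^(?:[A-Z]+ \S+ HTTP/1\.[01]|HTTP/1\.[01] \d{3})")
# Assumed list of header names worth flagging; extend for your application.
SENSITIVE = re.compile(rb"^(authorization|cookie|set-cookie|x-api-key):", re.I | re.M)


def tls_records(payload):
    """Walk TLS record headers; return record type names, or [] if not TLS framing."""
    names, pos = [], 0
    while pos + 5 <= len(payload):
        ctype, major, minor, length = struct.unpack_from("!BBBH", payload, pos)
        if (ctype not in TLS_CONTENT_TYPES or major != 3 or minor > 4
                or length > MAX_RECORD_LEN):
            return []
        names.append(TLS_CONTENT_TYPES[ctype])
        pos += 5 + length  # a capture may cut the last record short; that is fine
    return names


def audit_payload(payload):
    """Classify one captured TCP payload and list sensitive headers readable in it."""
    if HTTP_START.match(payload):
        head = payload.split(b"\r\n\r\n", 1)[0]  # header block only, not the body
        leaked = sorted({m.group(1).decode().lower()
                         for m in SENSITIVE.finditer(head)})
        return {"kind": "cleartext-http", "leaked_headers": leaked}
    records = tls_records(payload)
    if records:
        return {"kind": "tls", "records": records, "leaked_headers": []}
    return {"kind": "unknown", "leaked_headers": []}


# Constructed sample: a request sent over plain HTTP, header readable on the wire.
PLAIN = (b"GET /api/orders HTTP/1.1\r\nHost: api.example.test\r\n"
         b"Authorization: Bearer constructed-token\r\n\r\n")
# Constructed sample: TLS framing only (a handshake record, then an
# application_data record with opaque stand-in bytes), not a real session.
TLS = (b"\x16\x03\x01\x00\x04" + b"\x01\x00\x00\x00"
       + b"\x17\x03\x03\x00\x08" + bytes(range(0xA0, 0xA8)))

if __name__ == "__main__":
    for label, data in (("plain", PLAIN), ("tls", TLS)):
        print(label, audit_payload(data))
```
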

Score: 6

As long as you're communicating in the SSL tunnel, everything sent between the server and the client will be encrypted. The encryption is done before any data is sent or received.

Score: 5

Both headers and content are encrypted.

Score: 3

You appear to think that REST is a distinct protocol.

REST is not a protocol. It is a design style for HTTP-based applications.

So, you are writing an HTTP application. Are the headers encrypted? Yes, if you are using the HTTPS (HTTP over SSL) protocol instead of plain HTTP.

Having certificates on both sides is not directly relevant to your question. SSL certificates are used for authentication. They help in detecting man-in-the-middle attacks such as are possible using DNS cache poisoning.

Score: 2

Having a certificate is not enough, you have to configure the web server to encrypt the connections (that is, to use the certificate) for that domain or virtual host. In addition, I think you would just need a single certificate, responses to requests will still be encrypted.

And yes, HTTP headers are encrypted as well as the data.

Score: 1

The other answers are correct that headers are indeed encrypted, along with the body, when using SSL. But keep in mind that the URL, which can include query parameters, is never encrypted. So be careful to never put any sensitive information in URL query parameters.

Update: as @blowdart pointed out below, this is wrong. See the comment below.

Score: 0

SSL... or rather HTTPS (HTTP over SSL) sends all HTTP content over SSL, and as HTTP content and headers are in fact the same thing, this means the headers are encrypted as well. Seeing as GET and POST data is sent via HTTP headers, it only makes sense that when sending data securely you wouldn't just want the response code or content to be encrypted.
