Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Are REST request headers encrypted by SSL?

Tags:

rest

http

ssl

web-services

I'm developing a client/server app that will communicate via rest. Some custom request data will be stored in the header of the request. Both the server sending the request and the receiving server have an SSL certificate - will the headers be encrypted, or just the content?

like image 792
Adam Hopkinson Avatar asked Sep 16 '08 15:09

Adam Hopkinson

People also ask

Are REST requests encrypted?

REST APIs use HTTP and support Transport Layer Security (TLS) encryption. TLS is a standard that keeps an internet connection private and checks that the data sent between two systems (a server and a server, or a server and a client) is encrypted and unmodified.

Is GET request encrypted with SSL?

The GET request is encrypted when using HTTPS - in fact this is why secured websites need to have a unique IP address - there's no way to get the intended hostname (or virtual directory) from the request until after it's been decrypted.

Does HTTPS encrypt data at rest?

HTTPS enables website encryption by running HTTP over the Transport Layer Security (TLS) protocol. Even though the SSL protocol was replaced 20 years ago by TLS, these certificates are still often referred to as SSL certificates.

Are TCP headers encrypted?

The TCP header and payload are encrypted by TLS. Because encryption is performed in the protocol on one end system and decryption in the protocol of the other end system, the packet payload remains encrypted along the entire path.

2 Answers

SSL encrypts the entire communications path from the client to the server and back, so yes - the headers will be encrypted.

By the way, if you develop networked applications and care about data security, the least you should do is read a book like Practical Cryptography, by Niels Ferguson and Bruce Schneier, and probably further reading that's more focused on web application security would be a good idea. If I may make an observation - and please, I don't mean that as a personal criticism - your question indicates a fundamental lack of understanding of very basic web security technologies, and that's never a good sign.

Also, it's never a bad idea to confirm that data which is assumed to be encrypted is indeed encrypted. You can use a network analyzer to monitor traffic on the wire and watch out for anything sensitive being sent in the clear. I've used Wireshark to do this before - the results can be surprising, sometimes.

like image 94
Ori Pessach Avatar answered Oct 01 '22 22:10

Ori Pessach

As long as you're communicating in the SSL tunnel, everything sent between the server and the client will be encrypted. The encryption is done before any data is sent or received.

like image 35
zigdon Avatar answered Oct 01 '22 21:10

zigdon
Sign in to Comment

Related questions

JAXB Exception: Class not known to this context
Failed to add a service. Service metadata may not be accessible. Make sure your service is running and exposing metadata.`
Web Service vs Web Application
Problem generating Java SOAP web services client with JDK tool wsimport from a WSDL generated by a .NET 2.0 application
What are RESTful web services? [duplicate]
OAuth 2: separating resource server and authorization server
What do I need to create a RESTful API Server in Java?
Restful web service authentication
Difference between WSDL 2.0, WADL & XRD?
Unable to find required classes (javax.activation.DataHandler and javax.mail.internet.MimeMultipart). Attachment support is disabled
How to read HTTP request headers in a WCF web service?
PKIX path building failed: unable to find valid certification path to requested target
Cannot access local Sinatra server from another computer on same network
SOAP request to WebService with java
What's the simplest way to make a HTTP GET request in Perl?
What are the other heroku environment variables?
Authentication for REST web services
Does ESPN Cricinfo have an API? [closed]
Tool to monitor HTTP, TCP, etc. Web Service traffic [closed]
What does "x-powered by" mean?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!