Authorization header is not encrypted over HTTPS

I am currently consuming a REST API which uses HTTP Basic Authentication.

Based on the below picture, isn't the Authorization header supposed to be encrypted once I am using an Angular app over an HTTPS connection?

asked Jun 20 '18 08:06

Seloka



1 Answer

With HTTPS, the HTTP requests/responses are sent over an SSL/TLS connection. It ensures that the entire message (including the headers) is encrypted when it is sent over the wire. If anyone intercepts the message, they won't be able to read the actual content.

However, the headers are still visible to both client and server. That's why Chrome DevTools and other debugging tools will show the values as plain text.

answered Oct 26 '22 07:10

cassiomolin
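
The point made in the answer above, as an added example that is not part of the original post: a Basic `Authorization` value is only base64-encoded (RFC 7617), so the client, the server and DevTools can all decode it, and confidentiality on the wire comes solely from TLS. The function names, URL and credentials below are constructed for illustration.

```javascript
// Added example: HTTP Basic credentials are base64-encoded, not encrypted.
// All names and sample values here are constructed for illustration.

const utf8ToBase64 = (s) =>
  btoa(String.fromCharCode(...new TextEncoder().encode(s)));

const base64ToUtf8 = (b64) =>
  new TextDecoder("utf-8", { fatal: true }).decode(
    Uint8Array.from(atob(b64), (c) => c.charCodeAt(0))
  );

// Build the header only for https: URLs, so the credentials never leave
// the client without TLS protecting them in transit.
function basicAuthHeader(url, username, password) {
  if (new URL(url).protocol !== "https:") {
    throw new Error("refusing to send Basic credentials over " + url);
  }
  if (username.includes(":")) {
    throw new Error("username must not contain ':'");
  }
  return "Basic " + utf8ToBase64(`${username}:${password}`);
}

// Decode a header value the way the server (or anyone reading DevTools) can.
// Returns null for anything that is not well-formed Basic auth.
function parseBasicAuth(headerValue) {
  const m = /^Basic +([A-Za-z0-9+/]+={0,2})$/i.exec(headerValue.trim());
  if (!m) return null;
  let decoded;
  try {
    decoded = base64ToUtf8(m[1]);
  } catch {
    return null; // invalid base64 or invalid UTF-8
  }
  const sep = decoded.indexOf(":"); // the password may itself contain ':'
  if (sep === -1) return null;
  return { username: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Constructed sample: the value DevTools would display, and what it decodes to.
const header = basicAuthHeader("https://api.example.test/v1/items", "alice", "s3cr:et");
console.log(header);
console.log(parseBasicAuth(header));
```

Because the decoded value is readable at both endpoints, treat request logs, HAR exports and DevTools screenshots that contain this header as containing the password itself.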