I am currently consuming a REST API which uses HTTP Basic Authentication.
Based on the below picture, isn't the Authorization header supposed to be encrypted once I am using an Angular app over an HTTPS connection?
HTTPS encrypts all message contents, including the HTTP headers and the request/response data.
The Authorization header has the format Authorization: Basic encodedString, where encodedString is the result of Base64-encoding the OAuth client's values as clientId:clientSecret.
What information does HTTPS not protect? While HTTPS encrypts the entire HTTP request and response, the DNS resolution and connection setup can reveal other information, such as the full domain or subdomain and the originating IP address, as shown above.
The IP header is kept on top of the ESP packet, and much of the header information remains the same, including the source and destination addresses. ESP encrypts and optionally authenticates the packet, which provides confidentiality and can be used to verify the packet's integrity as well.
With HTTPS, the HTTP requests/responses are sent over an SSL/TLS connection. It ensures that the entire message (including the headers) is encrypted when it is sent over the wire. If anyone intercepts the message, they won't be able to read the actual content.
However, the headers are still visible to both client and server. That's why Chrome DevTools and other debugging tools will show the values as plain text.
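The following is an added example, not code from the original page: it shows that the Basic value is Base64-encoded rather than encrypted, so the only confidentiality comes from TLS, and it sketches two client-side safeguards. The helper names and the sample credentials are assumptions made for illustration, and it uses Node.js's Buffer for the Base64 step.

```javascript
// Added example (not from the original page). Helper names and sample
// credentials are constructed for illustration. Runs under Node.js.

// Build the value as the page describes: "Basic " + base64(clientId:clientSecret).
function buildBasicHeader(clientId, clientSecret) {
  if (clientId.includes(":")) {
    // RFC 7617: a colon in the user-id would make parsing ambiguous.
    throw new Error("clientId must not contain ':'");
  }
  const raw = Buffer.from(`${clientId}:${clientSecret}`, "utf8");
  return `Basic ${raw.toString("base64")}`;
}

// Reverse the encoding. No key is involved: whatever sees the header once TLS
// has been terminated (DevTools, the server, proxy or application logs) can
// recover the secret this way.
function parseBasicHeader(headerValue) {
  const m = /^Basic +([A-Za-z0-9+/]+={0,2})$/i.exec(headerValue.trim());
  if (!m) return null; // not a Basic credential, or malformed
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const sep = decoded.indexOf(":"); // split on the FIRST colon only
  if (sep < 0) return null;
  return { clientId: decoded.slice(0, sep), clientSecret: decoded.slice(sep + 1) };
}

// Guard for an HTTP client: attach the credential only when the URL is https.
function authHeadersFor(url, clientId, clientSecret) {
  const { protocol } = new URL(url);
  if (protocol !== "https:") {
    throw new Error(`refusing to send Basic credentials over ${protocol}`);
  }
  return { Authorization: buildBasicHeader(clientId, clientSecret) };
}

// Mask the credential before headers are written to a log.
function redactForLog(headers) {
  const out = { ...headers };
  if (out.Authorization) {
    out.Authorization = out.Authorization.replace(/\s.+$/, " [redacted]");
  }
  return out;
}
```
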