Is everything encrypted when I use curl -X Post with https?

Question

I'm starting to use the bitbucket API with OAuth and use curl to interact with the API. Most of my calls look like

curl -X POST -v  -H "Authorization: Bearer 1U(...)42eQ==" -H "Content-Type: application/json" https://api.bitbucket.org/2.0/repositories/UserFoo/test_create -d '{"scm": "git", "is_private": "true", "fork_policy": "no_public_forks" }

or

curl -X POST -v  -u "UserFoo:TopSecret" https://api.bitbucket.org/2.0/repositories/UserFoo

As I use POST and https I assume that it's secure if I also send my password in the second command. But I just started with curl so I'd be happy if someone with more experience could confirm that.

Answer 1

Yes, as long as you use HTTPS, the connection and the data transferred is encrypted.

Of course, while the communication between you and the server is encrypted, if you are seriously concerned about security, you need to make sure your authentication data is not exposed anywhere on your side (e.g. in the source code).

Moreover, you should prefer the Oauth bearer token over the username/password, as Oauth token are generally designed to have a more restricted access to the account (compared to username/password) and can easily be revoked without affecting other tokens.