By Dan Herbert

2008-10-09 15:00:35 8 Comments

When sending data over HTTPS, I know the content is encrypted, however I hear mixed answers about whether the headers are encrypted, or how much of the header is encrypted.

How much of HTTPS headers are encrypted?

Including GET/POST request URLs, Cookies, etc.


@Andrew Jay 2015-07-22 13:48:57

New answer to old question, sorry. I thought I'd add my $.02

The OP asked if the headers were encrypted.

They are: in transit.

They are NOT: when not in transit.

So, your browser's URL (and title, in some cases) can display the querystring (which usually contain the most sensitive details) and some details in the header; the browser knows some header information (content type, unicode, etc); and browser history, password management, favorites/bookmarks, and cached pages will all contain the querystring. Server logs on the remote end can also contain querystring as well as some content details.

Also, the URL isn't always secure: the domain, protocol, and port are visible - otherwise routers don't know where to send your requests.

Also, if you've got an HTTP proxy, the proxy server knows the address; usually it doesn't know the full querystring.

So if the data is moving, it's generally protected. If it's not in transit, it's not encrypted.

Not to nit pick, but data at the end is also decrypted, and can be parsed, read, saved, forwarded, or discarded at will. And, malware at either end can take snapshots of data entering (or exiting) the SSL protocol - such as (bad) Javascript inside a page inside HTTPS which can surreptitiously make http (or https) calls to logging websites (since access to local harddrive is often restricted and not useful).

Also, cookies are not encrypted under the HTTPS protocol, either. Developers wanting to store sensitive data in cookies (or anywhere else for that matter) need to use their own encryption mechanism.

As to cache, most modern browsers won't cache HTTPS pages, but that fact is not defined by the HTTPS protocol, it is entirely dependent on the developer of a browser to be sure not to cache pages received through HTTPS.

So if you're worried about packet sniffing, you're probably okay. But if you're worried about malware or someone poking through your history, bookmarks, cookies, or cache, you are not out of the water yet.

@Melvyn 2016-12-22 16:45:16

I know the good answers are on top, but this once again inserts faulty information. The domain is not visible unless SNI is used. Protocols other than IP and TCP are not visible. You cannot tell if I'm using HTTP 1.1, SPDY or HTTP2. What is visible on the two endpoints is irrelevant, as the goal of encryption is not to make things invisible but to make things only visible to trusted parties. So the endpoints are implied in the question and about 2/3 of your answer can be removed. The proxy information should be: if you use an HTTPS proxy, then it does have access to everything.

@DylanYoung 2017-11-30 17:14:46

Your link says specifically that cookies are encrypted: "The visitor’s connection is encrypted, obscuring URLs, cookies, and other sensitive metadata."

@Andrew Jay 2017-12-01 15:44:25

Yes, that is correct. Cookies are encrypted while in transit, but once they reach the browser, they are not encrypted by the SSL protocol. It is possible for a developer to encrypt the cookie data, but that is out of scope for SSL.

@curiousguy 2018-07-18 14:33:51

@DylanYoung SSL = secure socket layer; TLS = transport layer security. Encryption is at the socket (connection) level, or, to put it another way, at the transport level, not while stored in the browser's per-domain database.

@curiousguy 2018-07-18 14:43:17

@Wigwam Security-sensitive HTTP cookies are almost always opaque references (usually it's a cryptographically strong random number) to a record in the server database of authenticated sessions. As such, encrypting this meaningless identifier would mostly bring additional complexity.

@DylanYoung 2018-07-19 14:59:56

curiousguy: yes, I know. The answer says they are not encrypted by HTTPS (which implies SSL). They are. They aren't encrypted in the browser. Nor are the headers or any content (or if they are, they are trivially decrypted).
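The thread above settles on the same conclusion from two directions: the cookie is protected only in transit, so a developer should not put anything sensitive in it, and in practice a session cookie is just an opaque random reference to server-side state. The following is an added example (not code from the thread or from any of the posters) of that pattern: a tiny server-side session store keyed by a hash of a random token, with the Set-Cookie attributes that keep the token off plain-HTTP connections and away from page scripts. The in-memory store, the `sid` cookie name and the one-hour TTL are assumptions made for the example.

```python
import hashlib
import secrets
import time

# Added example (not from the thread): keep sensitive state on the server and
# hand the browser only an opaque random reference. Nothing in the cookie needs
# encrypting because nothing in it means anything outside the server's store.

SESSION_TTL = 3600
_sessions = {}   # constructed in-memory store: sha256(token) -> {"user_id", "expires"}


def _key(token):
    # Store a hash of the token, not the token itself: a leaked copy of the
    # store cannot be replayed as cookies.
    return hashlib.sha256(token.encode()).hexdigest()


def create_session(user_id, now=None):
    """Return (Set-Cookie header value, raw token). The cookie carries no user data at all."""
    token = secrets.token_urlsafe(32)                      # 256 bits from the OS CSPRNG
    now = time.time() if now is None else now
    _sessions[_key(token)] = {"user_id": user_id, "expires": now + SESSION_TTL}
    # Secure: never sent over plain HTTP. HttpOnly: hidden from page scripts.
    # SameSite=Lax: not attached to most cross-site requests.
    cookie = (f"sid={token}; Path=/; Max-Age={SESSION_TTL}; "
              "Secure; HttpOnly; SameSite=Lax")
    return cookie, token


def lookup_session(cookie_header, now=None):
    """Resolve the sid cookie in a request's Cookie header to a user_id, or None if unknown or expired."""
    now = time.time() if now is None else now
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name != "sid":
            continue
        record = _sessions.get(_key(value))
        if record is None or record["expires"] <= now:
            return None
        return record["user_id"]
    return None


def revoke_session(token):
    """Server-side logout: the cookie the browser still holds becomes a dead reference."""
    return _sessions.pop(_key(token), None) is not None


if __name__ == "__main__":
    set_cookie, tok = create_session("alice")
    print("Set-Cookie:", set_cookie)
    print("lookup ->", lookup_session(f"theme=dark; sid={tok}"))
    revoke_session(tok)
    print("after revoke ->", lookup_session(f"sid={tok}"))
```

The point of the design is that the browser's cookie jar, history and any disk cache only ever hold the random `sid`; the record it refers to never leaves the server, and revoking it invalidates every copy of the cookie at once.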

@Greg 2008-10-09 15:04:51

The whole lot is encrypted - all the headers. That's why SSL on vhosts doesn't work too well - you need a dedicated IP address because the Host header is encrypted.

The Server Name Indication (SNI) standard means that the hostname may not be encrypted if you're using TLS. Also, whether you're using SNI or not, the TCP and IP headers are never encrypted. (If they were, your packets would not be routable.)

@Pacerier 2014-12-12 03:31:43

@Greg, since the vhost gateway is authorized, couldn't the gateway decrypt them, observe the Host header, and then determine which host to send the packets to?

@Teddy 2015-11-16 07:54:34

AFAIK the URL itself is not encrypted.

@Dmitry Polushkin 2017-02-02 15:43:20

@Teddy, what do you mean by "the URL itself is not encrypted"? It's encrypted, as it's part of the header.

@Bochen Lin 2018-01-09 21:57:09

If Fiddler is used to capture HTTPS communication, it still displays some headers. Why? Especially when the internet connection is via a proxy which requires authentication, it displays the Proxy-Authorization header when the request is resent after it gets a 407 on the first send.

@Nux 2019-12-05 00:52:37

@Bochen same way Pegasus does. If you are on either end of the HTTPS tunnel then you can see everything. Same way I can see anything in browser devtools.

@keypress 2016-02-18 13:23:24

Yes, headers are encrypted. It's written here.

Everything in the HTTPS message is encrypted, including the headers, and the request/response load.

@Aran Mulholland 2017-10-10 13:53:29

Wikipedia is not the spec, which is what you should be quoting.

@xxiao 2015-11-21 05:25:06

The URL is also encrypted; you really only have the IP, the port and, if SNI is used, the host name unencrypted.

@curiousguy 2018-07-18 14:45:42

Even if SNI is not supported, an intermediary capable of intercepting HTTP connections will often be capable of monitoring DNS queries too (most interception is done near the client, like on a pirated user router). So they will be able to see the DNS names.
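The answer and comments above boil down to a short list of what an on-path observer gets before any key exists: the TCP/IP headers, the SNI host name in the ClientHello, and, once the handshake is done, only the type and length of each encrypted record. The following is an added example (not code from the thread) that makes that concrete: it builds a minimal TLS 1.2 ClientHello carrying an SNI extension, parses the host name back out of the raw bytes the way a passive sniffer would, and walks a constructed record stream to show that an application-data record exposes nothing but its size. The zeroed client random and the two cipher suites are assumptions chosen for a reproducible example.

```python
import struct

# Added example (not from the thread): build a TLS ClientHello with an SNI
# extension, read it back as a passive on-path observer would, and walk a
# constructed record stream to show which fields are in the clear.

HANDSHAKE, APPLICATION_DATA = 0x16, 0x17


def build_client_hello(server_name):
    """Minimal TLS 1.2 ClientHello record (constructed; the client random is zeroed for reproducibility)."""
    client_random = bytes(32)
    session_id = b""
    cipher_suites = b"\xc0\x2f\xc0\x30"   # ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384
    compression = b"\x00"                  # null compression only
    host = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list    # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + client_random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + bytes([len(compression)]) + compression
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # msg_type 1 = client_hello
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a raw ClientHello record, or None if there is none."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                  # some other handshake message
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                     # skip client_version and random
    pos += 1 + body[pos]                             # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                             # compression_methods
    if pos + 2 > len(body):
        return None                                  # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != 0x0000:
            continue
        lpos = 2                                     # skip the ServerNameList length
        while lpos + 3 <= len(edata):
            ntype = edata[lpos]
            nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
            if ntype == 0:
                return edata[lpos + 3:lpos + 3 + nlen].decode("idna")
            lpos += 3 + nlen
    return None


def observe(stream):
    """What an eavesdropper gets from a TLS byte stream: record types, lengths, and the SNI."""
    names = {HANDSHAKE: "handshake", APPLICATION_DATA: "application_data"}
    seen, pos = [], 0
    while pos + 5 <= len(stream):
        ctype = stream[pos]
        length = struct.unpack("!H", stream[pos + 3:pos + 5])[0]
        record = stream[pos:pos + 5 + length]
        entry = {"type": names.get(ctype, hex(ctype)), "length": length}
        if ctype == HANDSHAKE:
            entry["sni"] = extract_sni(record)       # readable: no key exists yet
        seen.append(entry)                           # application_data: only the size leaks
        pos += 5 + length
    return seen


if __name__ == "__main__":
    # Constructed stream: a ClientHello followed by one fake encrypted application-data record.
    stream = (build_client_hello("example.com")
              + bytes([APPLICATION_DATA]) + b"\x03\x03\x00\x08" + b"\x00" * 8)
    for entry in observe(stream):
        print(entry)
```

Run against a real capture the same `observe()` walk works on the client-to-server bytes of any TLS 1.2 connection; the host name is there in the first record, and every later record after the key exchange reports as `application_data` with nothing but a length.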

@AviD 2008-10-09 22:11:41

HTTP version 1.1 added a special HTTP method, CONNECT - intended to create the SSL tunnel, including the necessary protocol handshake and cryptographic setup.
The regular requests thereafter all get sent wrapped in the SSL tunnel, headers and body inclusive.

@curiousguy 2018-07-18 14:49:04

When is CONNECT used to create the SSL tunnel?
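AviD's answer above describes the CONNECT method, and Bochen Lin's comment on Greg's answer asks why a tool like Fiddler still shows a Proxy-Authorization header on an HTTPS connection. Both come down to the same boundary: everything up to the blank line that ends the CONNECT request is plain HTTP addressed to the proxy, and only the bytes after the proxy's `200` response belong to the TLS tunnel. The following is an added example (not code from the thread) that builds the CONNECT request, models a proxy that answers `407` until Basic credentials check out, and splits the client's byte stream into what the proxy can read and what it merely relays. The toy proxy, the `alice:s3cret` credential and the placeholder tunnel bytes are assumptions made for the example.

```python
import base64

# Added example (not from the thread): what an HTTP forward proxy can read
# around a CONNECT tunnel. Everything before the blank line is plain HTTP the
# proxy parses; everything after it is the TLS stream it only relays.


def parse_head(head):
    """Parse an HTTP request head into (method, target, version, headers with lower-cased names)."""
    request_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def build_connect(host, port, username=None, password=None):
    """CONNECT request as a client sends it to a proxy; credentials travel in a cleartext header."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def toy_proxy(request, valid_credentials):
    """Status a proxy that requires Basic auth returns for a CONNECT: 407 until the credentials check out."""
    head, _, _ = request.partition(b"\r\n\r\n")
    method, _, _, headers = parse_head(head)
    if method != "CONNECT":
        return 405
    auth = headers.get("proxy-authorization", "")
    if auth.startswith("Basic ") and base64.b64decode(auth[6:]).decode() in valid_credentials:
        return 200
    return 407


def proxy_view(client_bytes):
    """Everything the proxy (or a capture tool sitting in its place) can read from the client side."""
    head, sep, tunnel = client_bytes.partition(b"\r\n\r\n")
    if not sep:
        return None                                   # request head not complete yet
    method, target, _, headers = parse_head(head)
    view = {"method": method, "target": target, "headers": headers, "tunnel_bytes": len(tunnel)}
    auth = headers.get("proxy-authorization", "")
    if auth.startswith("Basic "):
        view["credentials"] = base64.b64decode(auth[6:]).decode()   # Basic is base64, not encryption
    return view


def connect_with_retry(host, port, username, password, valid_credentials):
    """Anonymous CONNECT first; on 407, resend the same CONNECT with Proxy-Authorization."""
    statuses = [toy_proxy(build_connect(host, port), valid_credentials)]
    if statuses[-1] == 407:
        statuses.append(toy_proxy(build_connect(host, port, username, password), valid_credentials))
    return statuses


if __name__ == "__main__":
    creds = {"alice:s3cret"}
    print(connect_with_retry("example.com", 443, "alice", "s3cret", creds))
    # Constructed: the authenticated CONNECT followed by placeholder bytes standing in for the TLS handshake.
    wire = build_connect("example.com", 443, "alice", "s3cret") + b"\x16\x03\x01\x00\x05" + b"\x00" * 5
    print(proxy_view(wire))
```

The `credentials` entry in `proxy_view()` is the answer to the Fiddler question: the proxy has to be able to read Proxy-Authorization, so it is sent outside the tunnel, and anything that captures the client-to-proxy leg sees it too. Only the `tunnel_bytes` after the blank line are protected, and only if the client then negotiates TLS with the origin rather than with the proxy itself.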

@CMS 2008-10-09 15:10:16

HTTPS (HTTP over SSL) sends all HTTP content over an SSL tunnel, so HTTP content and headers are encrypted as well.

@mdb 2008-10-09 15:05:26

The headers are entirely encrypted. The only information going over the network 'in the clear' is related to the SSL setup and D/H key exchange. This exchange is carefully designed not to yield any useful information to eavesdroppers, and once it has taken place, all data is encrypted.

@Dori 2016-05-06 20:25:46

Not all SSL setup involves DH

@poolie 2016-11-26 22:17:09

To be a little pedantic: The IP address of the client and server, the server's hostname, and signals about their SSL implementations are useful to eavesdroppers and are visible.

@blowdart 2008-10-09 15:05:10

With SSL the encryption is at the transport level, so it takes place before a request is sent.

So everything in the request is encrypted.

@Prateek Joshi 2017-02-10 09:26:55

Since SSL takes place in the transport layer and assignment of the destination address in packets (in the header) takes place in the network layer (which is below transport), how are the headers encrypted?

@Aquarelle 2017-04-26 03:53:21

@PrateekJoshi Because HTTP headers live on the application layer and so are, by default, encrypted due to a lower/ancestor layer being encrypted.
