Some "junior" programmers think that HTTPS encrypts only the body of an HTTP request, which would mean that the URL is still sent in plaintext.
That is wrong, and this kind of misunderstanding can lead to wrong design decisions, such as insisting on using a POST request even though the request clearly doesn't modify state on the backend.
What Parts of HTTP are Encrypted in an HTTPS request?
HTTPS encrypts all parts of HTTP, including the URL!
For example, the URL is https://www.example.com/path1/path2/../pathX?param1=...&param2=...
A web browser performs these steps when sending an HTTPS GET request:
- Extract the host part of the URL, which is www.example.com, and resolve it to an IP address.
- Access port 443 of the machine at that IP address, and send this content encrypted:

    GET /path1/path2/../pathX?param1=...&param2=... HTTP/x.x
    Header1: Value1
    Header2: Value2
As we can see above, the URL path and its parameters are encrypted.
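The two browser steps above, as an added Python example (not code from the original post): it splits an https:// URL into what an on-path observer can see and the request bytes that are written inside the TLS tunnel. The function name `split_https_exposure`, the sample URL and the cookie value are constructed for illustration; the SNI detail in the comments is standard TLS behaviour rather than something stated on this page.

```python
from urllib.parse import urlsplit


def split_https_exposure(url, headers=None):
    """Return (visible_to_network, bytes_inside_tls) for a GET to an https:// URL.

    Assumes the host is a DNS name and the URL is already percent-encoded.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https:// URLs are modelled here")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    port = parts.port or 443

    # Step 1: only the host name leaves the browser unencrypted. It appears in
    # the DNS lookup and in the SNI field of the TLS ClientHello.
    visible = {"dns_query": host, "tls_sni": host, "tcp_port": port}

    # Step 2: the request line and every header go into the encrypted stream.
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    # The fragment (#...) stays in the browser and is never sent at all.
    host_header = host if port == 443 else f"{host}:{port}"
    lines = [f"GET {target} HTTP/1.1", f"Host: {host_header}"]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    request = ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")
    return visible, request


if __name__ == "__main__":
    # Constructed sample: a URL carrying a secret in its query string.
    sample = "https://www.example.com/account/reset?token=s3cr3t&user=alice#step2"
    visible, request = split_https_exposure(sample, {"Cookie": "session=abc123"})
    print("Visible to the network:", visible)
    print("Encrypted inside TLS:")
    print(request.decode("ascii"))
```

The path, query string and cookie appear only in the second value, which is the data the TLS layer encrypts before it reaches the network.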