Some "junior" programmers thought that HTTPS only encrypts the body part of a HTTP request, which means that the URL part will still be in plaintext.
That is wrong. That kind of misunderstanding could lead to wrong design decisions. A wrong decision, such as insisting to use POST request, even though clearly the request doesn't modify state on the backend.
What Parts of HTTP are Encrypted in an HTTPS request?
HTTPS encrypts all parts of HTTP, including the URL!
For example, the URL is https://www.example.com/path1/path2/../pathX?param1=...¶m2=...
A web browser does these steps when sending a GET HTTPS request:
- Extract the host part of the URL, which is
www.example.com, and resolve it to an IP address. -
Access the port 443 of the machine on that IP address, and send this content encrypted:
GET /path1/path2/../pathX?param1=...¶m2=... HTTP/x.x Header1: Value1 Header2: Value2
Berdasarkan apa yang kita lihat di atas, URL path dan parameter-parameternya termasuk bagian yang terenkripsi.