Steve Ward

Reputation: 1217

HTTPS - iPhone to API - Is URL secure?

I understood that when securing your site through HTTPS, the URL including the query string is encrypted and only sent once a connection is made to the host, so this URL isn't available to eavesdroppers.

However, someone has told us that this is not the case, at least in the case of an iPhone to .NET (MVC) API connection, and he recommended adding this sensitive information to the HTTP header.

So, can we rely on the query string being encrypted or is it best to change how we're working and add it to the header as suggested?

Upvotes: 2

Views: 327

Answers (1)

Yuliy

Reputation: 17718

Any HTTPS connection works the same way:

  1. Client connects to port 443 (usually, can be a different port if specified in URL) on the server, establishes a TLS session
  2. Inside the TLS session, do HTTP: send command ("GET"), query string, HTTP Headers, and get a response

The only thing that's unencrypted is a DNS lookup of the hostname of the server, and then the connection to the server's IP address. Everything else is secure.

NOTE: this assumes you don't have a proxy doing stupid stuff in the middle.

Upvotes: 1
