Does Android encrypt HTTPS headers sent over HttpConnection Post or libraries like Retrofit?

We have a REST web service with SSL enabled (HTTPS). We'd like to build a client that uses REST libraries like Retrofit to make requests to the said service. The authentication we have is basic auth initially, then followed by a token after.

Does Android automatically encrypt the HTTPS headers, i.e. Authorization Code (Basic Auth)?

I'm asking because when using Postman (client), I am able to see the Authorization in the HTTP Header. Not sure if I'm checking this correctly though.

Appreciate any feedback.

1 answer

  • answered 2019-04-15 06:32 Steffen Ullrich

    Does Android automatically encrypt the HTTPS headers, i.e. Authorization Code (Basic Auth)?

    There are no HTTPS headers. There are HTTP headers only. HTTPS is HTTP inside a TLS connection, which also means that all HTTP headers (including Authorization) are encrypted as TLS application payload.

    Of course these headers are available in the client and server before encryption and after decryption and that's why you can see the plain headers there. TLS cares only about protecting the transport of the data between client and server against sniffing and modification, but does not protect the data at the endpoints of the communication.