Java servlet: do parameters sent with doGet() get encoded using HTTPS?

Question

If I have a java servlet using doGet() such as:

public class MyServlet extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response)
...
param1 = request.getParameter("param1");
...

and it gets accessed by calling https://www.mydomain.com/MyServlet?param1=hello.

Is param1 secure since I'm using https (that is, param1 is not visible to anyone but the user accessing the link)? Or, is it visible because doGet() places param1 in the HTML header? If the latter, what's equivalent doPost() look like here?

possible duplicate of [Are HTTPS headers encrypted?](http://stackoverflow.com/questions/187655/are-https-headers-encrypted) — ControlAltDel, Oct 27 '14 at 18:51
it depends on if the link originated in the https site or not — developerwjk, Oct 27 '14 at 18:53

score 2 · Accepted Answer · answered Oct 27 '14 at 18:56

2

If the link originates in the https site, then its fine.

If the link does not originate in the https site, its not. Like if you literally put that link on another site, or same site using http. So if you had http://www.example.com/ and it linked to https://www.example.com/MyServlet?param1=hello then it wouldn't actually be secure because you printed out the link over plain text.

answered Oct 27 '14 at 18:56

developerwjk

8,619
2
17
33

thanks @developerwjk, what if I sent the link `https://www...` in an email and the user clicked the link from there? – user46688 Oct 27 '14 at 18:57
@user46688, The email is probably sent plaintext, which means anyone who can intercept the email can see what that parameter is. – developerwjk Oct 27 '14 at 18:59

Java servlet: do parameters sent with doGet() get encoded using HTTPS?

1 Answers1