-1

Let's say I hit an endpoint http://10.20.30.11/userData which gets redirected to https://10.20.50.12/userData, how would this secure the userData? Wouldn't the userData be exposed during the original request?

Reference: How to redirect all HTTP requests to HTTPS

This article asks how to redirect for 'security'.

Muhammad Safi
  • Yes, it would be insecure and vulnerable to eavesdropping. The idea of https is that you link directly to it, or you redirect to it and THEN ask for user data. The real question here is: why would you give anyone or let anything generate an insecure link that contains user data in the first place? – Roemer Jun 02 '18 at 22:25
  • @Roemer you assume it is Get and no 301 – Sentinel Jun 02 '18 at 22:40

1 Answer

1

There is no reason for you to assume that the userData would be exposed. This invalidates the question.

Sentinel
  • Yes, the only thing that's at risk is any payload data you provide. This includes the path and any forms you send with the original request. Regardless of protocol, anyone listening can see the source and destination IP. Everything else is encrypted in HTTPS. – killjoy Jun 02 '18 at 22:27
  • @killjoy And even if it was a post, which is not explicit, a permanent redirect to https is often enforced by the browser, after a secure 301, not by the server. – Sentinel Jun 02 '18 at 22:34
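
An added example, not part of the original question, answer or comments: a loopback listener stands in for http://10.20.30.11 and records what it can read from the first plain-HTTP request before it answers with a 301 to https://10.20.50.12. The names `first_hop`, `seen` and `RedirectHandler` and the sample body and cookie are constructed for this illustration; the redirect only protects the follow-up HTTPS request, so the first hop is what to inspect when reviewing such a setup.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

HTTPS_TARGET = "https://10.20.50.12"  # redirect target from the question
seen = []  # everything the plain-HTTP hop received, i.e. what crossed the wire unencrypted


class RedirectHandler(BaseHTTPRequestHandler):
    """Stands in for http://10.20.30.11: records the request, then answers 301."""

    def _redirect(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length).decode()
        # By the time the server can say "use HTTPS", it has already read all of this.
        seen.append({"method": self.command, "path": self.path,
                     "cookie": self.headers.get("Cookie"), "body": body})
        self.send_response(301)
        self.send_header("Location", HTTPS_TARGET + self.path)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = _redirect

    def log_message(self, *args):  # silence default stderr logging
        pass


def first_hop(method, path, body=None, headers=None):
    """Send one plain-HTTP request to a loopback listener; return (status, Location, record)."""
    server = HTTPServer(("127.0.0.1", 0), RedirectHandler)
    worker = threading.Thread(target=server.handle_request, daemon=True)
    worker.start()
    conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
    conn.request(method, path, body=body, headers=headers or {})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    worker.join(timeout=5)
    server.server_close()
    return resp.status, resp.getheader("Location"), seen[-1]


if __name__ == "__main__":
    # Constructed sample values, not real data.
    status, location, record = first_hop(
        "POST", "/userData", body="name=alice&card=0000",
        headers={"Cookie": "session=constructed"})
    print(status, location)
    print("readable before the redirect:", record)
```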