2

So I'm working on an application where an access token (JWT, using Spring Security) is used to authenticate a user. The tokens are encrypted and stored in an httpOnly cookie (ngx-cookie), and the access token has a validity of 24 hrs; a new token is issued if it has expired. Currently I'm working on localhost, and the bearer token is visible in the headers in the Network tab whenever I make an API call. My question is: when the application is live and over HTTPS (SSL), will the headers and the payload data still be visible, or hidden/encrypted?

I'm currently new to programming, so any guidance will be very helpful.

Bearer tokens are shown only for failed API calls; not sure how or why.


BHL

  • Does this answer your question? [Are HTTPS headers encrypted?](https://stackoverflow.com/questions/187655/are-https-headers-encrypted) – derpirscher Jul 22 '21 at 21:05
  • Are you asking if the headers will still be visible to the user in browser dev tools? If so, yes. The browser has to know what the headers are in order to send them to your server. – Aurast Jul 22 '21 at 21:06
  • More relevant reading: https://stackoverflow.com/questions/34259248/what-if-jwt-is-stolen – Squiggs. Jul 22 '21 at 21:07
  • Thank you @derpirscher, @Squiggs; the above articles helped, I have a better understanding now – BHL Jul 22 '21 at 21:13
  • @Aurast yes, that was my question, but I didn't seem to understand why the bearer tokens only show up for a failed API call – BHL Jul 22 '21 at 21:13
  • @BHL are you really sure the token shows only with failed calls? You'll probably have to separate between XHR requests (i.e. ajax calls issued from JavaScript) and other requests like CSS or img, which are issued by the browser. Requests issued by the browser typically won't have any authorization headers, because that's mostly app specific. But the ajax calls issued by the web app itself typically will have the authorization headers (if authorization is needed) – derpirscher Jul 22 '21 at 21:18
  • Understood; yes, the ajax calls need authorization, and yes, I was seeing the headers (Bearer) only for failed API calls. I'll try to reproduce the issue again and update you; thanks again for your time :) – BHL Jul 22 '21 at 21:27

1 Answer

2

TLS (Transport Layer Security, earlier SSL) is the protocol responsible for handling HTTPS. In the OSI reference model, the TLS protocol applies to the transport layer (layer 4), while the HTTP protocol is an application-layer (layer 7) protocol (headers are part of the HTTP protocol).

Note: the OSI model is a reference model, while the actual implementation is the IP model, which is a simplified version of the OSI model.

In communication, data from a given layer is encapsulated/wrapped by the layer below it before sending (read more about the OSI reference model). Therefore, your HTTP data (data + headers) will always be encrypted by the transport layer with the TLS protocol when HTTPS is enabled: your application data, including HTTP headers/body, will always be encrypted before it's sent over the network. So there is no need to worry.

Imesha Sudasingha