I understood that when securing your site through HTTPS, the URL including the query

Question

0

Asked: May 20, 20262026-05-20T10:12:23+00:00 2026-05-20T10:12:23+00:00

I understood that when securing your site through HTTPS, the URL including the query

0

I understood that when securing your site through HTTPS, the URL including the query string is encrypted and only sent once connection is made to the host so this url isnt available to eaves droppers.

However, someone has told us that this is not the case, at least in the case of iPhone to .Net (MVC) API connection and he recommended adding this sensitive information to the HTTP header.

So, can we rely on the query string being encrypted or is it best to change how we’re working and add it to the header as suggested?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-20T10:12:24+00:00

Any HTTPS connection works the same way:

Client connects to port 443 (usually, can be a different port if specified in URL) on the server, establishes a TLS session
Inside the TLS session, do HTTP: send command (“GET”), query string, HTTP Headers, and get a response

The only thing that’s unencrypted is a DNS lookup of the hostname of the server, and then the connection to the server’s IP address. Everything else is secure.

NOTE: this assumes you don’t have a proxy doing stupid stuff in the middle.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I understood that when securing your site through HTTPS, the URL including the query

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply