Please correct me if I'm wrong. HTTPS will encrypt the URL, but the DNS lookup i... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

olivier1664 on April 18, 2013 | parent | context | favorite | on: Secure Your REST API

Please correct me if I'm wrong. HTTPS will encrypt the URL, but the DNS lookup is in clear. So the "username:password@example.com" part will be sniffable/loggable.

http://stackoverflow.com/questions/499591/are-https-urls-enc...

jewel on April 18, 2013 [–]

That's incorrect. The URI library will parse the URL into a hostname, username, and password. Only the hostname is sent to the DNS server.

The username and password are sent in the "Authorization" HTTP header, which will be encrypted.

Consider applying for YC's Spring batch! Applications are open till Feb 11.
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact