Do I need a 2nd layer of encryption through a secured site (HTTPS/SSL/TLS)?
For example, if I were to send a post request to a /login route, would that payload already be encrypted if the API URL is HTTPS? As far as I know, if it is in HTTPS, then the payload is already encrypted.
Another example is sending a post request that involves transferring money. Is SSL/TLS secure enough to not need a second layer of encryption using a crypto library?
I am working on a project with sensitive data, but I also don't want it to be needlessly complex with a second layer of encryption if HTTPS/SSL/TLS is already enough to secure it.
Currently, the code base I am working on uses a list of keys (30 keys); the key to be used for encryption is picked randomly from that list.
The list of keys is stored in an .env file on both the frontend and the backend, which I thought was weird. Isn't that insecure, since all 30 keys are exposed on the frontend? I already asked various LLMs about this, and all of them agree that this way of encrypting the payload is flawed and insecure, and not necessary since HTTPS already secures the payload. So, fellow humans, is there any advice you can give me to prevent MITM attacks? Is the AI's advice correct?
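One concrete check that follows from the question is whether the "second layer" keys actually end up in what the browser downloads. Frontend bundlers inline environment variables into the shipped JavaScript, so any value that appears in the built assets is public and cannot provide confidentiality on top of TLS. The script below is an added example, not code from the original post or from the asker's project: it parses a backend-style `.env`, then reports which of its values (including each entry of a comma-separated key list) appear verbatim in a frontend bundle. The `.env` contents, the variable names (`PAYLOAD_KEYS`, `DATABASE_URL`) and the minified bundle text are all constructed sample data.

```python
"""
Added example (not from the original post): audit whether secrets kept in a
backend .env file also appear in the frontend's built assets. Anything found
there must be treated as public, so it cannot add confidentiality on top of
HTTPS. All inputs below are constructed sample data.
"""
from typing import Dict, List

# Constructed sample backend .env (hypothetical variable names).
BACKEND_ENV = """
# database credentials and the application-layer key list
DATABASE_URL=postgres://app:s3cr3t@db.internal/app
PAYLOAD_KEYS="k1aaaaaaaaaaaaaaaaaa,k2bbbbbbbbbbbbbbbbbb,k3cccccccccccccccccc"
PORT=8080
"""

# Constructed sample of a minified frontend bundle after the bundler inlined
# environment variables: the key list now ships to every browser.
FRONTEND_BUNDLE = """
const KEYS=["k1aaaaaaaaaaaaaaaaaa","k2bbbbbbbbbbbbbbbbbb","k3cccccccccccccccccc"];
function pickKey(){return KEYS[Math.floor(Math.random()*KEYS.length)]}
fetch("https://api.example.test/login",{method:"POST",body:encrypt(pickKey(),payload)});
"""


def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines of a dotenv file.

    Blank lines and '#' comments are skipped; surrounding quotes are stripped
    from the value. Good enough for a typical .env; not a full dotenv parser.
    """
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def secret_values(value: str) -> List[str]:
    """Split a comma-separated list (e.g. the 30-key list) into individual values."""
    return [part.strip() for part in value.split(",") if part.strip()]


def find_leaked_secrets(env: Dict[str, str], bundle: str, min_len: int = 16) -> Dict[str, int]:
    """Count, per variable, how many of its values appear verbatim in the bundle.

    Values shorter than min_len (ports, booleans, short names) are ignored so
    that common tokens do not produce noise. Only variables with at least one
    hit are returned.
    """
    hits: Dict[str, int] = {}
    for name, value in env.items():
        found = sum(1 for v in secret_values(value) if len(v) >= min_len and v in bundle)
        if found:
            hits[name] = found
    return hits


def audit_bundle(env_text: str, bundle_text: str) -> Dict[str, int]:
    """Convenience wrapper: parse the .env and check it against the bundle."""
    return find_leaked_secrets(parse_env(env_text), bundle_text)


if __name__ == "__main__":
    leaked = audit_bundle(BACKEND_ENV, FRONTEND_BUNDLE)
    for name, count in leaked.items():
        print(f"{name}: {count} value(s) present in the frontend bundle -> public, not a secret")
    if not leaked:
        print("no backend .env values found in the frontend bundle")
```

In practice you would read the real `.env` and the real `dist/` output instead of the inline strings; the point is that any key the check reports is known to every client, so encrypting a request with it does not protect the request from anyone who can read the page, and the confidentiality of the payload in transit still rests entirely on TLS.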