New feature: Encrypted API Requests

A new feature is available - Encrypted Requests.

The feature encrypts the body of requests and responses between clients (web/mobile) and the server. When used in conjunction with API Protection (Client/Server Signatures), it reliably protects the application against Man-in-the-Middle (MITM) attacks. It can be enabled in the settings of each endpoint.

Features:

  • PFS (perfect forward secrecy) model: a first request obtains a new ECDH key from the server, and a second request exchanges the encrypted data
  • Encryption keys are unique for each request
  • All operations on key material use non-retrievable storage in clients, and the key material is destroyed after the operation is completed
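
The two-request flow from the list above, as an added Node.js example that is not the product's own code. The curve (P-256), HKDF-SHA256, AES-256-GCM, the `keyId` field and all function names are assumptions, and the Client/Server Signatures that authenticate the exchange against MITM are left out.

```javascript
// Added illustration, not the product's code: curve, KDF, cipher and field names are assumptions.
const crypto = require('node:crypto');

const pending = new Map(); // server side: keyId -> one-time ECDH key pair

// Request 1 (server): issue a fresh ECDH public key, valid for a single exchange.
function serverIssueKey() {
  const ecdh = crypto.createECDH('prime256v1');
  const publicKey = ecdh.generateKeys();
  const keyId = crypto.randomUUID();
  pending.set(keyId, ecdh);
  return { keyId, publicKey };
}

// Both sides derive the same 256-bit key from the ECDH shared secret, bound to keyId.
function deriveKey(ecdh, peerPublicKey, keyId) {
  const shared = ecdh.computeSecret(peerPublicKey);
  const key = Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.from(keyId), 'encrypted-request', 32));
  shared.fill(0); // best-effort wipe of the raw shared secret
  return key;
}

// Request 2 (client): new ephemeral key pair per request, so every request gets a unique key.
function clientEncrypt({ keyId, publicKey }, body) {
  const ecdh = crypto.createECDH('prime256v1');
  const clientPublicKey = ecdh.generateKeys();
  const key = deriveKey(ecdh, publicKey, keyId);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(keyId)); // ties the ciphertext to this key id
  const ciphertext = Buffer.concat([cipher.update(body, 'utf8'), cipher.final()]);
  key.fill(0); // best-effort wipe of the per-request key after use
  return { keyId, clientPublicKey, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Request 2 (server): consume the one-time key, then decrypt and authenticate the body.
function serverDecrypt({ keyId, clientPublicKey, iv, ciphertext, tag }) {
  const ecdh = pending.get(keyId);
  if (!ecdh) throw new Error('unknown or already used key id');
  pending.delete(keyId); // single use: a replayed request finds no key
  const key = deriveKey(ecdh, clientPublicKey, keyId);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAAD(Buffer.from(keyId));
  decipher.setAuthTag(tag);
  const body = Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8');
  key.fill(0);
  return body;
}
```

Because both ECDH key pairs are discarded after one exchange, a later compromise of either side does not expose previously recorded request bodies.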

Limitations:

  • Does not work with multipart/form-data requests
  • Does not work with WebSockets

Encrypted requests generate more traffic, cannot be compressed, require additional requests to the server, and consume server resources for encryption and decryption operations. For requests smaller than 1 MB, the encryption overhead should be less than 10 ms.

P.S. A similar mechanism is used in Apple iCloud authorization when you log in via the web.