Does HTTPS Encrypt the URL? A Detailed Look at TLS Handshake, SNI, and Record Protocol Integrity

In response to an interview question, the author confirms that HTTPS encrypts the URL because HTTPS encrypts the entire HTTP message, including both the HTTP header (where the URL resides) and the body.

For HTTP/1.1 the request line contains the method and path, which are part of the header; therefore they are encrypted under TLS. The article shows a typical HTTP/1.1 request header and notes that in HTTP/2 the same information appears as pseudo‑headers (:method and :path).

Although the encrypted traffic hides the URL, the domain name is still exposed during the TLS handshake: the Client Hello message carries a Server Name Indication (SNI) extension that contains the requested host name, making the domain visible to observers.

The author then explains how HTTPS guarantees integrity: after the TLS handshake negotiates a symmetric key, the TLS record protocol processes application data by fragmenting, optionally compressing, appending a Message Authentication Code (MAC) for integrity, encrypting the result with the symmetric cipher, and finally adding a record header containing type, version, and length before transmission over TCP.

Thus, HTTPS provides both confidentiality (including URL encryption) and integrity, while the domain name can still be inferred from the handshake.