nym/documentation/docs/pages/developers/mix-fetch/concepts.mdx
mfahampshire 7c890ea0c5 TS SDK docs (#6840)
* First sweep packages + some minor tweaking

* Second sweep

* Regenerate lockfile + package.json mods

* Regenerate lockfile again

* Fix CI

* Fix CI again

* All building properly

* unblock

* Tweak examples

* Comments + readme + fix rotten unit test

* First pass docs

* Big pass

* Massive pass on new docs

* Update integrations.md w mobile

* Partial overhaul review

* new playground + big pass

* new fix lychee err

* IPR notice tweak
2026-06-09 13:31:08 +00:00


---
title: "mix-fetch concepts & security"
description: "What the IPR exit sees when you route HTTP through mix-fetch, and what TLS keeps private."
schemaType: "TechArticle"
section: "Developers"
lastUpdated: "2026-06-05"
---
import { Callout } from 'nextra/components'

# Concepts & security

## Security model

`mix-fetch` follows the shared [mixnet exit security model](/developers/concepts/exit-security): the IPR exit sees your destination, and you rely on TLS so that the payload reaches the exit only as ciphertext. What that means specifically for HTTP/S:

| Scheme | What's visible at the IPR exit |
|---|---|
| HTTPS (`https://`) | Destination IP and port. Payload is TLS ciphertext, terminating at the destination rather than the IPR. |
| HTTP (`http://`) | Destination IP and port, plus the full request and response in plaintext. |

<Callout type="warning">
TLS terminates inside the WASM instance (via [`rustls`](https://docs.rs/rustls) in smolmix-wasm), not in the browser. The Mozilla CA bundle is compiled into the WASM. Mixed content rules still apply at the page level, so serve your app over HTTPS.
</Callout>
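
The table above can be enforced in application code. The following is an added example, not code from the mix-fetch SDK: `exitView` and `guardedFetch` are hypothetical helpers that report what the exit would read for a request and refuse `http://` unless the caller opts in. It assumes the wrapped function is fetch-compatible (for instance the SDK's fetch function) and that the runtime provides the standard `URL` and `Headers` globals.

```javascript
// Added example. exitView and guardedFetch are hypothetical helpers, not mix-fetch APIs.
const DEFAULT_PORT = { 'https:': 443, 'http:': 80 };
const CREDENTIAL_HEADERS = ['authorization', 'cookie', 'proxy-authorization'];

// Summarise what the IPR exit can observe for one request, following the table above.
function exitView(rawUrl, init = {}) {
  const url = new URL(rawUrl); // throws on relative or malformed URLs
  if (!(url.protocol in DEFAULT_PORT)) {
    throw new TypeError(`not an HTTP(S) URL: ${url.protocol}`);
  }
  const plaintext = url.protocol === 'http:';
  // Headers normalises names to lower case and accepts objects, arrays or Headers.
  const names = [...new Headers(init.headers || {}).keys()];
  return {
    port: Number(url.port) || DEFAULT_PORT[url.protocol],
    payloadVisible: plaintext,
    // Over http:// the exit reads the whole request, so list what that includes.
    exposed: plaintext
      ? {
          target: url.pathname + url.search,
          credentials: names.filter((n) => CREDENTIAL_HEADERS.includes(n)),
          hasBody: init.body != null,
        }
      : null,
  };
}

// Wrap a fetch-compatible function so plaintext requests fail closed unless opted in.
function guardedFetch(fetchImpl, { allowPlaintext = false } = {}) {
  return async (rawUrl, init = {}) => {
    const view = exitView(rawUrl, init);
    if (view.payloadVisible && !allowPlaintext) {
      const creds = view.exposed.credentials.join(', ') || 'none';
      throw new Error(
        `refusing http:// request to ${view.exposed.target}: ` +
          `readable at the exit (credential headers: ${creds})`
      );
    }
    return fetchImpl(rawUrl, init);
  };
}
```

Passing `{ allowPlaintext: true }` is the explicit opt-in for destinations that only speak HTTP; everything sent that way should be treated as readable by the exit.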