
Is Symmetric Key Exchange over HTTPS safe?

Çağlar Arlı


I am auditing a web application that gives access to a financial backend. The web application provides the frontend in a properly encrypted HTTPS session, and after the client authenticates inside the system, it sends the symmetric key that will be used for further communication (between the client and the server) as a GET request back to the server, putting the key information as a value inside the HTTP header. The symmetric key is used to handle another portion of traffic exchange outside the web frontend.

I know that HTTPS encrypts everything, including the HTTP header, but is relying only on HTTPS to share the symmetric key for the post-encryption process safe? Is it a good practice? Is encrypting the key value before sending it as a value inside the HTTP header still needed even if you already have a secure line established (HTTPS)?