HTTPS traffic is encrypted. The Web Proxy can pass through encrypted HTTPS traffic, serving as a
“man in the middle”, but unless the content is decrypted, the web proxy cannot apply the content-based
rules contained within access policies, for example, it cannot block executable files or scan for malware.
The HTTPS proxy can decrypt HTTPS traffic and pass it to access policies for the application of
content-based policies. The web proxy then applies access policies to the decrypted HTTPS content.

When the HTTPS proxy is enabled, HTTPS-specific rules in access policies, for example, “block HTTPS
traffic”, are disabled. The web proxy processes decrypted HTTPS traffic using rules for HTTP.

Decryption policies specify which HTTPS connections to monitor, drop, pass through, or decrypt.

Note

Handle personally identifiable information with care: If you choose to decrypt an end-user’s HTTPS
session, the Web Security appliance access logs and reports may contain personally identifiable
information. Cisco recommends that Web Security appliance administrators take care when handling this
sensitive information.

You can configure how much URI text is stored in the logs using the

advancedproxyconfig

CLI

command and the

HTTPS

subcommand. You can log the entire URI, or a partial form of the URI with the