When using HTTP for remoting, headers are not encrypted. But body is always encrypted when using NTLM, CredSSP or Kerberos - the GSSAPI supported protocols. If user doesn't want to use these and opts for basic auth or some other protocol that doesn't have encryption specified, https is useful.