So i checked with HTTPDebugger - another sinffer program. SSL works well when https. No Post / get params visible!
Thank you all for discussion - explanation found!
You should do authorization of upload requests via some mechanism. HTTP supports some inbuilt mechanisms. "Basic" authentication means user+password must be passed with the request. This is obviously a bad way of working when using http, though it is somewhat mitigated by using SSL, though in theory a proxy-in-the-middle attack with suitable fake certificates (or a suitably compromised browser) could in theory be used to steal the password. To prevent at least sending the password over the wire you can in general therefore use "Digest" authentication (https://tools.ietf.org/html/rfc2617) instead. (Don't know/haven't checked whether UniGUI supports this or not, though I assume it should be possible one way or another...)
Other approaches include issuing/using access tokens (some random key) that is passed with the requests, where you associate the token with a user's account and can then monitor token usage for abuse and expire them as needed. (See , "Persistent authentication Tokens".)
As an aside: The current "remember me" demo application is in this respect really bad currently, as it stores the user/pass in cookies on the browser that can be easily read/stolen.
Ideally it should be improved to (at least) use the access-token approach outlined above, or to at least not use the actual password but a digest/hash instead and store this encrypted. I was thinking of improving it. Would it be an ideal to publish the demo applications on Github (or perhaps on BitBucket as a private repo with explicit invites if making it public is not agreeable) so that we can make improvements?
I include some relevant links from my bookmarks for the benefit of readers: