To avoid this, you'd have to MAC the whole contents of the request. But HTTP proxies tend to rewrite the contents of non-secure requests, so your MACs will break and stuff will fail randomly. The only way around it is, yep, encrypt the request. Integrity without encryption fails if you have proxies that expect to be able to meddle with requests.
There are admittedly some practical reasons not to use TLS for everything right now, but they're not prohibitive -- look at Gmail or typical bank websites -- and they're diminishing with time.
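An added illustration of the point in the comment above (example code added here, not part of the original comment): a MAC over the whole request fails after a benign intermediary rewrite in the same way it fails after tampering, so the receiver cannot tell the two apart. The key, host names, request contents and the proxy's rewriting behaviour are all constructed assumptions.

```python
import hashlib
import hmac

KEY = b"constructed-shared-secret"  # constructed sample key, not a real secret


def canonical(method, path, headers, body):
    """Serialise the whole request: method, path, normalised headers, body."""
    norm = sorted((k.lower(), v.strip()) for k, v in headers.items())
    head = "\n".join([method.upper(), path] + [f"{k}:{v}" for k, v in norm])
    return head.encode() + b"\n\n" + body


def sign(method, path, headers, body):
    """HMAC-SHA256 tag covering every part of the request."""
    msg = canonical(method, path, headers, body)
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def verify(method, path, headers, body, tag):
    """Constant-time comparison of the recomputed tag with the received one."""
    return hmac.compare_digest(sign(method, path, headers, body), tag)


def rewriting_proxy(headers, body):
    """Hypothetical intermediary: appends a Via header, collapses whitespace."""
    out = dict(headers)
    out["Via"] = "1.1 proxy.example"
    return out, b" ".join(body.split())


def demo():
    """Return (untouched_ok, after_proxy_ok, after_tamper_ok)."""
    headers = {"Host": "api.example", "Content-Type": "text/plain"}
    body = b"amount=10\n  to=alice\n"  # constructed request body
    tag = sign("POST", "/transfer", headers, body)

    untouched = verify("POST", "/transfer", headers, body, tag)
    p_headers, p_body = rewriting_proxy(headers, body)
    after_proxy = verify("POST", "/transfer", p_headers, p_body, tag)
    forged = body.replace(b"alice", b"mallory")
    after_tamper = verify("POST", "/transfer", headers, forged, tag)
    return untouched, after_proxy, after_tamper


if __name__ == "__main__":
    print(demo())
```

Both the proxied and the tampered request are rejected, which is the random breakage the comment describes: integrity checking works, but it cannot coexist with intermediaries that modify plaintext requests.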
Copyright © 2017, Eklektix, Inc.