How insecure is it to publish a public post service receiving base64 values in a JSON payload?

0
Hi guys,

We have a post service receiving PDFs as base64 values in a JSON payload. There is no authorization set on this service because a third-party service is used for this, which I use later in the MF.

Now I am wondering, could anybody execute a "Man in the Middle" attack to capture the base64 value in the http header? I think this is possible (I don't know exactly how, but I have seen that there is no direct authorization request for the post service).

How should I secure the base64 string then that is sent in the header? Send it as binary, and then definitely with authorization? What do you guys do in such a case?
asked
1 answer
0

Data that you transmit in the header can be secure as long as the provider of the service uses https. I'm assuming you are calling another service; if that service is accessible through https:// your data in the headers and body is safe.

With an https connection only the url is visible (so never put a username and password in the url parameters). But the body is always secured from people listening in.


You are referring to a man in the middle attack; that can always happen no matter how you secure it. Somebody can always sit in between the two services and attempt to relay the information. The trick is to detect this.

If you are using http (not https) you cannot detect a man in the middle attack; everybody can listen in to your requests, intercept and forward them. Simply put, http is not secure.

When using an https connection all data is secured in the connection, and when setting up the connection an application should validate whether the certificate from the publishing party is trusted and matches the url. If the certificate is known and exactly as expected the url can be trusted; a 'man in the middle' can't both have a trusted certificate and pretend that he is the actual receiving party. Mendix natively does all the certificate and url validation.

So as long as you don't change any of the advanced security parameters, and if you always use https, your data is safe from people listening in. (For more on how/why I'd suggest researching the attack; Mendix isn't any different.)


Authorization is a different case: if you don't have authorization on the service, anybody can call the service regardless of your security.

answered
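The answer above makes two separate points: certificate and hostname validation on the https connection is what lets a caller notice a machine sitting in the middle, and authorization on the endpoint is what stops arbitrary callers, which TLS alone does not give you. The Python sketch below is an added illustration of both, not code from this thread or from Mendix. It assumes a bearer token as the shared secret, a JSON field named `file` for the base64 PDF, and a 10 MiB size cap; all three are assumptions chosen for the example, and the sample PDF bytes are constructed.

```python
import base64
import hmac
import json
import ssl

# Assumed shared secret for the example; in a real deployment it comes from
# configuration or a secret store, never from source code.
EXPECTED_TOKEN = "example-shared-secret"
MAX_PDF_BYTES = 10 * 1024 * 1024  # assumed upper bound for one uploaded PDF


def make_client_tls_context() -> ssl.SSLContext:
    """TLS context for the outbound https call.

    A chain to a trusted CA is required and the certificate's name must match
    the host in the url. A relay in the middle cannot satisfy both, so the
    handshake fails instead of silently talking to the wrong party.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True                 # certificate must match the url host
    ctx.verify_mode = ssl.CERT_REQUIRED       # untrusted or self-signed -> failure
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_authorized(headers: dict, expected_token: str) -> bool:
    """Constant-time bearer-token check.

    https keeps the Authorization header from eavesdroppers; this check is
    what keeps anyone on the internet from calling the service at all.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), expected_token.encode())


def handle_upload(headers: dict, raw_body: bytes) -> tuple:
    """Simulated endpoint: returns (HTTP status, message).

    Authorization is checked before the body is even parsed, so unauthenticated
    callers cannot make the service do base64 decoding work for them.
    """
    if not is_authorized(headers, EXPECTED_TOKEN):
        return 401, "missing or invalid Authorization header"
    try:
        encoded = json.loads(raw_body)["file"]
    except (ValueError, KeyError, TypeError):
        return 400, "body must be JSON with a 'file' field"
    # base64 expands by 4/3; reject before decoding anything oversized.
    if not isinstance(encoded, str) or len(encoded) > MAX_PDF_BYTES * 4 // 3 + 4:
        return 413, "payload too large"
    try:
        data = base64.b64decode(encoded, validate=True)  # strict alphabet
    except ValueError:
        return 400, "'file' is not valid base64"
    if not data.startswith(b"%PDF-"):
        return 415, "decoded content is not a PDF"
    return 200, f"accepted {len(data)} bytes"


# Constructed sample request: a minimal PDF-looking byte string, not a real document.
SAMPLE_PDF = b"%PDF-1.4\n% constructed sample for the example\n%%EOF\n"
SAMPLE_BODY = json.dumps({"file": base64.b64encode(SAMPLE_PDF).decode()}).encode()
AUTH_HEADERS = {"Authorization": f"Bearer {EXPECTED_TOKEN}"}

if __name__ == "__main__":
    print(handle_upload(AUTH_HEADERS, SAMPLE_BODY))   # accepted
    print(handle_upload({}, SAMPLE_BODY))             # 401, no token
    ctx = make_client_tls_context()
    print(ctx.check_hostname, ctx.verify_mode == ssl.CERT_REQUIRED)
```

The split matters in practice: `make_client_tls_context` addresses the question's "man in the middle" worry (and is the default behaviour a platform like Mendix applies unless you loosen the advanced security settings), while `is_authorized` addresses the separate problem the answer ends on, that a service with no authorization is callable by anyone even over a perfectly secured connection.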