XML is as secure as HTML. Just as HTTPS can be used to add encryption to HTTP, protecting HTML, it can be used to protect XML.
XML is text-based in format to represent structured data. This maximizes simplicity and interoperability with the data. A number of steps can be taken to add security and authentication to the XML format. First, XML can be encrypted on the server before transmission to the client, then decrypted on the client. In addition, XML can be authenticated by digital signatures applied to the data itself.