I am working on an application that requires me to send sensitive information through a REST API from Backend to Frontend. My intuition is that the information should be sent encrypted, so the HTTP response can't be intercepted. Using RSA, this would mean encrypting the information with a public key in backend and then decrypting it with the private key in frontend. My second intuition is that storing a private key in frontend does not really make sense since it could be retrieved by anyone and used to decrypt the sensitive information, defying the purpose of using encryption in the first place.
I did some research and it seems like it is practice to send sensitive information unencrypted. One idea was to create a separate endpoint to retrieve the private key - but how will that request be safe from interception?
The proper solution is to use HTTPS, in which TLS (Transport Layer Security) is used to encrypt the traffic between the client and the server. This requires setting up a certificate on the server, which is fairly straightforward these days with Let's Encrypt.
Within an HTTPS connection, all traffic is automatically encrypted, so you can safely write JavaScript that seemingly sends "unencrypted" information as long as you're sending it over HTTPS (I truly hope that this is what you have seen in your research - sensitive information should never ever be sent in the open, and in 2023, there is no good reason to not use HTTPS for everything except local development).
Note that this does not require an initial unsecured transfer of a key from the server to the client (which would indeed be easy to break, as you have noted). Instead, Diffie-Hellmann key exchange is used to securely exchange a random key at the start of each connection. After a secure connection has been set up, the server presents a certificate to the client to prove that it actually is the real server for the domain that the client wanted to contact. So not only does HTTPS prevent anyone but the client and the server from seeing the traffic, but you can trust that the server is who you think it is.