For production and other publicly-accessible instances, the JSON-RPC endpoint should be served over SSL on port 443, where possible, for security and ease of use. Though, soroban-rpc does not terminate ssl by itself, so will need a load-balancer or other service to terminate SSL for it.
When XDR is passed as a parameter or returned, it is always a string encoded using standard base64.
Soroban-RPC provides an OpenRPC specification document that can be used to mock, build, and/or validate both server and client software implementations. This document is used to generate all of our methods documentation pages. You can view the full specification document here. Additionally, you can experiment with this specificaiton document in the OpenRPC Playground.