Isn't it a functionality of the proxy to be able to see your data, and not a flow?
you are using charles' certificate so of course the proxy see your data to be able to re-encrypt it to send to the server.
the communication is encrypted and nobody can read the content (unless you trust a man-in-the-middle certificate instead of the owner's one), but not what you type. if you want to encrypt your own password to send you would have to type it crypted yourself, or maybe add a javascript function to encrypt it first before sending the GET or POST request and the server would have to decrypt it first before checking it with the database.
But even encrypted, it would not be enough unless you are using SSL/TLS for that and generate a trusted key for the current connexion. because if you just encrypt it with a salt, someone "in the middle" can use the same encrypted string and the server would decrypt it.
the full stream is already encrypted, it's up to you to verify who provide the certificate to be sure nobody is reading your content.