---
title: Always Use TLS For All Connections
impact: HIGH
impactDescription: protects data in transit from eavesdropping
tags: tls, https, encryption, transport, security
---

## Always Use TLS For All Connections

Unencrypted traffic exposes data to anyone on the network path - ISPs, WiFi operators, and attackers - who can read it and, just as importantly, modify it in transit. Passwords, session tokens, database queries and cached objects all travel in the clear. This applies to internal hops (service to database, service to cache, service to queue) as much as to the public edge: a single unencrypted backend link is enough for an attacker with a foothold on the network to harvest credentials.

**Incorrect (unencrypted connections):**

```go
package main

import (
	"database/sql"
	"net/http"

	_ "github.com/lib/pq"          // assumed Postgres driver
	"github.com/redis/go-redis/v9" // assumed Redis client
)

func main() {
	// HTTP API call: request, response and any auth header cross the network in cleartext
	resp, _ := http.Get("http://api.example.com/users")
	_ = resp

	// Postgres with sslmode=disable: the password and every query go in the clear
	db, _ := sql.Open("postgres", "postgres://user:pass@localhost/db?sslmode=disable")
	_ = db

	// Redis without TLS: the AUTH password and cached data are readable on the wire
	client := redis.NewClient(&redis.Options{Addr: "localhost:6379"})
	_ = client
}
```

**Correct (TLS everywhere):**

```go
package main

import (
	"crypto/tls"
	"database/sql"
	"log"
	"net/http"
	"os"

	_ "github.com/lib/pq"          // assumed Postgres driver
	"github.com/redis/go-redis/v9" // assumed Redis client
)

func main() {
	// HTTPS for all APIs: the default transport verifies the server certificate
	// against the system roots. Never set InsecureSkipVerify to make an error go away.
	resp, err := http.Get("https://api.example.com/users")
	if err != nil {
		log.Fatal(err)
	}
	defer resp.Body.Close()

	// TLS for the database: verify-full encrypts AND checks the certificate chain
	// and host name. sslmode=require only encrypts and skips certificate verification.
	db, err := sql.Open("postgres", "postgres://user:pass@localhost/db?sslmode=verify-full")
	if err != nil {
		log.Fatal(err)
	}
	defer db.Close()

	// Redis with TLS: a non-nil TLSConfig enables TLS with certificate verification
	client := redis.NewClient(&redis.Options{
		Addr:      "localhost:6380",
		TLSConfig: &tls.Config{MinVersion: tls.VersionTLS12},
	})
	defer client.Close()
}

// enforceHTTPS redirects cleartext requests to HTTPS and sets HSTS on the rest.
// r.TLS covers direct TLS; X-Forwarded-Proto covers a TLS-terminating proxy and is
// only trustworthy when such a proxy is the only path to this server.
func enforceHTTPS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		secure := r.TLS != nil || r.Header.Get("X-Forwarded-Proto") == "https"
		if !secure && os.Getenv("ENV") == "production" {
			// r.Host is client-supplied; restrict it to known hosts if the redirect target matters
			http.Redirect(w, r, "https://"+r.Host+r.RequestURI, http.StatusMovedPermanently)
			return
		}
		w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
		next.ServeHTTP(w, r)
	})
}
```
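"TLS on" is not the same as "TLS verified". The example below is added here and is not code from the original page: it starts a local HTTPS server with a self-signed certificate (via `net/http/httptest`, which puts nothing in the system trust store) and connects to it three ways. Default system-root verification rejects the certificate, which is the control working rather than a bug to silence. A client that trusts exactly the issuing CA succeeds and is authenticated, the HTTP analogue of `sslmode=verify-full` with `sslrootcert`. A client with `InsecureSkipVerify: true` also succeeds, but would accept an attacker's certificate just as readily. The names `newServer`, `clientWith`, `fetch`, `Outcome` and `Run` are assumptions for this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
)

// newServer starts a local HTTPS server whose self-signed certificate is not in
// the system trust store. Constructed stand-in for a real API host.
func newServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
		fmt.Fprint(w, "ok")
	}))
}

// clientWith builds an http.Client around cfg and enforces a TLS 1.2 floor.
func clientWith(cfg *tls.Config) *http.Client {
	if cfg == nil {
		cfg = &tls.Config{}
	}
	if cfg.MinVersion == 0 {
		cfg.MinVersion = tls.VersionTLS12
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// fetch performs a GET and returns the response body as text.
func fetch(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// Outcome records how each client configuration fared against the server.
type Outcome struct {
	DefaultRejected bool   // system roots: verification refused the connection
	DefaultErr      string // the verification error text, for the reader
	PinnedBody      string // RootCAs = the server's CA: authenticated and encrypted
	SkipVerifyBody  string // InsecureSkipVerify: encrypted to whoever answered
}

// Run exercises the three configurations and returns what happened.
func Run() (Outcome, error) {
	srv := newServer()
	defer srv.Close()
	var out Outcome

	// 1. Default verification against system roots rejects the self-signed
	//    certificate. That failure is the control working, not a bug to suppress.
	_, err := fetch(clientWith(nil), srv.URL)
	out.DefaultRejected = err != nil
	if err != nil {
		out.DefaultErr = err.Error()
	}

	// 2. Trust exactly the CA that issued the server certificate (here the
	//    self-signed cert itself): the analogue of verify-full plus sslrootcert.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	if out.PinnedBody, err = fetch(clientWith(&tls.Config{RootCAs: pool}), srv.URL); err != nil {
		return out, err
	}

	// 3. The anti-pattern: InsecureSkipVerify also makes the error disappear,
	//    but the same client would accept an attacker's certificate unchanged.
	if out.SkipVerifyBody, err = fetch(clientWith(&tls.Config{InsecureSkipVerify: true}), srv.URL); err != nil {
		return out, err
	}
	return out, nil
}

func main() {
	out, err := Run()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Run it with `go run .`; the printed `DefaultErr` is the "certificate signed by unknown authority" message developers are tempted to silence with `InsecureSkipVerify`. The right fix is case 2: ship the internal CA to the client (or use a publicly trusted certificate), never case 3.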

**Checklist:**
- [ ] All HTTP → HTTPS (redirect cleartext requests; do not serve content over plain HTTP)
- [ ] Database connections encrypted and verified (`sslmode=verify-full`; `require` encrypts but skips certificate checks)
- [ ] Redis/memcached TLS
- [ ] Message queues TLS
- [ ] HSTS headers enabled
- [ ] Certificates verified on every client; no `InsecureSkipVerify: true` outside test code

**Tools:** OWASP ZAP, SSLyze, testssl.sh, `openssl s_client` (inspect the negotiated protocol and certificate chain), `crypto/tls`
