---
title: TLS Encryption For All Connections
impact: CRITICAL
impactDescription: protects data in transit from interception
tags: tls, encryption, https, transport, security
---

## TLS Encryption For All Connections

All network communications must use TLS to prevent eavesdropping and man-in-the-middle attacks.

**Incorrect (unencrypted connections):**

```go
// HTTP instead of HTTPS: the request, including any credentials in headers,
// crosses the network in cleartext and the server is never authenticated
http.Get("http://api.example.com/data")

// Unencrypted database connection: sslmode=disable sends the password,
// queries and result rows in the clear
sql.Open("postgres", "host=db.example.com sslmode=disable")
```

**Correct (TLS everywhere):**

```go
// HTTPS for all external calls: the https:// scheme makes net/http negotiate
// TLS and verify the server certificate against the system roots
http.Get("https://api.example.com/data")

// TLS for database: verify-full checks the certificate chain AND that the
// certificate matches the host name (verify-ca checks only the chain, and
// "require" checks neither). The issuing CA must be trusted by the client,
// e.g. via the driver's sslrootcert parameter.
sql.Open("postgres", "host=db.example.com sslmode=verify-full")

// HSTS header in Go: tells browsers to use HTTPS for this host (and its
// subdomains) for the next year. Browsers only honour it on responses that
// already arrived over HTTPS, so it complements, not replaces, the redirect.
func hstsMiddleware(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
        next.ServeHTTP(w, r)
    })
}
```

**Requirements:**
- All HTTP endpoints must redirect to HTTPS
- Database connections must use TLS (verify-full)
- Internal service-to-service calls (gRPC/HTTP) must use TLS
- HSTS headers should be enabled
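
The HTTP-to-HTTPS redirect, the outbound-call rule and the client-side TLS settings above, as an added Go example that is not part of this rule file. The helper names (`redirectToHTTPS`, `requireHTTPS`, `tlsClient`) and the `cert.pem`/`key.pem` paths are assumptions chosen for illustration; everything else uses only the standard library.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"log"
	"net"
	"net/http"
	"net/url"
	"time"
)

// redirectToHTTPS answers every plain-HTTP request with a permanent redirect to the
// same host, path and query on https://. Hypothetical helper written for this example.
func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	host := r.Host
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h // drop an explicit ":80" so the redirect lands on the default TLS port
	}
	target := url.URL{Scheme: "https", Host: host, Path: r.URL.Path, RawQuery: r.URL.RawQuery}
	http.Redirect(w, r, target.String(), http.StatusPermanentRedirect)
}

// requireHTTPS rejects an outbound URL that is not https:// before any request is
// made, so a misconfigured endpoint fails closed instead of leaking data in cleartext.
func requireHTTPS(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" {
		return nil, errors.New("refusing non-TLS URL: " + raw)
	}
	return u, nil
}

// tlsClient builds an http.Client that negotiates TLS 1.2 or newer only and verifies
// server certificates against roots (nil means the system trust store).
// Certificate verification stays enabled; InsecureSkipVerify is never set.
func tlsClient(roots *x509.CertPool) *http.Client {
	return &http.Client{
		Timeout: 10 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				MinVersion: tls.VersionTLS12,
				RootCAs:    roots,
			},
		},
	}
}

func main() {
	// Port 80 does nothing but redirect; all real traffic is served over TLS on 443.
	go func() { log.Fatal(http.ListenAndServe(":80", http.HandlerFunc(redirectToHTTPS))) }()

	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("ok")) })

	// Outbound call: refuse to proceed unless the configured URL is https://.
	if _, err := requireHTTPS("https://api.example.com/data"); err != nil {
		log.Fatal(err)
	}

	// cert.pem / key.pem are placeholder paths for the server certificate and private key.
	log.Fatal(http.ListenAndServeTLS(":443", "cert.pem", "key.pem", mux))
}
```

Wrap `mux` with the `hstsMiddleware` shown earlier to add the HSTS header on the TLS listener only; the redirect listener should never send it, since browsers discard HSTS received over plain HTTP. `requireHTTPS` is the check to run over every URL loaded from configuration, so a stray `http://` cannot reach production unnoticed.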

**Tools:** `crypto/tls`, SSLyze, Qualys SSL Labs
