---
title: TLS Encryption For All Connections
impact: CRITICAL
impactDescription: protects data in transit from interception and tampering
tags: tls, encryption, https, transport, security, kotlin
---

## TLS Encryption For All Connections

All network communications, whether between the client and server or between internal services, must be encrypted using TLS. Unencrypted connections (HTTP, raw JDBC) let an attacker positioned on the network path perform Man-in-the-Middle (MitM) attacks to read or tamper with sensitive data.

**Incorrect (unencrypted connections):**

```kotlin
import io.ktor.client.*
import io.ktor.client.engine.cio.*
import io.ktor.client.request.*

// VULNERABLE: plain HTTP; request and response cross the network in cleartext
val client = HttpClient(CIO)
client.get("http://api.production.sun-asterisk.vn/data") // suspend call, run inside a coroutine

// VULNERABLE: no TLS requested; pgjdbc defaults to sslmode=prefer, so the
// connection silently falls back to plaintext if the server does not offer TLS
val url = "jdbc:postgresql://db.sun-asterisk.vn:5432/mydb"
```

**Correct (TLS everywhere):**

```kotlin
// 1. HTTPS for all external API calls
client.get("https://api.production.sun-asterisk.vn/data")

// 2. TLS for database connections
// ssl=true makes pgjdbc negotiate TLS; set sslmode=verify-full explicitly so the
// server certificate and hostname are verified (sslmode=require encrypts but
// does not verify the certificate, leaving the connection open to MitM)
val url = "jdbc:postgresql://db.sun-asterisk.vn:5432/mydb?ssl=true&sslmode=verify-full"

// 3. Enabling HSTS to force browsers to use HTTPS
// In Ktor (server plugin from io.ktor.server.plugins.hsts):
install(HSTS) {
    maxAgeInSeconds = 31536000 // 1 year
    includeSubDomains = true
}

// 4. Redirecting HTTP to HTTPS
// In Spring Security:
// http.requiresChannel().anyRequest().requiresSecure()
```

**Requirements:**
- All endpoints must strictly use HTTPS.
- Plain HTTP requests must be redirected to HTTPS.
- Use HSTS (`Strict-Transport-Security`) headers to prevent protocol downgrade attacks.
- Ensure internal service-to-service communication is also encrypted (e.g., using a Service Mesh or internal CAs).
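The requirements above can be audited mechanically. The following Python checker is an added example, not part of this rule's Kotlin samples; it evaluates the three controls the rule asks for (HTTPS scheme, pgjdbc TLS mode, HSTS header, HTTP-to-HTTPS redirect) against constructed sample values taken from the snippets above.

```python
from urllib.parse import parse_qs, urlparse

ONE_YEAR = 31_536_000  # the max-age the rule's HSTS sample sets (one year)

def check_url_scheme(url: str) -> list[str]:
    """All endpoints must be HTTPS; any other scheme is a finding."""
    scheme = urlparse(url).scheme.lower()
    return [] if scheme == "https" else [f"{url}: scheme '{scheme}' is not https"]

def check_jdbc_url(url: str) -> list[str]:
    """pgjdbc: only sslmode=verify-full checks the server certificate AND hostname.
    ssl=true with no sslmode is treated by the driver as verify-full; with neither
    set the driver defaults to sslmode=prefer, which falls back to plaintext."""
    query = urlparse(url.removeprefix("jdbc:")).query
    params = {k.lower(): v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}
    mode = params.get("sslmode", "").lower()
    if not mode:
        if params.get("ssl", "").lower() == "true":
            return []  # driver-implied verify-full
        return [f"{url}: no TLS requested (default sslmode=prefer permits plaintext)"]
    if mode == "verify-full":
        return []
    return [f"{url}: sslmode={mode} does not verify certificate and hostname"]

def check_hsts(header: str) -> list[str]:
    """Strict-Transport-Security needs max-age >= one year plus includeSubDomains."""
    if not header:
        return ["HSTS header missing"]
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        directives[name.lower()] = value.strip().strip('"')
    findings = []
    age = directives.get("max-age", "")
    if not age.isdigit():
        findings.append("HSTS max-age missing or not numeric")
    elif int(age) < ONE_YEAR:
        findings.append(f"HSTS max-age {age} is below {ONE_YEAR}")
    if "includesubdomains" not in directives:
        findings.append("HSTS includeSubDomains missing")
    return findings

def check_http_redirect(status: int, location: str, host: str) -> list[str]:
    """A plain-HTTP request must be redirected to the same host over HTTPS."""
    target = urlparse(location)
    if status not in (301, 302, 307, 308) or target.scheme != "https" or target.hostname != host:
        return [f"http://{host}: expected redirect to https://{host}, got {status} {location!r}"]
    return []
```

Feed it the scheme of every configured endpoint, the JDBC URLs from your configuration, and the status/headers captured from one plain-HTTP and one HTTPS request; an empty list from every check means the transport requirements are met.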

**Tools:** OWASP ZAP, SSLyze, Qualys SSL Labs, Manual Review
