---
title: Always Use TLS For All Connections
impact: HIGH
impactDescription: protects data in transit from eavesdropping and man-in-the-middle attacks
tags: tls, https, encryption, transport, security, php
---

## Always Use TLS For All Connections

Unencrypted connections (plain HTTP, MySQL without TLS, plain Redis) can be read and modified by anyone on the network path, whether that is the public internet or a shared internal network. You must enforce TLS, with certificate verification, for all external and internal communications.

**Incorrect (unencrypted connections):**

```php
// 1. Plain HTTP API calls
$data = file_get_contents("http://api.example.com/data");

// 2. Database without encryption
$pdo = new PDO("mysql:host=db.example.com;dbname=test", "user", "pass");

// 3. Unencrypted Redis
$redis = new Redis();
$redis->connect('redis.example.com', 6379);
```

**Correct (TLS everywhere):**

```php
// 1. HTTPS for APIs (PHP verifies the peer certificate by default for https:// streams;
//    never set 'verify_peer' => false in a stream context)
$data = file_get_contents("https://api.example.com/data");

// 2. Database with TLS (PDO MySQL): the CA file pins which certificates are trusted,
//    and VERIFY_SERVER_CERT makes the hostname check fail closed
$pdo = new PDO(
    "mysql:host=db.example.com;dbname=test",
    "user", "pass",
    [
        PDO::MYSQL_ATTR_SSL_CA => '/path/to/ca-cert.pem',
        PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true,
    ]
);

// 3. Redis with TLS (PhpRedis): tls:// scheme plus a stream context that verifies the peer
$redis = new Redis();
$redis->connect('tls://redis.example.com', 6380, 1.5, null, 0, 0, [
    'stream' => [
        'cafile' => '/path/to/ca-cert.pem',
        'verify_peer' => true,
    ],
]);

// 4. Force HTTPS in Application (Laravel Middleware, inside handle())
if (! $request->secure() && App::environment('production')) {
    return redirect()->secure($request->getRequestUri());
}

// 5. HSTS Header (send it only on HTTPS responses; browsers ignore it over plain HTTP)
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload");
```
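The following is an added example, not code from the original page: a fail-closed guard that rejects plaintext schemes in URL-style endpoint configuration and performs an HTTPS fetch with explicit verification settings. The helper names (`assertTlsEndpoints`, `tlsOnlyGet`) and the CA path are assumptions, and the sample configuration is constructed.

```php
<?php
// Added example (hypothetical helpers, not a library API).

/** Reject any URL-style endpoint whose scheme is not a TLS one. */
function assertTlsEndpoints(array $endpoints): void
{
    $allowed = ['https', 'tls', 'rediss']; // plain http, tcp, redis are never accepted
    foreach ($endpoints as $name => $url) {
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        if (!in_array($scheme, $allowed, true)) {
            throw new RuntimeException("$name must use TLS, got scheme '$scheme': $url");
        }
    }
}

/** HTTPS GET that verifies the peer and refuses to follow a redirect to http://. */
function tlsOnlyGet(string $url, string $caFile): string
{
    assertTlsEndpoints(['url' => $url]);
    $ctx = stream_context_create([
        'http' => ['follow_location' => 0, 'timeout' => 5],
        'ssl'  => [
            'verify_peer'         => true,
            'verify_peer_name'    => true,
            'cafile'              => $caFile,               // placeholder path
            'crypto_method'       => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT
                                   | STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT,
            'disable_compression' => true,
        ],
    ]);
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        throw new RuntimeException("TLS fetch of $url failed (certificate or transport error)");
    }
    return $body;
}

// Constructed sample config: the Redis entry is deliberately plaintext and trips the check.
$endpoints = [
    'api'   => 'https://api.example.com/data',
    'redis' => 'tcp://redis.example.com:6379',
];
try {
    assertTlsEndpoints($endpoints);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Run the guard once at boot (or in a PHPUnit test over the loaded config) so a plaintext endpoint fails deployment rather than silently downgrading a connection.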

**Checklist:**
- [ ] All external API calls use `https://`.
- [ ] Database connections use SSL/TLS attributes.
- [ ] Redis/Cache connections use `tls://`.
- [ ] HSTS headers are enabled in production.
- [ ] Web server (Nginx/Apache) redirects all HTTP traffic to HTTPS.

**Tools:** OWASP ZAP, SSLyze, Qualys SSL Labs, PHPUnit (to verify connection stubs)
