---
title: TLS Encryption For All Connections
impact: CRITICAL
impactDescription: protects data in transit and ensures server identity verification
tags: tls, encryption, https, transport, security, php
---

## TLS Encryption For All Connections

To maintain data confidentiality and integrity, all network traffic—including communication between your application and users, and between your application and internal services (databases, caches)—must be encrypted using TLS.

**Incorrect (unencrypted connections):**

```php
// Plain HTTP
file_get_contents("http://internal-service/api");

// Database without TLS/SSL flags
$dsn = "mysql:host=db.production;dbname=secret";
$pdo = new PDO($dsn, "user", "pass");
```

**Correct (enforced TLS):**

```php
// 1. Mandatory HTTPS for all service calls: the URL scheme is https://, never http://
$response = $httpClient->get("https://internal-service/api");

// 2. Enforced TLS for the database: the client must validate the server
//    certificate against the CA bundle; a server that cannot present a
//    certificate chaining to it is rejected rather than connected to in plaintext
$dsn = "mysql:host=db.production;dbname=secret";
$pdo = new PDO($dsn, "user", "pass", [
    PDO::MYSQL_ATTR_SSL_CA                 => '/etc/ssl/certs/ca-certificates.crt',
    PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true,
]);

// 3. Ensuring the PHP application knows it is behind HTTPS (for link generation)
// In Laravel (app/Providers/AppServiceProvider.php, inside boot())
use Illuminate\Support\Facades\App;
use Illuminate\Support\Facades\URL;

if (App::environment('production')) {
    URL::forceScheme('https');
}
```
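The client-side half of the rule, as an added example that is not part of the original rule text: a plain-PHP helper that refuses `http://` URLs before any bytes leave the host, verifies both the certificate chain and the hostname against a CA bundle, and offers only TLS 1.2/1.3 in the handshake. It also reports the negotiated protocol version so a deployment check can confirm that legacy versions are really gone. The CA bundle path and the `internal-service` hostname are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original rule. The CA bundle path and the
// hostnames used below are assumptions for illustration.

const DEFAULT_CA_BUNDLE = '/etc/ssl/certs/ca-certificates.crt';

/** Stream context with verification on and legacy protocol versions removed. */
function tlsOnlyContext(string $caBundle = DEFAULT_CA_BUNDLE)
{
    // STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT needs PHP >= 7.4 built against OpenSSL 1.1.1+
    return stream_context_create([
        'ssl' => [
            'verify_peer'       => true,   // chain must validate against $caBundle
            'verify_peer_name'  => true,   // certificate must match the URL hostname
            'allow_self_signed' => false,
            'cafile'            => $caBundle,
            'crypto_method'     => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT
                                 | STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT,
        ],
    ]);
}

/** Fetch a URL, failing closed on anything that is not verified HTTPS. */
function fetchOverTls(string $url, string $caBundle = DEFAULT_CA_BUNDLE): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== 'https') {
        // Reject http:// (and anything else) before a single byte leaves the host
        throw new InvalidArgumentException("Refusing non-HTTPS URL: $url");
    }

    $body = @file_get_contents($url, false, tlsOnlyContext($caBundle));
    if ($body === false) {
        // Covers certificate and hostname verification failures as well as
        // network errors. The fix is never to retry over http:// or to turn
        // verify_peer off.
        $err = error_get_last()['message'] ?? 'unknown error';
        throw new RuntimeException("TLS fetch of $url failed: $err");
    }
    return $body;
}

/** Report the protocol version actually negotiated with a host (deployment check). */
function negotiatedProtocol(string $host, int $port = 443, string $caBundle = DEFAULT_CA_BUNDLE): string
{
    $sock = @stream_socket_client(
        "tls://$host:$port", $errno, $errstr, 10,
        STREAM_CLIENT_CONNECT, tlsOnlyContext($caBundle)
    );
    if ($sock === false) {
        throw new RuntimeException("TLS handshake with $host:$port failed: $errstr ($errno)");
    }
    $meta = stream_get_meta_data($sock);
    fclose($sock);
    return $meta['crypto']['protocol'] ?? 'unknown'; // e.g. "TLSv1.3"
}

// Usage (hostname is an assumption):
// $json = fetchOverTls('https://internal-service/api');
// echo negotiatedProtocol('internal-service'), PHP_EOL;
```

Because the context never lists `STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT` or `_TLSv1_1_CLIENT`, a server that only speaks those versions fails the handshake instead of being silently accepted, which is the behaviour the "Modern TLS" requirement below asks for on the client side.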

**Global Compliance Requirements:**
- **Redirects**: All `http://` requests must return a `301` redirect to `https://`.
- **HSTS**: Send the `Strict-Transport-Security` header on all HTTPS responses with a `max-age` of at least 1 year.
- **Modern TLS**: Use TLS 1.2 or 1.3 only; disable SSLv3, TLS 1.0, and TLS 1.1.
- **Verification**: Always verify server certificates (`verify_peer => true`). Never disable verification to "make it work" in dev environments.
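The redirect and HSTS requirements above as one front-controller check, added here as an example and not part of the original rule: the decision is returned as a list of headers so it can be unit tested without a web server, and the `Location` target is built only from an allow-listed hostname rather than from the raw `Host` header. The hostnames in the allow-list and the `behindTrustedProxy` flag are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original rule. Hostnames are assumptions.

const HSTS_MAX_AGE = 31536000; // one year, in seconds

/**
 * Decide the transport response for a request.
 *
 * @param array    $server             the $_SERVER array
 * @param string[] $allowedHosts       canonical hostnames we are willing to redirect to
 * @param bool     $behindTrustedProxy true only when a TLS-terminating proxy we
 *                                     control overwrites X-Forwarded-Proto
 * @return string[]                    status line followed by headers
 */
function transportHeaders(array $server, array $allowedHosts, bool $behindTrustedProxy = false): array
{
    $https = isset($server['HTTPS']) && $server['HTTPS'] !== '' && $server['HTTPS'] !== 'off';

    // X-Forwarded-Proto is client-controlled unless a trusted proxy overwrites it,
    // so it is only honoured when the deployment says such a proxy exists.
    if (!$https && $behindTrustedProxy) {
        $first = explode(',', $server['HTTP_X_FORWARDED_PROTO'] ?? '')[0];
        $https = strtolower(trim($first)) === 'https';
    }

    // Never build the Location target from an arbitrary Host header; fall back
    // to the canonical hostname so the redirect cannot leave our own domain.
    $host = strtolower($server['HTTP_HOST'] ?? '');
    if (!in_array($host, $allowedHosts, true)) {
        $host = $allowedHosts[0];
    }

    if (!$https) {
        $path = $server['REQUEST_URI'] ?? '/';
        return [
            'HTTP/1.1 301 Moved Permanently',
            'Location: https://' . $host . $path,
        ];
    }

    // HSTS only has an effect on an HTTPS response; browsers ignore it over http://
    return [
        'HTTP/1.1 200 OK',
        'Strict-Transport-Security: max-age=' . HSTS_MAX_AGE . '; includeSubDomains',
    ];
}

/** Emit the decision and stop the request when it was a redirect. */
function enforceHttps(array $allowedHosts, bool $behindTrustedProxy = false): void
{
    $headers = transportHeaders($_SERVER, $allowedHosts, $behindTrustedProxy);
    foreach ($headers as $h) {
        header($h);
    }
    if (strpos($headers[0], ' 301 ') !== false) {
        exit;
    }
}

// Usage at the top of the front controller (hostname is an assumption):
// enforceHttps(['app.example.internal'], true);
```

Leave `$behindTrustedProxy` at `false` unless the TLS-terminating proxy is known to set `X-Forwarded-Proto` on every request; otherwise a plain-HTTP client can add the header itself and skip the redirect.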

**Tools:** `SSLyze`, `nmap` (with the `ssl-enum-ciphers` script), `Qualys SSL Labs`, `SecurityHeaders.com`
