Encryption in Transit
Also Known As
TLS
HTTPS
mTLS
in-transit encryption
transport security
TL;DR
Encrypting data moving between systems using TLS — protecting against interception, tampering, and man-in-the-middle attacks on all network communication.
Explanation
Encryption in transit uses TLS (Transport Layer Security) to protect data between: browsers and web servers (HTTPS), services communicating internally (mTLS), application servers and databases, and message queues. HTTPS alone is insufficient if internal traffic is unencrypted — an attacker who compromises an internal network segment can intercept database credentials. Mutual TLS (mTLS) requires both parties to present certificates, eliminating the need for credentials in service-to-service communication.
Common Misconception
✗ HTTPS means all traffic is encrypted — HTTPS encrypts the browser-to-server leg; database connections, internal service calls, and message queue connections are often unencrypted unless explicitly configured.
Why It Matters
A PHP application using HTTPS but connecting to MySQL over an unencrypted connection leaks database credentials and query results to anyone on the same network segment.
Common Mistakes
- MySQL connection without SSL — credentials and all data in plaintext on the network.
- CURLOPT_SSL_VERIFYPEER = false — disables certificate verification, enabling MITM.
- Internal microservice communication over plain HTTP — encrypted external, unencrypted internal.
- Not using HSTS — browsers keep sending plain-HTTP requests (typed URLs, old links) that an attacker on the path can intercept before the server's redirect to HTTPS ever happens, instead of upgrading them locally.
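The last two mistakes (plain HTTP between services, no HSTS) are not addressed by the curl and PDO snippets below, so here is an added PHP example, not code from the original page, that enforces HTTPS at the application layer and emits HSTS only on TLS responses (browsers ignore the header over plain HTTP). The function names, the trusted-proxy address 10.0.0.2 and the fallback host are assumptions made for the example.

```php
<?php
// Added example (not from the original page): redirect plain HTTP to HTTPS and
// emit HSTS on the HTTPS leg. Function names and the proxy address are assumed.
declare(strict_types=1);

/**
 * Decide whether a request arrived over TLS. X-Forwarded-Proto is trusted only
 * when the immediate peer is a known reverse proxy; otherwise any client could
 * forge it and bypass the redirect.
 */
function requestIsHttps(array $server, array $trustedProxies): bool
{
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        return true;
    }
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (in_array($peer, $trustedProxies, true)) {
        return strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
    }
    return false;
}

/**
 * Returns the status code and headers to send, so the policy can be unit-tested
 * without a web server. Plain-HTTP requests get a cacheable 301 to https://;
 * HTTPS requests get an HSTS header so the browser upgrades later requests
 * itself and never sends them over http:// again.
 */
function transportSecurityPolicy(array $server, array $trustedProxies): array
{
    $host = $server['HTTP_HOST'] ?? 'app.example.internal'; // assumed fallback
    $uri  = $server['REQUEST_URI'] ?? '/';
    if (!requestIsHttps($server, $trustedProxies)) {
        return ['status' => 301, 'headers' => ['Location' => 'https://' . $host . $uri]];
    }
    return ['status' => 200, 'headers' => [
        'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains',
    ]];
}

// Usage at the very top of the front controller, before any output:
$policy = transportSecurityPolicy($_SERVER, ['10.0.0.2']); // assumed proxy IP
http_response_code($policy['status']);
foreach ($policy['headers'] as $name => $value) {
    header($name . ': ' . $value);
}
if ($policy['status'] === 301) {
    exit; // never serve application content over plain HTTP
}
```

HSTS protects every visit after the first successful HTTPS response for max-age seconds; the very first request from a fresh browser is only covered if the domain is on the browser preload list, which is why the redirect and the header are used together.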
Code Examples
✗ Vulnerable
// Unverified TLS — MITM possible:
$ch = curl_init('https://payment-api.internal');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Never!
// MySQL without SSL:
$pdo = new PDO('mysql:host=db.internal', 'user', 'pass');
// Credentials and queries in plaintext
✓ Fixed
// Verified TLS:
$ch = curl_init('https://payment-api.internal');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); // Default — keep it
curl_setopt($ch, CURLOPT_CAINFO, '/etc/ssl/certs/ca-certificates.crt');
// MySQL with TLS:
$pdo = new PDO(
'mysql:host=db.internal',
'user', 'pass',
[
// The CA bundle is a driver option; the PDO MySQL DSN has no ssl_ca key
PDO::MYSQL_ATTR_SSL_CA => '/etc/ssl/mysql-ca.pem',
PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true,
]
);
// mTLS with client certificate:
curl_setopt($ch, CURLOPT_SSLCERT, '/certs/client.crt');
curl_setopt($ch, CURLOPT_SSLKEY, '/certs/client.key');
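Configuration alone does not prove a connection is encrypted: a misspelled option key or an older driver can silently fall back to plaintext. As an added example, not code from the original page, the following PHP (8.0+ for the CurlHandle type) wraps the fixes above in factory functions and verifies at runtime that the MySQL session negotiated a cipher, while pinning the HTTP client to HTTPS-only with a TLS 1.2 floor. Hostnames, credentials, certificate paths and the dbname are placeholders.

```php
<?php
// Added example (not from the original page): fail closed if transport
// encryption is not actually in effect. Paths, hosts and credentials are assumed.
declare(strict_types=1);

/**
 * Open a MySQL connection that refuses to proceed without TLS. The CA bundle and
 * server-certificate verification are driver options, not DSN keys.
 */
function mysqlTlsConnection(string $host, string $user, string $pass): PDO
{
    $pdo = new PDO('mysql:host=' . $host . ';dbname=app', $user, $pass, [
        PDO::MYSQL_ATTR_SSL_CA                 => '/etc/ssl/mysql-ca.pem', // assumed path
        PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true,
        PDO::ATTR_ERRMODE                      => PDO::ERRMODE_EXCEPTION,
    ]);
    assertMysqlSessionEncrypted($pdo);
    return $pdo;
}

/**
 * Ask the server which cipher protects this session. Ssl_cipher is an empty
 * string when the client connected in plaintext, whatever the config said.
 */
function assertMysqlSessionEncrypted(PDO $pdo): string
{
    $row = $pdo->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch(PDO::FETCH_ASSOC);
    $cipher = $row['Value'] ?? '';
    if ($cipher === '') {
        throw new RuntimeException('MySQL session is not encrypted; refusing to continue');
    }
    return $cipher; // e.g. TLS_AES_256_GCM_SHA384 on a healthy connection
}

/**
 * Build a curl handle with peer and hostname verification on, TLS 1.2 as the
 * minimum version, and HTTPS as the only allowed protocol so that neither the
 * initial request nor a redirect can drop to http://. Optional mTLS client cert.
 */
function httpsClient(string $url, ?string $clientCert = null, ?string $clientKey = null): CurlHandle
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2, // check the certificate name matches the host
        CURLOPT_CAINFO          => '/etc/ssl/certs/ca-certificates.crt',
        CURLOPT_SSLVERSION      => CURL_SSLVERSION_TLSv1_2,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
    ]);
    if ($clientCert !== null && $clientKey !== null) {
        // mTLS: present our own certificate so the peer can authenticate us
        curl_setopt($ch, CURLOPT_SSLCERT, $clientCert);
        curl_setopt($ch, CURLOPT_SSLKEY, $clientKey);
    }
    return $ch;
}

// Usage: an exception here is the desired outcome when TLS cannot be established.
$pdo  = mysqlTlsConnection('db.internal', 'user', 'pass');
$ch   = httpsClient('https://payment-api.internal', '/certs/client.crt', '/certs/client.key');
$body = curl_exec($ch);
if ($body === false) {
    throw new RuntimeException('TLS or transport failure: ' . curl_error($ch));
}
```

Running assertMysqlSessionEncrypted once at startup, and logging the returned cipher, gives operations a cheap detection signal for the "database connection silently in plaintext" case described under Why It Matters.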
Added
16 Mar 2026
Edited
22 Mar 2026
Tools & Severity
🔴 Critical
⚙ Fix effort: Medium
⚡ Quick Fix
Enforce HTTPS for all traffic and between all internal services — use mTLS for service-to-service communication and verify CURLOPT_SSL_VERIFYPEER is never disabled in PHP
📦 Applies To
any
web
api
cli
🔍 Detection Hints
Internal service calls made over HTTP instead of HTTPS; CURLOPT_SSL_VERIFYPEER set to false; PHP talking to Redis without TLS in production
Auto-detectable:
✓ Yes
semgrep
ssllabs
owasp-zap
🤖 AI Agent
Confidence: High
False Positives: Low
✓ Auto-fixable
Fix: Low
Context: File
CWE-319
CWE-311