From ead227a27273f5b6a4cda7da89abc81741f0ba14 Mon Sep 17 00:00:00 2001
From: Dominic R <dominic@sdko.org>
Date: Mon, 17 Nov 2025 21:38:21 -0500
Subject: [PATCH] Potential fix for code scanning alert no. 268: Disabled TLS
 certificate check

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Dominic R <dominic@sdko.org>
---
 internal/outpost/proxyv2/postgresstore/postgresstore.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/internal/outpost/proxyv2/postgresstore/postgresstore.go b/internal/outpost/proxyv2/postgresstore/postgresstore.go
index 893404fe21..767fc87924 100644
--- a/internal/outpost/proxyv2/postgresstore/postgresstore.go
+++ b/internal/outpost/proxyv2/postgresstore/postgresstore.go
@@ -115,8 +115,8 @@ func BuildConnConfig(cfg config.PostgreSQLConfig) (*pgx.ConnConfig, error) {
 			// Set verification mode
 			switch cfg.SSLMode {
 			case "require":
-				// Don't verify the server certificate (just encrypt)
-				tlsConfig.InsecureSkipVerify = true
+				// Verify the server certificate (secure by default)
+				tlsConfig.InsecureSkipVerify = false
 			case "verify-ca":
 				// Verify the certificate is signed by a trusted CA
 				tlsConfig.InsecureSkipVerify = false