diff --git a/.github/actions/lint-terraform/action.yaml b/.github/actions/lint-terraform/action.yaml
index 6957a0370..4fd1b2ddd 100644
--- a/.github/actions/lint-terraform/action.yaml
+++ b/.github/actions/lint-terraform/action.yaml
@@ -11,7 +11,8 @@ runs:
 shell: bash
 run: |
 asdf plugin add terraform || true
- asdf install terraform || true
+ asdf install terraform
+ asdf current terraform
 - name: "Check Terraform format"
 shell: bash
 run: |
diff --git a/infrastructure/terraform/components/api/api_gateway_rest_api.tf b/infrastructure/terraform/components/api/api_gateway_rest_api.tf
index aadbc0be8..1b259235e 100644
--- a/infrastructure/terraform/components/api/api_gateway_rest_api.tf
+++ b/infrastructure/terraform/components/api/api_gateway_rest_api.tf
@@ -3,4 +3,8 @@ resource "aws_api_gateway_rest_api" "main" {
 body = local.openapi_spec
 description = "Suppliers API"
 disable_execute_api_endpoint = var.disable_gateway_execute_endpoint
+
+ lifecycle {
+ replace_triggered_by = [terraform_data.rest_api_security_policy]
+ }
 }
diff --git a/infrastructure/terraform/components/api/api_gateway_rest_api_tls.tf b/infrastructure/terraform/components/api/api_gateway_rest_api_tls.tf
new file mode 100644
index 000000000..efef825f1
--- /dev/null
+++ b/infrastructure/terraform/components/api/api_gateway_rest_api_tls.tf
@@ -0,0 +1,11 @@
+locals {
+ rest_api_security_policy = "SecurityPolicy_TLS12_PFS_2025_EDGE"
+ rest_api_endpoint_access_mode = "STRICT"
+}
+
+resource "terraform_data" "rest_api_security_policy" {
+ input = {
+ security_policy = local.rest_api_security_policy
+ endpoint_access_mode = local.rest_api_endpoint_access_mode
+ }
+}
diff --git a/infrastructure/terraform/components/api/locals.tf b/infrastructure/terraform/components/api/locals.tf
index 46c7aca72..9c68dbd3f 100644
--- a/infrastructure/terraform/components/api/locals.tf
+++ b/infrastructure/terraform/components/api/locals.tf
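Review bot: The context line `asdf plugin add terraform || true` directly above the changed lines still swallows every failure of the plugin fetch, so a broken or unreachable plugin source now surfaces only as an unrelated-looking `asdf install terraform` error two lines later; the idiom that tolerates only the already-added case is `asdf plugin list | grep -qx terraform || asdf plugin add terraform`. No git URL is given on that line, so the plugin appears to be resolved from asdf's shortname registry at whatever commit is current, which is an unpinned dependency executed in CI — pinning it (`asdf plugin add terraform <git-url>` then `asdf plugin update terraform <ref>`) would make the toolchain install reproducible. The new `asdf current terraform` line is a useful check; it presumably fails the step when no version resolves from `.tool-versions`, which is worth stating in a one-line comment above it. The `runs:` block of this composite action continues outside the hunk on both sides.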
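Review bot: The added `replace_triggered_by = [terraform_data.rest_api_security_policy]` destroys and recreates the entire REST API — new API id, new invoke URL — whenever the policy or access-mode value changes, and nothing in the hunk explains why an in-place update of `body` is not sufficient. That is a deliberately disruptive choice (the stage, deployments, base-path mappings and any resource policy keyed on the API id are rebuilt or left dangling), so the block needs a why-comment, e.g. `# A changed TLS policy / endpoint access mode is not applied by updating the body in place; force a new REST API so the policy takes effect.` — adjusted to the actual reason observed. If the replacement is genuinely unavoidable, the rollout should be sequenced per environment and the dependents checked, since each change will be a short outage. The rest of the `aws_api_gateway_rest_api.main` resource starts above the hunk.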
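Review bot: The two constants in `locals` are bare strings with no comment saying what `SecurityPolicy_TLS12_PFS_2025_EDGE` and `STRICT` enforce or why they were chosen over the defaults, and the `_EDGE` suffix ties the policy to an EDGE endpoint type while the API's `endpoint_configuration` is not visible in this change — if the API is REGIONAL or PRIVATE the import may reject it, which is worth confirming. I would put above the `locals` block `# TLS 1.2 minimum with PFS cipher suites on the edge endpoint; changing either value recreates the REST API (see lifecycle in api_gateway_rest_api.tf).` plus one line describing what STRICT access mode rejects, since that is the behaviour an on-call engineer will be asked about. Keeping these as locals rather than variables is a good choice because it prevents a per-environment downgrade; that intent should be stated too. The `terraform_data` resource also deserves a one-line comment noting it exists only as a replacement trigger and has no effect of its own.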
@@ -7,6 +7,8 @@ locals {
 openapi_spec = templatefile("${path.module}/resources/spec.tmpl.json", {
 APIG_EXECUTION_ROLE_ARN = aws_iam_role.api_gateway_execution_role.arn
 AWS_REGION = var.region
+ SECURITY_POLICY = local.rest_api_security_policy
+ ENDPOINT_ACCESS_MODE = local.rest_api_endpoint_access_mode
 AUTHORIZER_LAMBDA_ARN = module.authorizer_lambda.function_arn
 GET_LETTER_LAMBDA_ARN = module.get_letter.function_arn
 GET_LETTERS_LAMBDA_ARN = module.get_letters.function_arn
diff --git a/infrastructure/terraform/components/api/resources/spec.tmpl.json b/infrastructure/terraform/components/api/resources/spec.tmpl.json
index 5d3337807..5efb7ac0c 100644
--- a/infrastructure/terraform/components/api/resources/spec.tmpl.json
+++ b/infrastructure/terraform/components/api/resources/spec.tmpl.json
@@ -307,5 +307,7 @@
 }
 }
 }
- }
+ },
+ "x-amazon-apigateway-endpoint-access-mode": "${ENDPOINT_ACCESS_MODE}",
+ "x-amazon-apigateway-security-policy": "${SECURITY_POLICY}"
 }