diff --git a/core/cmd/shell.go b/core/cmd/shell.go
index 5ae9f29b360..05400112668 100644
--- a/core/cmd/shell.go
+++ b/core/cmd/shell.go
@@ -540,10 +540,15 @@ func NewAuthenticatedHTTPClient(lggr logger.Logger, clientOpts ClientOpts, cooki
 }
 
 func newHttpClient(lggr logger.Logger, insecureSkipVerify bool) *http.Client {
+ tlsConfig := &tls.Config{InsecureSkipVerify: insecureSkipVerify}
+ if !insecureSkipVerify {
+ tlsConfig.MinVersion = tls.VersionTLS12 // Enforce TLS 1.2 minimum for production security
+ }
+
 tr := &http.Transport{
 // User enables this at their own risk!
 // #nosec G402
- TLSClientConfig: &tls.Config{InsecureSkipVerify: insecureSkipVerify},
+ TLSClientConfig: tlsConfig,
 }
 if insecureSkipVerify {
 lggr.Warn("InsecureSkipVerify is on, skipping SSL certificate verification.")
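Review bot: The TLS 1.2 floor is set only inside `if !insecureSkipVerify`, so the client built with verification disabled gets no explicit MinVersion and relies on whatever default the Go toolchain in use applies; skipping certificate checks is no reason to leave the protocol version unpinned as well. Setting it unconditionally in the literal removes the branch: `tlsConfig := &tls.Config{InsecureSkipVerify: insecureSkipVerify, MinVersion: tls.VersionTLS12}`. The `// User enables this at their own risk!` and `// #nosec G402` comments now sit above `TLSClientConfig: tlsConfig,` rather than above the line that sets InsecureSkipVerify, so the suppression probably no longer covers the expression the linter flags and should move up with the literal. The body of newHttpClient continues past the end of the hunk.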