You can just add encryption to your backend private network (e.g. Wireguard)

Which has the benefit of encrypting everything and avoids the overhead of starting a TLS socket for every http connection.

If you're going that route, you may as well just do HTTPS again. If you configure your TLS cookies and session resumption right, you'll get all of the advantages of fancy post-quantum crypto without having to go back to the days of manually setting up encrypted tunnels like when IPSec did the rounds.

Wait, are some people actively downvoting advice encouraging the use of encryption in internal networks? I sure hope those people don't go anywhere near the software industry because that's utterly reckless in the post-Snowden world.

People are all over the place. I had to talk someone into SSH over VPN being double encrypted isn’t a waste.