HIGHSecuritysmallManaged Databases

Grant least-privilege roles; never let apps use superuser

Create scoped application roles with only the privileges they need; reserve superuser/owner accounts for migrations and admin.

Why This Matters

A leaked superuser/owner credential lets an attacker read, alter, or drop the entire database with no guardrails.

Related Rules

Configure Connection Pooling

Performance

CRITICAL

Verify Backup and Recovery Configuration

Architecture

CRITICAL

Use Database Branching for Migrations

Architecture

HIGH

Require TLS/SSL on all database connections

Security

HIGH

Catch this automatically on every PR

BeforeMerge scans your pull requests against this rule and dozens more. Get actionable feedback before code ships.

Join Waitlist Browse All Rules

Why this matters

Applications that connect as the database owner or superuser can drop tables, disable RLS, and read everything. If that credential leaks, the blast radius is the whole database. Give each app a narrowly scoped role.

-- Bad: app connects as owner/superuser
GRANT ALL PRIVILEGES ON DATABASE app TO app_user;
 
-- Good: scoped role with only what it needs
CREATE ROLE app_user LOGIN;
GRANT CONNECT ON DATABASE app TO app_user;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO app_user;