
Remote access to Heroku Postgres Hobby tier without SSL


Why am I able to access a hobby-dev Postgres in Heroku without SSL?

This is my Node code:

const { Client } = require('pg');
const connectionString = process.env.DATABASE_URL;

// TLS is explicitly disabled here, yet the connection still succeeds.
const client = new Client({
  connectionString: connectionString,
  ssl: false
});

heroku pg:credentials:url DATABASE returns sslmode=require, yet I am also able to connect remotely with psql DATABASE_URL without the sslmode=require as a query param.

According to Heroku docs and code samples, it shouldn't be the case. The only thing that could explain it is that Heroku does not support encryption at rest on the Hobby tier, so why should it in transit?


Solution

  • I contacted Heroku support and the response I got is that it's currently not enforced on the server side.

    Their data team confirms this is a "known-but-undocumented" thing. The docs unfortunately are misleading e.g. here and here:

    If you leave off sslmode=require you will get a connection error
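
Since the server does not reject plaintext sessions, the client has to enforce TLS itself. The following is an added example, not part of the original question or answer: `buildTlsConfig` and `assertSessionEncrypted` are hypothetical helper names, and the returned object is assumed to be passed to `new Client(config)` from the `pg` package.

```javascript
// Added example, not from the original post. Assumption: the object returned by
// buildTlsConfig() is passed to `new Client(config)` from the `pg` package.
const PLAINTEXT_CAPABLE = new Set(['disable', 'allow', 'prefer']);

function buildTlsConfig(databaseUrl, { ca, verifyServer = true } = {}) {
  const url = new URL(databaseUrl);
  if (url.protocol !== 'postgres:' && url.protocol !== 'postgresql:') {
    throw new Error(`not a Postgres URL: ${url.protocol}`);
  }
  const mode = url.searchParams.get('sslmode');
  if (mode !== null && PLAINTEXT_CAPABLE.has(mode)) {
    throw new Error(`refusing sslmode=${mode}: it permits an unencrypted session`);
  }
  // Drop sslmode so the explicit ssl object is the only TLS setting in the config.
  url.searchParams.delete('sslmode');
  const ssl = { rejectUnauthorized: verifyServer };
  if (ca) ssl.ca = ca; // PEM text of the CA to trust, when one is available
  return { connectionString: url.toString(), ssl };
}

// Confirm on a live session that the server side sees TLS.
// pg_stat_ssl is a standard PostgreSQL view (9.5+); `client` is any connected
// object with a promise-returning query(), such as a pg Client.
async function assertSessionEncrypted(client) {
  const { rows } = await client.query(
    'SELECT ssl, version FROM pg_stat_ssl WHERE pid = pg_backend_pid()'
  );
  if (rows.length !== 1 || rows[0].ssl !== true) {
    throw new Error('database session is not TLS-protected');
  }
  return rows[0].version; // negotiated protocol, e.g. "TLSv1.3"
}
```

Calling `assertSessionEncrypted` right after `connect()` turns a silent plaintext fallback into a startup failure instead of relying on the server to refuse the connection.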