by slagfart 3175 days ago
I think, with Postgres, if you have:

1. A dedicated read-only schema

2. A dedicated user, with only CONNECT to the read-only schema

3. A unique password

4. A dedicated read-only replica DB

you should be safe against pretty much everything.

I'd actually like to be corrected if I'm wrong - this is how I've built numerous externally-facing services.


For non-secured connections, a snooper could still gain full access to all production data.
How? Even with the password for this user, you could still only gain access to the read-only schema.

Something I should have spelled out - the read-only schema has only the data that the charts need (heavily aggregated views). We basically build with the assumption that the schema will be compromised, but only that one schema.

Without SSL all that data can be observed in transit between your read-only schema and the consuming service. There's very low risk to integrity (i.e. nobody can modify data via read-only methods), but complete loss of confidentiality.
I think it was related to the "with or without SSL". Obviously the data you send can be intercepted without SSL but no other data (and with SSL not even that).
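
The setup from the original post together with the in-transit point raised in the replies, as an added example that is not part of the thread. It uses Postgres's actual privilege names (CONNECT on the database, USAGE on the schema); the database, schema, role, table and address range are assumed names.

```sql
-- Assumed names, not from the thread: database appdb, schema charts_ro,
-- role charts_reader, source table public.orders(created_at, amount).
-- Run on the primary as a superuser; roles and grants replicate to the standby.

-- PUBLIC holds CONNECT on every database by default; remove it here and
-- re-grant CONNECT to the other roles that legitimately need this database.
REVOKE CONNECT ON DATABASE appdb FROM PUBLIC;

CREATE SCHEMA charts_ro;
-- Expose aggregates only. A view reads its base tables with the view owner's
-- privileges, so the reader role needs no grant on public.orders.
CREATE VIEW charts_ro.daily_revenue AS
    SELECT date_trunc('day', created_at) AS day, sum(amount) AS revenue
    FROM public.orders
    GROUP BY 1;

CREATE ROLE charts_reader LOGIN PASSWORD 'REPLACE_WITH_UNIQUE_SECRET'
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT CONNECTION LIMIT 10;
GRANT CONNECT ON DATABASE appdb TO charts_reader;
GRANT USAGE ON SCHEMA charts_ro TO charts_reader;
GRANT SELECT ON ALL TABLES IN SCHEMA charts_ro TO charts_reader;
-- Guard rail only: a session can override it; the absent write grants are the control.
ALTER ROLE charts_reader SET default_transaction_read_only = on;

-- pg_hba.conf on the replica (address range is a placeholder): hostssl only
-- matches TLS connections, so a plaintext login for this role is rejected
-- as long as no plain "host" line also matches it.
--   hostssl  appdb  charts_reader  203.0.113.0/24  scram-sha-256

-- Audit 1: relations outside charts_ro that the role can read.
-- Any row returned is a privilege leak (often a grant made to PUBLIC).
SELECT n.nspname, c.relname
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r', 'v', 'm', 'p', 'f')
  AND n.nspname NOT IN ('charts_ro', 'pg_catalog', 'information_schema')
  AND has_schema_privilege('charts_reader', n.oid, 'USAGE')
  AND has_table_privilege('charts_reader', c.oid, 'SELECT');

-- Audit 2: live sessions for the role that are not using TLS.
SELECT a.pid, a.client_addr, a.backend_start
FROM pg_stat_activity a
JOIN pg_stat_ssl s ON s.pid = a.pid
WHERE a.usename = 'charts_reader' AND NOT s.ssl;
```

Run the two audit queries while connected to appdb on the replica, since that is where the reader's sessions and effective privileges live.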