Is it possible to connect to the Heroku Postgres database through a web application without the risk of dropping the table?
I am creating a Heroku application for a third party that uses Heroku Postgres for a backend. The third party is very sensitive to security, so I am considering applying "Layered security" throughout the application. So, for example, checking for SQL injection attacks at the web level. Using the Layered security approach, I must also protect the database in the event that a potential SQL injection attack is missed, which could lead to the loss of the database table.
In other systems that I built, there will be at least two users in the database. Firstly, the database administrator who creates / deletes tables, indexes, triggers, etc. And an application user who will work with less privileges than a database administrator who could only insert and update records, for example.
In Heroku Postgres settings there is no way to create another user with less privileges (without the "drop table" option). Therefore, the application must connect to the Heroku Postgres user by default, so there may be a risk of having a βdrag and drop tableβ.
I am running the Heroku Postgres Crane add-in.
Has anyone come across this or created any creative work for this scenario?
source share