Django project deployed to Heroku: Postgres security

I’ve set up my Django settings.py in such a way that I can access the Postgres instance in the cloud containing my production data from my local development environment, by running this command in my local venv shell, in this format:


export DATABASE_URL='postgres://USER:PASSWORD@HOST:PORT/NAME'

It’s a very helpful feature. I love it.

As an example, here is a Postgres instance which contains placeholder content:


export DATABASE_URL='postgres://shzxdfrkdiilyw:37ec5eee52abf4a772454d55e6a71779c05b6720622e945cad54f4fbf7e6f84d@ec2-54-84-98-18.compute-1.amazonaws.com:5432/dcjnf0h34cfsc5'

You would think that posting the above URI on a public forum like this one is terrible security practice; however, Heroku gives admins a tool to generate a new Postgres username/password combo. Here is the command:


(venv) $ heroku pg:credentials:rotate

Before starting this thread, I invoked it. So the hostname, port, and name remain the same, but the new Postgres user/password is completely different.

If an attacker discovered my Postgres username, brute-forcing a password that is 64 characters long with a charset size of 36 means facing 250 bits of entropy, making it impossible to crack with current silicon.

Here is my question for all of you now. Since the username/password is now different, for confirmation and verification: my site is still secure and my data is protected, is this correct?
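The settings.py side of the DATABASE_URL approach described above, as an added example that is not part of the original post: it parses the postgres://USER:PASSWORD@HOST:PORT/NAME format into a Django DATABASES entry, forces sslmode=require so the password never crosses the public internet in clear, and provides a redacted form safe for logs. The sample URI is constructed, not a live credential; the ENGINE value is Django's standard PostgreSQL backend.

```python
import os
from urllib.parse import urlsplit, unquote

# Constructed sample in the same format as the post's DATABASE_URL; not a real credential.
SAMPLE_URL = "postgres://dbuser:s3cret%40pass@ec2-1-2-3-4.compute-1.amazonaws.com:5432/dbname"


def database_from_url(url, require_ssl=True):
    """Turn a postgres:// URI into a Django DATABASES['default'] dict.

    sslmode=require is set by default: the host in the post is reachable from
    the public internet, so the connection must be encrypted end to end.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("postgres", "postgresql"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname or not parts.username or parts.password is None:
        raise ValueError("DATABASE_URL must contain user, password and host")
    options = {"sslmode": "require"} if require_ssl else {}
    return {
        "ENGINE": "django.db.backends.postgresql",
        "NAME": parts.path.lstrip("/"),
        "USER": unquote(parts.username),      # percent-encoded in the URI
        "PASSWORD": unquote(parts.password),
        "HOST": parts.hostname,
        "PORT": parts.port or 5432,
        "OPTIONS": options,
    }


def redact_url(url):
    """Return the URI with the password masked, safe to log or paste in a ticket."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    # netloc is "user:pass@host:port"; rebuild it without the secret
    netloc = f"{parts.username}:***@{parts.hostname}"
    if parts.port:
        netloc += f":{parts.port}"
    return parts._replace(netloc=netloc).geturl()


def settings_databases():
    """What settings.py would do: read DATABASE_URL from the environment."""
    url = os.environ.get("DATABASE_URL", SAMPLE_URL)
    return {"default": database_from_url(url)}


if __name__ == "__main__":
    print(redact_url(SAMPLE_URL))
    print(settings_databases()["default"]["OPTIONS"])
```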

In short, yes. Hopefully Heroku also set up PostgreSQL with some extra security features like rate limiting of failed auth attempts from a given IP.

To keep database servers secure it’s often recommended to place them in a private zone of a private network. This stops the server from being accessible on the public internet altogether, reducing concerns about direct brute force attacks. Heroku calls this feature private spaces and charges a significant amount of money for it since they know mostly large corporations are worried about it. Other providers do it for free, such as Amazon RDS. But probably you don’t need to worry about this until regulation or a penetration test tells you to.