Add doc for ssl rejectUnauthorized: false (#126)

karlhorky · web-flow · commit 749684bd0a18 · 2020-12-13T18:21:52.000+01:00
Ref: #38 (comment)
diff --git a/README.md b/README.md
@@ -72,7 +72,18 @@ const sql = postgres('postgres://username:password@host:port/database', {
 })
 ```
 
-More info for the `ssl` option can be found in the [Node.js docs for tls connect options](https://nodejs.org/dist/latest-v10.x/docs/api/tls.html#tls_new_tls_tlssocket_socket_options)
+Although it is [vulnerable to MITM attacks](https://security.stackexchange.com/a/229297/174913), a common configuration for the `ssl` option for some cloud providers like Heroku is to set `rejectUnauthorized` to `false` (if `NODE_ENV` is `production`):
+
+```js
+const sql =
+  process.env.NODE_ENV === 'production'
+    ? // "Unless you're using a Private or Shield Heroku Postgres database, Heroku Postgres does not currently support verifiable certificates"
+      // https://help.heroku.com/3DELT3RK/why-can-t-my-third-party-utility-connect-to-heroku-postgres-with-ssl
+      postgres({ ssl: { rejectUnauthorized: false } })
+    : postgres();
+```
+
+More info for the `ssl` option can be found in the [Node.js docs for tls connect options](https://nodejs.org/dist/latest-v10.x/docs/api/tls.html#tls_new_tls_tlssocket_socket_options).
 
 ### Environment Variables for Options
 
