diff --git a/classes/Config.php b/classes/Config.php
index 9cc5bc723..7be529e41 100644
--- a/classes/Config.php
+++ b/classes/Config.php
@@ -45,6 +45,9 @@ class Config {
 	/** database server port */
 	const DB_PORT = "DB_PORT";
 
+	/** PostgreSQL SSL mode (prefer, require, disabled) */
+	const DB_SSLMODE = "DB_SSLMODE";
+
 	/** this is a fallback falue for the CLI SAPI, it should be set to a fully-qualified tt-rss URL */
 	const SELF_URL_PATH = "SELF_URL_PATH";
 
@@ -219,6 +222,7 @@ class Config {
 		Config::DB_NAME => [ "", 											Config::T_STRING ],
 		Config::DB_PASS => [ "", 											Config::T_STRING ],
 		Config::DB_PORT => [ "5432",										Config::T_STRING ],
+		Config::DB_SSLMODE => [ "prefer",                        Config::T_STRING ],
 		Config::SELF_URL_PATH => [ "https://example.com/tt-rss", Config::T_STRING ],
 		Config::SINGLE_USER_MODE => [ "",								Config::T_BOOL ],
 		Config::PHP_EXECUTABLE => [ "/usr/bin/php",					Config::T_STRING ],
diff --git a/classes/Db.php b/classes/Db.php
index 0017fdf03..01239f5cb 100644
--- a/classes/Db.php
+++ b/classes/Db.php
@@ -26,8 +26,10 @@ class Db {
 	public static function get_dsn(): string {
 		$db_port = Config::get(Config::DB_PORT) ? ';port=' . Config::get(Config::DB_PORT) : '';
 		$db_host = Config::get(Config::DB_HOST) ? ';host=' . Config::get(Config::DB_HOST) : '';
+		$db_sslmode = Config::get(Config::DB_SSLMODE);
 
-		return 'pgsql:dbname=' . Config::get(Config::DB_NAME) . $db_host . $db_port;
+		return 'pgsql:dbname=' . Config::get(Config::DB_NAME) . $db_host . $db_port .
+			";sslmode=$db_sslmode";
 	}
 
 	// this really shouldn't be used unless a separate PDO connection is needed