The Principle of Least Privilege
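# Connect to the database as the read-only user since we are
# not updating any information.
#
# NOTE(review): the least-privilege guarantee comes from the GRANTs on the
# "readonly" role on the server side (SELECT only, no INSERT/UPDATE/DELETE/DDL).
# Picking the role here only helps if those grants really are restricted;
# the name alone confers nothing.
def get_user_by_email(email):
    """Return the ``users`` row for *email*, or ``None`` if no row matches.

    The original fragment used ``return`` outside any ``def`` and never
    closed the ``connect(`` call; it is wrapped in a function so it runs.

    Args:
        email: the e-mail address to look up. It is passed as a bound
            parameter (``%(email)s``), never interpolated into the SQL
            string, so it is safe with untrusted input.

    Returns:
        The first matching row as a tuple, or ``None`` when no row matches.

    Raises:
        KeyError: if ``DB_READONLY_USER_PASSWORD`` is not set. Failing fast
            beats silently attempting a connection with ``password=None``.
    """
    connection = psycopg2.connect(
        dbname="database",
        user="readonly",
        # os.environ[...] rather than os.getenv(): a missing secret should
        # abort here, not be turned into password=None by the driver.
        password=os.environ["DB_READONLY_USER_PASSWORD"],
    )
    try:
        # `with connection:` only scopes the transaction (commit on success,
        # rollback on error); it does NOT close the connection, hence the
        # outer try/finally so the socket is not leaked on every call.
        with connection:
            with connection.cursor() as cursor:
                cursor.execute(
                    "SELECT * FROM users WHERE email = %(email)s",
                    dict(email=email),
                )
                # fetchone() yields one row (a tuple) or None. The original
                # iterated over that row, which returned only the first
                # *column* and raised TypeError when there was no match.
                return cursor.fetchone()
    finally:
        connection.close()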