diff --git a/api/src/config.ts b/api/src/config.ts index 7ce7c60..229af2a 100644 --- a/api/src/config.ts +++ b/api/src/config.ts @@ -39,6 +39,7 @@ export const DB_PASSWORD = process.env.DB_PASSWORD || "" export const DB_DATABASE = process.env.DB_DATABASE || "" export const DB_PORT = parseInt(process.env.DB_PORT || "1433") export const DB_TRUST_SERVER_CERTIFICATE = process.env.DB_TRUST_SERVER_CERTIFICATE === "true" +export const DB_SSL = process.env.DB_SSL === "true" export const REDIS_CONNECTION_URL = process.env.REDIS_CONNECTION_URL || "" diff --git a/api/src/db/db-client.ts b/api/src/db/db-client.ts index 283e5cc..d8f402f 100644 --- a/api/src/db/db-client.ts +++ b/api/src/db/db-client.ts @@ -7,8 +7,8 @@ import { DB_HOST, DB_PASSWORD, DB_PORT, + DB_SSL, DB_USERNAME, - NODE_ENV, SEQUELIZE_LOGGING, } from "@/config" import compactSql from "@/utils/compact-sql" @@ -31,7 +31,7 @@ export const SEQUELIZE_CONFIG: Options = { password: DB_PASSWORD, host: DB_HOST, port: DB_PORT, - ssl: NODE_ENV !== "production" ? false : { rejectUnauthorized: false }, + ssl: DB_SSL ? { rejectUnauthorized: false } : false, schema: "public", // default - explicit for clarity logging: SEQUELIZE_LOGGING ? sqlLogger : false, pool: { diff --git a/api/src/db/db-migration-client.ts b/api/src/db/db-migration-client.ts index e58c15a..421091b 100644 --- a/api/src/db/db-migration-client.ts +++ b/api/src/db/db-migration-client.ts @@ -3,7 +3,7 @@ import path from "path" import knex, { Knex } from "knex" import { isEmpty, isNil, merge } from "lodash" -import { DB_DATABASE, DB_HOST, DB_PASSWORD, DB_PORT, DB_USERNAME, NODE_ENV } from "@/config" +import { DB_DATABASE, DB_HOST, DB_PASSWORD, DB_PORT, DB_SSL, DB_USERNAME, NODE_ENV } from "@/config" if (isEmpty(DB_DATABASE)) throw new Error("database name is unset.") if (isEmpty(DB_USERNAME)) throw new Error("database username is unset.") 
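Review bot: `DB_SSL` in `api/src/config.ts` defaults to off, so a production deployment that leaves the variable unset, or sets it to `TRUE` or `1`, now connects without TLS, where both clients previously enabled it whenever `NODE_ENV` was `production`. The strict comparison with `"true"` gives no signal for a missing or misspelled value. Consider falling back to the environment when the variable is absent, e.g. `export const DB_SSL = process.env.DB_SSL === undefined ? NODE_ENV === "production" : process.env.DB_SSL === "true"`. This assumes `NODE_ENV` is defined above this point in the file; it is exported from `@/config`, but its definition is outside the hunk. A startup warning when TLS is off in production would also make the downgrade visible.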
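Review bot: In `SEQUELIZE_CONFIG`, `ssl: DB_SSL ? { rejectUnauthorized: false } : false` enables encryption but never verifies the server certificate, so the client cannot tell the real database from a host intercepting the connection. The same expression is added to `buildKnexConfig` in `api/src/db/db-migration-client.ts`. The setting is carried over from the old code, but now that TLS has its own switch, verification could be the default, with the opt-out tied to the flag `config.ts` already exports: `ssl: DB_SSL ? { rejectUnauthorized: !DB_TRUST_SERVER_CERTIFICATE } : false`, with `DB_TRUST_SERVER_CERTIFICATE` added to the import. Deployments that rely on a certificate that cannot be verified would then have to set `DB_TRUST_SERVER_CERTIFICATE=true` explicitly. The object literal continues outside the hunk.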
@@ -21,17 +21,7 @@ export function buildKnexConfig(options?: Knex.Config): Knex.Config {
 password: DB_PASSWORD,
 database: DB_DATABASE,
 port: DB_PORT,
- ssl:
- NODE_ENV !== "production"
- ? false
- : {
- require: true, // Enforce SSL
- rejectUnauthorized: false, // Disable certificate verification (common for Azure)
- },
- /* options: {
- encrypt: true,
- trustServerCertificate: DB_TRUST_SERVER_CERTIFICATE,
- }, */
+ ssl: DB_SSL ? { rejectUnauthorized: false } : false,
 },
 migrations: {
 directory: path.resolve(__dirname, "./migrations"),
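Review bot: The new `ssl` line in `buildKnexConfig` keeps certificate verification disabled but drops the removed comment that said so and why ("common for Azure"), so a reader now has no hint that this is a deliberate trade-off. A comment above the line would preserve that, for example `// TLS encrypts the connection, but the server certificate is NOT verified (kept from the Azure setup)`. Separately, this hunk removes the only visible use of `NODE_ENV`, while the import hunk earlier in this file still lists it. If nothing else in the file reads it, the import can go. The function body starts and ends outside the hunk, so that cannot be confirmed from here.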