diff --git a/backend/db.js b/backend/db.js
index 1a8b1634e..07d02a82f 100644
--- a/backend/db.js
+++ b/backend/db.js
@@ -16,7 +16,8 @@ function generateDbConfig() {
 			user: cfg.user,
 			password: cfg.password,
 			database: cfg.name,
-			port: cfg.port
+			port: cfg.port,
+			...(cfg.ssl ? { ssl: cfg.ssl } : {})
 		},
 		migrations: {
 			tableName: 'migrations'
diff --git a/backend/lib/config.js b/backend/lib/config.js
index 23184f3e8..1a2b729e0 100644
--- a/backend/lib/config.js
+++ b/backend/lib/config.js
@@ -29,9 +29,14 @@ const configure = () => {
 		}
 	}
 
-	const envMysqlHost = process.env.DB_MYSQL_HOST || null;
-	const envMysqlUser = process.env.DB_MYSQL_USER || null;
-	const envMysqlName = process.env.DB_MYSQL_NAME || null;
+	const toBool = (v) => /^(1|true|yes|on)$/i.test((v || '').trim());
+
+	const envMysqlHost = process.env.DB_MYSQL_HOST || null;
+	const envMysqlUser = process.env.DB_MYSQL_USER || null;
+	const envMysqlName = process.env.DB_MYSQL_NAME || null;
+	const envMysqlSSL = toBool(process.env.DB_MYSQL_SSL);
+	const envMysqlSSLRejectUnauthorized = process.env.DB_MYSQL_SSL_REJECT_UNAUTHORIZED === undefined ? true : toBool(process.env.DB_MYSQL_SSL_REJECT_UNAUTHORIZED);
+	const envMysqlSSLVerifyIdentity = process.env.DB_MYSQL_SSL_VERIFY_IDENTITY === undefined ? true : toBool(process.env.DB_MYSQL_SSL_VERIFY_IDENTITY);
 	if (envMysqlHost && envMysqlUser && envMysqlName) {
 		// we have enough mysql creds to go with mysql
 		logger.info('Using MySQL configuration');
@@ -43,6 +48,7 @@ const configure = () => {
 				user: envMysqlUser,
 				password: process.env.DB_MYSQL_PASSWORD,
 				name: envMysqlName,
+				ssl: envMysqlSSL ? { rejectUnauthorized: envMysqlSSLRejectUnauthorized, verifyIdentity: envMysqlSSLVerifyIdentity } : false,
 			},
 			keys: getKeys(),
 		};
diff --git a/docs/src/setup/index.md b/docs/src/setup/index.md
index c2296da7f..3ab5700a4 100644
--- a/docs/src/setup/index.md
+++ b/docs/src/setup/index.md
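Review bot: The spread in hunk @@ -16,7 +16,8 @@ forwards `cfg.ssl` to the driver unchanged whenever it is truthy, so if `config.database.ssl` can also be populated from a config file rather than only from the env-derived object built in config.js, a value such as the string `'true'` or a bare `true` would reach the driver without the normalisation the env path applies — that cannot be confirmed from this hunk, so check where else `cfg` is filled in. A short comment on the added line would make the contract explicit: `// ssl is false unless enabled in config; a truthy value is handed to the driver as-is`. generateDbConfig's body continues outside the hunk.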
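Review bot: In hunk @@ -29,9 +29,14 @@ an empty-but-set `DB_MYSQL_SSL_REJECT_UNAUTHORIZED` (or `DB_MYSQL_SSL_VERIFY_IDENTITY`) passes the `=== undefined` check and `toBool('')` then yields false, so a blank value — which is what an unresolved `${VAR}` substitution in docker-compose typically produces — silently turns certificate and hostname verification off, and a misspelling such as `ture` does the same. Treat empty or whitespace-only values as unset so the secure default survives, and consider rejecting values that match neither a true nor a false token instead of mapping them to false. The `ssl` object assembled in hunk @@ -43,6 +48,7 @@ carries whatever these flags resolved to, so logging the effective TLS settings next to `logger.info('Using MySQL configuration')` lets an operator see from the log when verification has been disabled. `verifyIdentity` is a driver-specific option key and unknown keys are generally ignored rather than rejected, so confirm that the mysql client version in use honours it. configure's body continues outside the hunk.
```javascript
	const toBool = (v) => /^(1|true|yes|on)$/i.test((v || '').trim());
	// Unset AND empty both mean "keep the default"; otherwise an empty
	// docker-compose substitution would silently disable TLS verification.
	const boolOr = (v, dflt) => (v === undefined || v.trim() === '') ? dflt : toBool(v);

	// … unchanged: envMysqlHost / envMysqlUser / envMysqlName …
	const envMysqlSSL = toBool(process.env.DB_MYSQL_SSL);
	const envMysqlSSLRejectUnauthorized = boolOr(process.env.DB_MYSQL_SSL_REJECT_UNAUTHORIZED, true);
	const envMysqlSSLVerifyIdentity = boolOr(process.env.DB_MYSQL_SSL_VERIFY_IDENTITY, true);
	if (envMysqlHost && envMysqlUser && envMysqlName) {
		// we have enough mysql creds to go with mysql
		logger.info('Using MySQL configuration');
		// Make a weakened TLS setup visible in the log rather than silent.
		if (envMysqlSSL && (!envMysqlSSLRejectUnauthorized || !envMysqlSSLVerifyIdentity)) {
			logger.info('MySQL SSL enabled with certificate/identity verification disabled');
		}
		// … unchanged: rest of the MySQL configuration block …
```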
@@ -71,6 +71,10 @@ services:
       DB_MYSQL_USER: "npm"
       DB_MYSQL_PASSWORD: "npm"
       DB_MYSQL_NAME: "npm"
+      # Optional SSL (see section below)
+      # DB_MYSQL_SSL: 'true'
+      # DB_MYSQL_SSL_REJECT_UNAUTHORIZED: 'true'
+      # DB_MYSQL_SSL_VERIFY_IDENTITY: 'true'
       # Uncomment this if IPv6 is not enabled on your host
       # DISABLE_IPV6: 'true'
     volumes:
@@ -98,6 +102,16 @@ Please note, that `DB_MYSQL_*` environment variables will take precedent over `D
 :::
 
+### Optional: MySQL / MariaDB SSL
+
+You can enable TLS for the MySQL/MariaDB connection with these environment variables:
+
+- DB_MYSQL_SSL: Enable SSL when set to true. If unset or false, SSL disabled (previous default behaviour).
+- DB_MYSQL_SSL_REJECT_UNAUTHORIZED: (default: true) Validate the server certificate chain. Set to false to allow self‑signed/unknown CA.
+- DB_MYSQL_SSL_VERIFY_IDENTITY: (default: true) Performs host name / identity verification.
+
+Enabling SSL using a self-signed cert (not recommended for production).
+
 ## Using Postgres database
 
 Similar to the MySQL server setup:
 