diff --git a/.changeset/eight-suits-boil.md b/.changeset/eight-suits-boil.md
new file mode 100644
index 0000000000..19120c5689
--- /dev/null
+++ b/.changeset/eight-suits-boil.md
@@ -0,0 +1,5 @@
+---
+"@core/electric": patch
+---
+
+Bring back the enforcement of SSL use for database connections. The default value was changed to `false` in v0.9.1 by accident. This version restores the intended behaviour. To use unencrypted database connections, you must explicitly configure Electric with DATABASE_REQUIRE_SSL=false.
diff --git a/components/electric/config/runtime.exs b/components/electric/config/runtime.exs
index 914bfd9561..544469c713 100644
--- a/components/electric/config/runtime.exs
+++ b/components/electric/config/runtime.exs
@@ -214,22 +214,32 @@ connector_config = # database will be treated as a fatal error. # # 2. Or it is not required, in which case Electric will still try connecting with SSL first - # and will only fallback to using unencrypted connection if that fails. + # and will only fall back to using unencrypted connection if that fails. # # When DATABASE_REQUIRE_SSL is set by the user, the sslmode query parameter in DATABASE_URL is ignored. require_ssl? = case {require_ssl_config, conn_config[:sslmode]} do - {nil, :require} -> true - {nil, _} -> false - {nil, nil} -> default_database_require_ssl - {true, _} -> true - {false, _} -> false + {nil, nil} -> + # neither DATABASE_REQUIRE_SSL nor ?sslmode=... are present, use the default setting + default_database_require_ssl + + {true, _} -> + # DATABASE_REQUIRE_SSL=true: require database connections to use SSL + true + + {nil, :require} -> + # ?sslmode=require and DATABASE_REQUIRE_SSL is not set: require database connections to use SSL + true + + _ -> + # any other value of ?sslmode=... or DATABASE_REQUIRE_SSL means SSL is not required + false end # When require_ssl?=true, epgsql will try to connect using SSL and fail if the server does not accept encrypted # connections. # - # When require_ssl?=false, epgsql will try to connect using SSL first, then fallback to an unencrypted connection + # When require_ssl?=false, epgsql will try to connect using SSL first, then fall back to an unencrypted connection # if that fails. use_ssl? = if require_ssl? do
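Review bot: The catch-all `_ -> false` arm in the `require_ssl?` case fails open: any pair not listed above it, including a `require_ssl_config` value that is neither `true`, `false` nor `nil`, silently turns the SSL requirement off and permits the fallback to an unencrypted connection. Spelling out the not-required cases as `{false, _} -> false` and `{nil, _} -> false` would make an unexpected value raise a `CaseClauseError` at startup instead of quietly weakening transport security. The same arm also treats every sslmode other than `:require` as not required; if the DATABASE_URL parsing (outside this hunk) can yield the stricter libpq modes `verify-ca` or `verify-full`, those would be downgraded to opportunistic SSL and probably belong next to `:require`. The `use_ssl?` expression that consumes this value continues past the end of the hunk.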