diff --git a/Cargo.lock b/Cargo.lock
index 574fe67..b9afefa 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1492,6 +1492,16 @@ dependencies = [
  "untrusted",
 ]
 
+[[package]]
+name = "secrecy"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9bd1c54ea06cfd2f6b63219704de0b9b4f72dcc2b8fdef820be6cd799780e91e"
+dependencies = [
+ "serde",
+ "zeroize",
+]
+
 [[package]]
 name = "security-framework"
 version = "2.4.2"
@@ -2425,6 +2435,7 @@ dependencies = [
  "log",
  "once_cell",
  "reqwest",
+ "secrecy",
  "serde",
  "serde-aux",
  "sqlx",
@@ -2438,6 +2449,12 @@ dependencies = [
  "uuid",
 ]
 
+[[package]]
+name = "zeroize"
+version = "1.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d68d9dcec5f9b43a30d38c49f91dfedfaac384cb8f085faca366c26207dd1619"
+
 [[package]]
 name = "zstd"
 version = "0.9.1+zstd.1.5.1"
diff --git a/Cargo.toml b/Cargo.toml
index 48ddb72..12313eb 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -28,6 +28,7 @@ tracing-log = "0.1.1"
 serde-aux = "1.0.1"
 unicode-segmentation = "1.7.1"
 tracing-actix-web = "0.5.0-beta.6"
+secrecy = { version = "0.8", features = ["serde"] }
 
 [dev-dependencies]
 reqwest = { version = "0.11", features = ["json"] }
diff --git a/src/configuration.rs b/src/configuration.rs
index 6eca71d..0d5c70c 100644
--- a/src/configuration.rs
+++ b/src/configuration.rs
@@ -1,3 +1,4 @@
+use secrecy::{ExposeSecret, Secret};
 use serde_aux::field_attributes::deserialize_number_from_string;
 use sqlx::postgres::{PgConnectOptions, PgSslMode};
 use sqlx::ConnectOptions;
@@ -19,7 +20,7 @@ pub struct ApplicationSettings {
 #[derive(serde::Deserialize)]
 pub struct DatabaseSettings {
     pub username: String,
-    pub password: String,
+    pub password: Secret<String>,
     #[serde(deserialize_with = "deserialize_number_from_string")]
     pub port: u16,
     pub host: String,
@@ -37,7 +38,7 @@ impl DatabaseSettings {
         PgConnectOptions::new()
             .host(&self.host)
             .username(&self.username)
-            .password(&self.password)
+            .password(&self.password.expose_secret())
             .port(self.port)
             .ssl_mode(ssl_mode)
     }