diff --git a/global/overlay/etc/puppet/modules/cdn/files/db/init-cdn-db.sh b/global/overlay/etc/puppet/modules/cdn/files/db/init-cdn-db.sh
index 3584c07..4e7b23a 100644
--- a/global/overlay/etc/puppet/modules/cdn/files/db/init-cdn-db.sh
+++ b/global/overlay/etc/puppet/modules/cdn/files/db/init-cdn-db.sh
@@ -1,10 +1,25 @@
 #!/bin/bash
 set -e
 
+# shellcheck source=/dev/null
 . /conf/init-cdn-db.conf
 
+# Create database named after user, then create a schema named the same as the
+# user which is also owned by that user. Because search_path (SHOW
+# search_path;) starts with "$user" by default this means any tables will be
+# created in that user-specific SCHEMA by default instead of falling back to
+# "public". This follows the "secure schema usage pattern" summarized as
+# "Constrain ordinary users to user-private schemas" from
+# https://www.postgresql.org/docs/current/ddl-schemas.html#DDL-SCHEMAS-PATTERNS
+#
+# "In PostgreSQL 15 and later, the default configuration supports this usage
+# pattern. In prior versions, or when using a database that has been upgraded
+# from a prior version, you will need to remove the public CREATE privilege
+# from the public schema"
 psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
-	CREATE USER cdn WITH PASSWORD '$cdn_password';
+	CREATE USER cdn WITH PASSWORD '${cdn_password:?}';
 	CREATE DATABASE cdn;
 	GRANT ALL PRIVILEGES ON DATABASE cdn TO cdn;
+	\c cdn;
+	CREATE SCHEMA cdn AUTHORIZATION cdn;
 EOSQL