redis/redis
Security
Security-relevant guarantees, surfaces, and configuration options.
This page summarises operationally important security topics. The implementation details are in ACL & security.
Threat model
Redis assumes the network it runs on is trusted. By default it binds to localhost (127.0.0.1 -::1) and refuses to start in "protected mode" if you bind to a public interface without setting a password or requirepass. Even so, Redis is not designed to withstand untrusted-client attacks beyond reasonable input sanitisation:
- Commands that admit arbitrary writes (
CONFIG SET dir,MODULE LOAD,DEBUG) can compromise the host. They are gated by ACL or byenable-*-commandflags but assume operators have made deliberate decisions. - Lua scripts run in a sandbox but the sandbox is hardened against the curious, not against adversaries with persistent compute budget.
Production deployments should:
- Bind to a private interface or use TLS.
- Require ACL-based authentication.
- Keep
enable-debug-command noandenable-module-command noin production. - Restrict who can call
CONFIG,DEBUG,MODULE,SLAVEOF/REPLICAOF,FLUSHDB/FLUSHALL,SHUTDOWN,MIGRATE.
Authentication
Two paths:
- Inline
requirepass— sets the password for thedefaultuser. Backwards-compatible with old clients that issueAUTH <password>. - ACL users —
ACL SETUSER alice on >pwd ~obj:* +@read. Users are stored in memory;aclfileprovides persistence. See ACL & security.
Failed auth attempts are logged in the ACL log (ACL LOG) and are visible to operators.
Authorisation (ACL)
ACL gates:
- Which commands a user can run (per-command, per-category).
- Which keys they can read/write (glob patterns).
- Which Pub/Sub channels they can publish/subscribe (glob patterns).
Each connection is associated with a user; every command goes through an aclCheckAllPerm check before dispatch. A failed check returns -NOPERM ....
Module-defined commands inherit categories at registration time; modules can also register custom auth callbacks (LDAP, SSO, etc.) via RedisModule_RegisterAuthCallback.
Transport encryption (TLS)
src/tls.c provides TLSv1.2/1.3 over OpenSSL. Configure:
tls-port— TLS-only listener.tls-cert-file,tls-key-file— server cert/key.tls-ca-cert-file— for client cert validation.tls-auth-clients yes/no/optional— require/accept/ignore client certs.tls-protocols,tls-ciphers,tls-ciphersuites— protocol versions and cipher suites.tls-cluster,tls-replication— also use TLS for cluster bus and replication.
For mTLS deployments, set tls-auth-clients yes and configure ACL users to map to certificate CNs (often via a module-defined auth callback).
Encryption at rest
Redis does not encrypt RDB or AOF files. If at-rest encryption is required, use OS-level disk encryption (LUKS, dm-crypt) or run on encrypted volumes.
Secrets in the config file
Passwords in redis.conf (requirepass, masterauth, aclfile users) are stored in plaintext. Operators should:
- Restrict the file's permissions (
chmod 600). - Avoid checking
redis.confinto version control if it contains secrets. - Prefer
aclfileover inlineuserdirectives —aclfilepaths can have stricter permissions and are less likely to be casually shared.
In recent versions the password fields are masked when surfaced via CONFIG GET. This isn't a true secret-management story; it just keeps MONITOR output cleaner.
Command-injection mitigations
- Lua scripts are sandboxed; no filesystem, network, or arbitrary OS calls. The bundled extensions (
cjson,cmsgpack,bitop,struct) are vetted. - Commands like
MIGRATEandRESTOREaccept binary blobs that the server validates structurally before deserialising. A malformed RESTORE blob returns-DUMP payload version or checksum are wrongrather than crashing. - The crash handler intentionally raises the original signal after dumping, so the OS produces a real core dump; nothing in
redis-serverswallows SIGSEGV silently.
Surface controls
| Option | Default | Effect |
|---|---|---|
protected-mode |
yes |
Refuse external connections without auth. |
enable-protected-configs |
no |
Refuse CONFIG SET of dir, dbfilename, etc. |
enable-debug-command |
no |
Hide DEBUG. |
enable-module-command |
no |
Hide MODULE. |
loadmodule |
(none) | Modules to preload. Each one is a host-level trust decision. |
For a strict production deployment, the recommended set is:
protected-mode yes
enable-protected-configs no
enable-debug-command no
enable-module-command no
requirepass <strong-password> # or full ACL config
bind 10.0.0.1 -::1 # private interface only
tls-port 6379
port 0 # disable plaintext
tls-auth-clients yesReporting security issues
Security disclosures go via SECURITY.md in the repository root, which directs reports to the Redis security team. CVE history is in the upstream redis-doc repo.
Related pages
- ACL & security — implementation details.
- Networking — listener and connection lifecycle.
- Modules — module-defined auth.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.