Open-Source Wikis

/

Redis

/

Security

redis/redis

Security

Security-relevant guarantees, surfaces, and configuration options.

This page summarises operationally important security topics. The implementation details are in ACL & security.

Threat model

Redis assumes the network it runs on is trusted. By default it binds to localhost (127.0.0.1 -::1) and refuses to start in "protected mode" if you bind to a public interface without setting a password or requirepass. Even so, Redis is not designed to withstand untrusted-client attacks beyond reasonable input sanitisation:

  • Commands that admit arbitrary writes (CONFIG SET dir, MODULE LOAD, DEBUG) can compromise the host. They are gated by ACL or by enable-*-command flags but assume operators have made deliberate decisions.
  • Lua scripts run in a sandbox but the sandbox is hardened against the curious, not against adversaries with persistent compute budget.

Production deployments should:

  • Bind to a private interface or use TLS.
  • Require ACL-based authentication.
  • Keep enable-debug-command no and enable-module-command no in production.
  • Restrict who can call CONFIG, DEBUG, MODULE, SLAVEOF/REPLICAOF, FLUSHDB/FLUSHALL, SHUTDOWN, MIGRATE.

Authentication

Two paths:

  • Inline requirepass — sets the password for the default user. Backwards-compatible with old clients that issue AUTH <password>.
  • ACL usersACL SETUSER alice on >pwd ~obj:* +@read. Users are stored in memory; aclfile provides persistence. See ACL & security.

Failed auth attempts are logged in the ACL log (ACL LOG) and are visible to operators.

Authorisation (ACL)

ACL gates:

  • Which commands a user can run (per-command, per-category).
  • Which keys they can read/write (glob patterns).
  • Which Pub/Sub channels they can publish/subscribe (glob patterns).

Each connection is associated with a user; every command goes through an aclCheckAllPerm check before dispatch. A failed check returns -NOPERM ....

Module-defined commands inherit categories at registration time; modules can also register custom auth callbacks (LDAP, SSO, etc.) via RedisModule_RegisterAuthCallback.

Transport encryption (TLS)

src/tls.c provides TLSv1.2/1.3 over OpenSSL. Configure:

  • tls-port — TLS-only listener.
  • tls-cert-file, tls-key-file — server cert/key.
  • tls-ca-cert-file — for client cert validation.
  • tls-auth-clients yes/no/optional — require/accept/ignore client certs.
  • tls-protocols, tls-ciphers, tls-ciphersuites — protocol versions and cipher suites.
  • tls-cluster, tls-replication — also use TLS for cluster bus and replication.

For mTLS deployments, set tls-auth-clients yes and configure ACL users to map to certificate CNs (often via a module-defined auth callback).

Encryption at rest

Redis does not encrypt RDB or AOF files. If at-rest encryption is required, use OS-level disk encryption (LUKS, dm-crypt) or run on encrypted volumes.

Secrets in the config file

Passwords in redis.conf (requirepass, masterauth, aclfile users) are stored in plaintext. Operators should:

  • Restrict the file's permissions (chmod 600).
  • Avoid checking redis.conf into version control if it contains secrets.
  • Prefer aclfile over inline user directives — aclfile paths can have stricter permissions and are less likely to be casually shared.

In recent versions the password fields are masked when surfaced via CONFIG GET. This isn't a true secret-management story; it just keeps MONITOR output cleaner.

Command-injection mitigations

  • Lua scripts are sandboxed; no filesystem, network, or arbitrary OS calls. The bundled extensions (cjson, cmsgpack, bitop, struct) are vetted.
  • Commands like MIGRATE and RESTORE accept binary blobs that the server validates structurally before deserialising. A malformed RESTORE blob returns -DUMP payload version or checksum are wrong rather than crashing.
  • The crash handler intentionally raises the original signal after dumping, so the OS produces a real core dump; nothing in redis-server swallows SIGSEGV silently.

Surface controls

Option Default Effect
protected-mode yes Refuse external connections without auth.
enable-protected-configs no Refuse CONFIG SET of dir, dbfilename, etc.
enable-debug-command no Hide DEBUG.
enable-module-command no Hide MODULE.
loadmodule (none) Modules to preload. Each one is a host-level trust decision.

For a strict production deployment, the recommended set is:

protected-mode yes
enable-protected-configs no
enable-debug-command no
enable-module-command no
requirepass <strong-password>      # or full ACL config
bind 10.0.0.1 -::1                  # private interface only
tls-port 6379
port 0                              # disable plaintext
tls-auth-clients yes

Reporting security issues

Security disclosures go via SECURITY.md in the repository root, which directs reports to the Redis security team. CVE history is in the upstream redis-doc repo.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Security – Redis wiki | Factory