Redis Security

It is important that the Redis database is secured so that any unwanted user is unable to access the data. Security is also required to restrict an attacker from executing a command, like FLUSHALL, which can delete the entire data.

Redis supports a very basic security system to protect the connection between the client and the server via a plain-text password. To secure Redis, the password should be set in the config file.

Redis only supports basic security mechanisms. Anyone who knows the password can access the data in Redis. It is not possible to have users with different permission levels in Redis.

How Redis is secured

By default, authentication is not enabled in Redis. It can be enabled through the requirepass configuration. To check if authentication is enabled, a user can run the following command:

config get requirepass

As you can see in the example below, the password field is blank. This means the authentication is not enabled.

We can enable it by setting the password as shown below.

config set requirepass password

Now if a user tries to read or write data to Redis, they will get a NOAUTH authentication required error, as shown below.

The user will need to authenticate with the Redis server. After they have done this, they can store and retrieve data from Redis. The user can authenticate using the command below:

AUTH password

Now that the user is authenticated, they can execute commands on this instance.