Security Considerations for Redis Software

Securing Redis Software requires thoughtful configuration across user access, encryption, authentication, and system visibility. This guide outlines the most critical security practices for engineering teams, covering access controls (RBAC, ACLs, LDAP), TLS and certificate management, audit logging, and common issues. Use this as a foundational checklist when hardening production clusters or aligning Redis environments with internal security policies.

Security vulnerabilities and CVEs: If you are looking for information about Redis vulnerabilities, CVEs, security advisories, or security patches, start with the Redis Trust Center.
The Redis Trust Center provides official Redis security and compliance information, including vulnerability updates, reports, policies, and security review resources. 

Security Best Practices

• Deploy Redis Software in a private, trusted network (never expose it publicly).

• Enforce HTTPS for all UI and API access.

• Set antivirus exclusions for critical paths like:

  •  /opt/redislabs (main installation directory)

  • /opt/redislabs/bin (binaries for utilities)

  • /opt/redislabs/config (system configuration files)

  • /opt/redislabs/lib (system library files)

  • /opt/redislabs/sbin (system binaries for provisioning).

• Use an odd number of nodes (minimum 3) for HA quorum.

• Forward logs to a remote syslog server for secure, long-term retention.

User Access (RBAC & ACLs)

Recommendations:

• Use Role-Based Access Control (RBAC) for the admin console, API, and DBs.

• Create Access Control Lists (ACLs) for scoped, reusable permission sets.

• Restrict app users from accessing the control plane.

• Deactivate the default user once access policies are configured.

  • Enabled by default for backward compatibility with applications built before Redis Enterprise 6.

  • If your application uses ACLs, disabling the default user is recommended to enforce stricter access controls.

Configuration Steps:

1. Log into the admin console → Security

2. Create roles with scoped permissions

3. Assign users to appropriate roles

4. Verify access via test logins

5. Remove or deactivate the “default” user

Cluster Security

• Control the level of access to your system: Redis Software lets you decide which users can access the cluster, which users can access databases, and which users can access both. We recommend preventing database users from accessing the cluster.

• Enable LDAP authentication: If your organization uses ‌LDAP, we recommend enabling the Redis Software support for role-based LDAP authentication.

• Require HTTPS for API endpoints: Redis Software comes with a REST API to help automate tasks. This API is available in both an encrypted and unencrypted endpoint for backward compatibility. You can disable the unencrypted endpoint with no loss in functionality.

Database Security

Recommendations:

• Enforce strong, complex passwords for database users that align with your organization’s security policy.

• Set policies for password expiration and rotation.

• Consider using password managers for secure password generation and storage.

• Regularly audit password strength across all database users.

• Deactivate the default user (enabled by default for legacy support).

To Deactivate the Default User:

Important: Ensure alternative authentication methods are configured before deactivating.

1. Admin console → Databases → Users

2. Select the “default” user

3. Click Deactivate

4. Validate with a test connection

TLS & Certificate Authentication

Recommendations:

• Enable TLS for all connections, client, node-to-node, proxies, syncers. Configure TLS protocols to support your security and compliance needs.

• Use CA-signed certificates for production environments. Redis implements self-signed certificates for the database proxy and replication service by default, but many organizations prefer to use their own certificates.

• Rotate certificates regularly; monitor expiration dates.

• Enable mTLS if mutual client-server authentication is required.

• Configure cipher suites to meet internal security/compliance standards.

To Enable Client Certificate Authentication:

1. Generate client cert signed by internal CA

2. Admin console → Security → Upload Certificates

3. Configure the database to require certificate-based authentication

4. Test connection with a valid certificate

LDAP Authentication

Recommendations:

• Enable LDAP via the Security tab in the admin console

• Map LDAP groups to RBAC roles

• Ensure proper network access from Redis Software to the LDAP server

Monitoring & Auditing

Recommendations:

• Enable comprehensive auditing for:

  • Logins

  • Role/config changes

  • Failed authentication attempts

• Forward all logs to a remote syslog server

• Set up alerting for suspicious or failed events

Troubleshooting Common Issues