Redis: protected-mode and weak ACL configuration
Redis serves as a Swiss Army knife for data, queues, logs and more, so the data it holds is very likely sensitive and needs proper security around it.
This is why user authentication (ACL) in Redis should use strong passwords, following the usual strong-password best practices.
Setting protected-mode no while also allowing a nopass user creates a gap in security. It is strongly recommended to use protected-mode yes.
Problem
In redis.conf:
protected-mode no
Fix
In redis.conf:
protected-mode yes
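An added example, not part of the original page or of Redis itself: a small audit that scans redis.conf text for the two weak settings described above, protected-mode no and an ACL user left usable with nopass. The sample config, user names and password placeholder are constructed, and the rule handling is a simplified reading of how ACL rules apply left to right.

```python
import shlex

# Constructed sample config (user names and password are placeholders).
SAMPLE_CONF = """\
bind 0.0.0.0
protected-mode no
user default on nopass ~* +@all
user worker on nopass >example-placeholder ~jobs:* +@list
user legacy off nopass ~* +@all
"""

def user_is_passwordless(rules):
    """Apply ACL rules left to right; True if the user ends up usable with nopass."""
    enabled, nopass = None, False  # None: no explicit on/off seen (treated as suspect)
    for rule in rules:
        r = rule.lower()
        if r == "on":
            enabled = True
        elif r == "off":
            enabled = False
        elif r == "reset":
            enabled, nopass = False, False
        elif r == "nopass":
            nopass = True
        elif r == "resetpass" or rule[:1] in (">", "#"):
            nopass = False  # adding a password (or resetpass) clears the nopass flag
    return nopass and enabled is not False

def audit_redis_conf(text):
    """Return (line_number, finding) tuples for the weak settings this page describes."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            args = shlex.split(line)  # approximates redis.conf quoting
        except ValueError:
            args = line.split()
        directive, params = args[0].lower(), args[1:]
        if directive == "protected-mode" and params and params[0].lower() == "no":
            findings.append((number, "protected-mode is disabled"))
        elif directive == "user" and params and user_is_passwordless(params[1:]):
            findings.append((number, f"ACL user {params[0]!r} is usable without a password"))
    return findings

if __name__ == "__main__":
    for number, finding in audit_redis_conf(SAMPLE_CONF):
        print(f"line {number}: {finding}")
```

The worker and legacy lines are not flagged: the first adds a password after nopass, which clears the flag, and the second is switched off.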