Skip to content

Require authentication with Redis ACL users

Severity: criticalApplies to: Redis 6.x+Applies to: Redis 8.xApplies to: Valkey 8.x / 9.x
The fix/etc/redis/redis.conf
Terminal window
user default off
user app on >REPLACE_WITH_LONG_RANDOM_SECRET ~app:* &* +@all -@dangerous

Generate a real secret rather than inventing one:

Terminal window
openssl rand -base64 48

Then restart, and update your application’s connection string to authenticate as app.

Redis executes whatever it is told. Without authentication, anyone who reaches the port can read every key, delete the dataset with a single FLUSHALL, and — via CONFIG SET — write files as the Redis user, which is a well-trodden path to code execution.

Authentication is the layer that survives a network mistake. It is not the primary control — binding is — but it is what stands between a misconfigured firewall rule and a total compromise.

Since Redis 6, ACLs are the recommended authentication method, and requirepass is a compatibility layer that simply sets the password for the default user. It is not a separate, simpler system — it is one shared account with unlimited permissions.

That distinction is the whole argument:

requirepass ACL users
Identity One shared secret Named users
Permissions Everything Scoped per user
Rotation Restart every client at once Per user
Audit Cannot tell callers apart ACL WHOAMI, per-user

Turning off default and creating a named user for each caller costs one line each and gives you the thing shared secrets can never give you: the ability to revoke one client without breaking the rest.

user app on >secret ~app:* &* +@all -@dangerous
Token Meaning
on Account enabled
>secret Add this password
~app:* May only touch keys matching app:*
&* May use any pub/sub channel
+@all -@dangerous Allow everything except the dangerous category

Key patterns are the underused half. A cache user scoped to ~cache:* cannot read your session keys even if the credential leaks — that’s a blast-radius reduction no password length gives you.

For an aclfile instead of inline config, see restricting commands, which covers the category rules in detail.