Skip to content

Restrict dangerous Redis commands with ACLs

Severity: highApplies to: Redis 6.x+Applies to: Redis 8.xApplies to: Valkey 8.x / 9.x
The fix/etc/redis/redis.conf
Terminal window
user app on >YOUR_SECRET ~app:* &* +@all -@dangerous -@admin

Or against a running server, without a restart:

Terminal window
redis-cli ACL SETUSER app on '>YOUR_SECRET' '~app:*' '&*' +@all -@dangerous -@admin
redis-cli CONFIG REWRITE

A handful of Redis commands do far more than read and write keys:

  • FLUSHALL / FLUSHDB erase the dataset in one call, with no confirmation.
  • CONFIG SET changes the working directory and dump filename at runtime, which is what turns Redis access into arbitrary file writes and then code execution.
  • MODULE LOAD loads a shared library — code execution by design.
  • REPLICAOF / SLAVEOF repoints the instance at an attacker’s server.
  • DEBUG does things no application needs.
  • KEYS blocks the server while it scans everything — a denial of service from a single careless call.

An application almost never needs any of them. Removing them costs nothing and takes the worst outcomes off the table even if the credential leaks.

rename-command is deprecated — this is the part most guides get wrong

Section titled “rename-command is deprecated — this is the part most guides get wrong”

Search for Redis hardening and you will be told to do this:

Terminal window
# Do not do this.
rename-command FLUSHALL ""
rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52

Redis’s own documentation now marks that method deprecated, stating it “may be removed in future versions” and that you should “use ACL rules to disallow specific commands” instead.

It is worth understanding why, because the reasoning outlives the directive:

  • It is server-wide. Renaming CONFIG removes it from your admin tooling and your monitoring too, not just from the application. ACLs are per-user, so the app loses CONFIG while an admin user keeps it.
  • It needs a restart to change, whereas ACL SETUSER takes effect immediately.
  • Renaming to an unguessable string is obscurity. The command still exists; anyone who reads your config has it.
  • It breaks clients and libraries that reasonably expect standard command names.

If you inherit a config using rename-command, it still works today. Treat it as technical debt with a deprecation notice attached, and migrate it to ACL rules.

Redis groups commands into categories, so you can deny a class rather than maintain a list that goes stale with every release:

Terminal window
+@all -@dangerous -@admin

Don’t take anyone’s word for what a category contains — including this page. Ask your server, because membership varies across versions:

Terminal window
redis-cli ACL CAT dangerous
redis-cli ACL CAT admin

Two things commonly surprise people: KEYS is in @dangerous (it’s there for the performance reason above, not a security one), and so is SHUTDOWN. If your application legitimately needs one command from a denied category, add it back explicitly rather than reopening the category:

Terminal window
+@all -@dangerous +keys