Restrict dangerous Redis commands with ACLs
/etc/redis/redis.confuser app on >YOUR_SECRET ~app:* &* +@all -@dangerous -@adminOr against a running server, without a restart:
redis-cli ACL SETUSER app on '>YOUR_SECRET' '~app:*' '&*' +@all -@dangerous -@adminredis-cli CONFIG REWRITEWhy it matters
Section titled “Why it matters”A handful of Redis commands do far more than read and write keys:
FLUSHALL/FLUSHDBerase the dataset in one call, with no confirmation.CONFIG SETchanges the working directory and dump filename at runtime, which is what turns Redis access into arbitrary file writes and then code execution.MODULE LOADloads a shared library — code execution by design.REPLICAOF/SLAVEOFrepoints the instance at an attacker’s server.DEBUGdoes things no application needs.KEYSblocks the server while it scans everything — a denial of service from a single careless call.
An application almost never needs any of them. Removing them costs nothing and takes the worst outcomes off the table even if the credential leaks.
rename-command is deprecated — this is the part most guides get wrong
Section titled “rename-command is deprecated — this is the part most guides get wrong”Search for Redis hardening and you will be told to do this:
# Do not do this.rename-command FLUSHALL ""rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52Redis’s own documentation now marks that method deprecated, stating it “may be removed in future versions” and that you should “use ACL rules to disallow specific commands” instead.
It is worth understanding why, because the reasoning outlives the directive:
- It is server-wide. Renaming
CONFIGremoves it from your admin tooling and your monitoring too, not just from the application. ACLs are per-user, so the app losesCONFIGwhile an admin user keeps it. - It needs a restart to change, whereas
ACL SETUSERtakes effect immediately. - Renaming to an unguessable string is obscurity. The command still exists; anyone who reads your config has it.
- It breaks clients and libraries that reasonably expect standard command names.
If you inherit a config using rename-command, it still works today. Treat it as
technical debt with a deprecation notice attached, and migrate it to ACL rules.
Categories beat listing commands
Section titled “Categories beat listing commands”Redis groups commands into categories, so you can deny a class rather than maintain a list that goes stale with every release:
+@all -@dangerous -@adminDon’t take anyone’s word for what a category contains — including this page. Ask your server, because membership varies across versions:
redis-cli ACL CAT dangerousredis-cli ACL CAT adminTwo things commonly surprise people: KEYS is in @dangerous (it’s there
for the performance reason above, not a security one), and so is SHUTDOWN. If
your application legitimately needs one command from a denied category, add it
back explicitly rather than reopening the category:
+@all -@dangerous +keysRelated
Section titled “Related”- Require authentication with ACL users — the user these rules attach to.
- Redis exposed to the internet — what
CONFIG SETenables.