skills/redis-development/rules/security-auth.md

1.9 KiB

title impact impactDescription tags description alwaysApply
Always Use Authentication in Production HIGH Prevents unauthorized access to your data security, authentication, password, tls, ssl Always Use Authentication in Production true

Always Use Authentication in Production

Never run Redis without authentication in production environments.

Correct: Use password and TLS.

Python (redis-py):

r = redis.Redis(
    host='localhost',
    port=6379,
    password='your-strong-password',
    ssl=True,
    ssl_cert_reqs='required'
)

Java (Jedis):

import redis.clients.jedis.*;
import javax.net.ssl.*;
import java.security.KeyStore;

// Create SSL context with trust store and key store
KeyStore trustStore = KeyStore.getInstance("jks");
trustStore.load(new FileInputStream("./truststore.jks"), "password".toCharArray());

TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
tmf.init(trustStore);

SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, tmf.getTrustManagers(), null);

JedisClientConfig config = DefaultJedisClientConfig.builder()
    .ssl(true)
    .sslSocketFactory(sslContext.getSocketFactory())
    .user("redisUser")
    .password("redisPassword")
    .build();

JedisPooled jedis = new JedisPooled(new HostAndPort("redis-host", 6379), config);

Incorrect: Connecting without authentication.

Python (redis-py):

# Bad: No authentication
r = redis.Redis(host='localhost', port=6379)

Java (Jedis):

// Bad: No authentication or TLS
UnifiedJedis jedis = new UnifiedJedis("redis://localhost:6379");

Configuration:

# redis.conf
requirepass your-strong-password
tls-port 6380
tls-cert-file /path/to/redis.crt
tls-key-file /path/to/redis.key

Reference: Redis Security