
Redis Security
Lock down production Redis with ACL least privilege, TLS, and auth instead of a shared default-user password.
Install
npx skills add https://github.com/redis/agent-skills --skill redis-security
What is this skill?
- ACL SETUSER patterns for read-only, writer (-@dangerous), and sparse admin roles
- Production rule: never run Redis without authentication; TLS called out alongside passwords
- redis-py connection examples for password and TLS-aware clients
- Documents ACL command categories: @read, @write, @dangerous, @admin
- Contrasts per-user ACLs vs a single requirepass on the default user
Adoption & trust: 1 install on skills.sh; 70 GitHub stars; trending (+100% hot-view momentum).
SKILL.md - Redis Security
```json
{
  "name": "redis-security",
  "version": "1.0.0",
  "description": "Redis security hardening — authentication and TLS, ACL-based least privilege, network bind, firewall, command renaming.",
  "author": { "name": "Redis", "email": "support@redis.com" },
  "homepage": "https://redis.io",
  "repository": "https://github.com/redis/agent-skills",
  "license": "MIT",
  "keywords": ["redis", "security", "acl", "auth", "tls", "hardening"]
}
```

# Use ACLs for Fine-Grained Access Control

Create users with only the permissions they need (principle of least privilege).

**Correct:** Create specific users with limited permissions.

```
# Read-only user for cache access
ACL SETUSER app_readonly on >password ~cache:* +get +mget +scan

# Writer that can't run dangerous commands
ACL SETUSER app_writer on >password ~* +@all -@dangerous

# Admin user (use sparingly)
ACL SETUSER admin on >strong-password ~* +@all
```

**Incorrect:** Using the default user for everything.

```
# Bad: Single password for all access
requirepass shared-password
```

**ACL categories:**

- `@read` - Read commands
- `@write` - Write commands
- `@dangerous` - Commands like FLUSHALL, DEBUG
- `@admin` - Administrative commands

Reference: [Redis ACL](https://redis.io/docs/latest/operate/oss_and_stack/management/security/acl/)

# Always Use Authentication in Production

Never run Redis without authentication in production environments.

**Correct:** Use password and TLS.

**Python** (redis-py):

```python
import redis

r = redis.Redis(
    host='localhost',
    port=6379,
    password='your-strong-password',
    ssl=True,
    ssl_cert_reqs='required'
)
```

**Java** (Jedis):

```java
import redis.clients.jedis.*;
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.security.KeyStore;

// Create an SSL context that trusts the server certificate held in the trust store
KeyStore trustStore = KeyStore.getInstance("jks");
trustStore.load(new FileInputStream("./truststore.jks"), "password".toCharArray());
TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
tmf.init(trustStore);
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, tmf.getTrustManagers(), null);

// Authenticate as a dedicated ACL user over TLS
JedisClientConfig config = DefaultJedisClientConfig.builder()
    .ssl(true)
    .sslSocketFactory(sslContext.getSocketFactory())
    .user("redisUser")
    .password("redisPassword")
    .build();

JedisPooled jedis = new JedisPooled(new HostAndPort("redis-host", 6379), config);
```

**Incorrect:** Connecting without authentication.

**Python** (redis-py):

```python
import redis

# Bad: No authentication
r = redis.Redis(host='localhost', port=6379)
```

**Java** (Jedis):

```java
// Bad: No authentication or TLS
UnifiedJedis jedis = new UnifiedJedis("redis://localhost:6379");
```

**Configuration:**

```
# redis.conf
requirepass your-strong-password
tls-port 6380
tls-cert-file /path/to/redis.crt
tls-key-file /path/to/redis.key
```

With this configuration TLS is served on port 6380, so a client that sets `ssl=True` must connect to that port; the plaintext listener on 6379 stays open unless `port 0` is also set.

Reference: [Redis Security](https://redis.io/docs/latest/operate/oss_and_stack/management/security/)

# Secure Network Access

Restrict network access to Redis to only trusted sources.

**Correct:** Bind to specific interfaces.

```
# redis.conf
bind 127.0.0.1 192.168.1.100
protected-mode yes
```

**Correct:** Use firewall rules.

```bash
# Allow only application servers
iptables -A INPUT -p tcp --dport 6379 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 6379 -j DROP
```

**Incorrect:** Exposing Redis to the internet.

```
# Bad: Binds to all interfaces
bind 0.0.0.0
protected-mode no
```

**Security checklist:**

- Use TLS for connections
- Bind to specific interfaces, not `0.0.0.0`
- Use firewall rules to restrict access
- Disable dangerous commands in production

```
# Disable dangerous commands
rename-command FLUSHALL ""
rename-command DEBUG ""
rename-command CONFIG ""
```

Reference: [Redis Security](https://redis.io/docs/latest/operate/oss_and_stack/management/security/)

```yaml
---
name: redis-security
description: Redis security guidance covering authentication (requirepass and ACL users), TLS, ACL-based
```
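As an added check (not part of the redis/agent-skills skill), the following Python audits `ACL LIST` output against the rules this skill states: no enabled user may carry `nopass`, and `@dangerous` should remain reachable only by the sparse admin role. The sample lines are constructed to mimic `ACL LIST`; `#<sha256>` is a placeholder for a password hash.

```python
"""Audit `ACL LIST` output against the rules above: no `nopass` users, and
@dangerous reachable only by the admin role. Added example, not part of
redis/agent-skills; sample lines are constructed to mimic `ACL LIST`."""
from dataclasses import dataclass

@dataclass
class AclUser:
    name: str
    enabled: bool = False
    nopass: bool = False
    dangerous_allowed: bool = False  # net effect of +/- rules applied in order

def parse_acl_line(line: str) -> AclUser:
    # Rules are applied left to right, as Redis does, so "+@all -@dangerous" ends denied.
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError(f"not an ACL LIST line: {line!r}")
    user = AclUser(name=tokens[1])
    for tok in tokens[2:]:
        if tok in ("on", "off"):
            user.enabled = tok == "on"
        elif tok == "nopass":
            user.nopass = True
        elif tok.startswith((">", "#")):  # plaintext or SHA-256 password clears nopass
            user.nopass = False
        elif tok in ("allcommands", "+@all", "+@dangerous"):
            user.dangerous_allowed = True
        elif tok in ("nocommands", "-@all", "-@dangerous"):
            user.dangerous_allowed = False
        # Key/channel patterns and individual +cmd/-cmd rules are not evaluated here.
    return user

def audit(acl_list_lines):
    # Return (user, finding) pairs for enabled users that break the rules.
    findings = []
    for user in map(parse_acl_line, acl_list_lines):
        if not user.enabled:
            continue
        if user.nopass:
            findings.append((user.name, "no authentication required (nopass)"))
        if user.dangerous_allowed:
            findings.append((user.name, "@dangerous allowed (admin roles only)"))
    return findings

# Constructed sample modelled on ACL LIST output; "#<sha256>" stands in for a hash.
SAMPLE_ACL_LIST = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user app_readonly on #<sha256> ~cache:* resetchannels -@all +get +mget +scan",
    "user app_writer on #<sha256> ~* resetchannels +@all -@dangerous",
    "user admin on #<sha256> ~* &* +@all",
]
```

Running `audit(SAMPLE_ACL_LIST)` flags the `default` user twice (nopass and full command access) and `admin` once, while `app_readonly` and `app_writer` pass.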