All articles

Fly.io Machines Exposing Internal Redis — One Network Flag Away

Fly.io Machines Exposing Internal Redis — One Network Flag Away

Fly's default networking lets machines in the same org talk to each other — and sometimes lets the public internet talk to them too. Redis on Fly is a common casualty.

June 24, 2026VibeWShield Team1 min read

Fly.io deploys are fast. Fly's networking is opinionated and trips up beginners, usually when the AI scaffolds a fly.toml with broad port exposure.

Common misconfig

[[services]]
  internal_port = 6379
  protocol = "tcp"
 
  [[services.ports]]
    port = 6379

That last block publishes Redis on <app>.fly.dev:6379 to the whole internet. An attacker finds your app, issues AUTH without credentials (default Redis doesn't require auth), and dumps everything.

Detect

# From anywhere in the world:
redis-cli -h your-app.fly.dev -p 6379 PING
# PONG = game over

Fix

  • Move Redis to the Fly private network (.internal domain). Don't add [[services]] for it at all — only the app that needs it can reach it.
  • If you MUST expose it: requirepass on Redis + IP allowlist ([services.ports.tcp] with restricted_ips).

VibeWShield's database_infra scanner tries Redis, Mongo, Postgres, etc. on every scan target. An open Redis is CRITICAL severity — half the breach reports you see on r/cybersecurity start with this pattern.

Free security scan

Test your app for these vulnerabilities

VibeWShield automatically scans for everything covered in this article and more — 18 security checks in under 3 minutes.

Scan your app free