Fly.io Machines Exposing Internal Redis — One Network Flag Away

Fly's default networking lets machines in the same org talk to each other — and sometimes lets the public internet talk to them too. Redis on Fly is a common casualty.
Fly.io deploys are fast. Fly's networking is opinionated and trips up beginners, usually when the AI scaffolds a fly.toml with broad port exposure.
Common misconfig
[[services]]
internal_port = 6379
protocol = "tcp"
[[services.ports]]
port = 6379That last block publishes Redis on <app>.fly.dev:6379 to the whole internet. An attacker finds your app, issues AUTH without credentials (default Redis doesn't require auth), and dumps everything.
Detect
# From anywhere in the world:
redis-cli -h your-app.fly.dev -p 6379 PING
# PONG = game overFix
- Move Redis to the Fly private network (
.internaldomain). Don't add[[services]]for it at all — only the app that needs it can reach it. - If you MUST expose it:
requirepasson Redis + IP allowlist ([services.ports.tcp]withrestricted_ips).
VibeWShield's database_infra scanner tries Redis, Mongo, Postgres, etc. on every scan target. An open Redis is CRITICAL severity — half the breach reports you see on r/cybersecurity start with this pattern.
Free security scan
Test your app for these vulnerabilities
VibeWShield automatically scans for everything covered in this article and more — 18 security checks in under 3 minutes.
Scan your app free