Security Guidelines

Shared Memory Security

With the shared memory (SHM) backend, data is stored in nginx's in-process shared memory.

Recommendations:

Do not use it to store sensitive data (passwords, tokens, etc.)
It is suitable for storing temporary, non-sensitive data (session state, cache, etc.)

When using the Redis backend, data is transmitted over the network.

Note: This module does not natively support Redis AUTH (password authentication) or TLS (encrypted communication).

Recommendations:

Implement network isolation
- Bind to localhost only with bind 127.0.0.1
- Restrict access to the internal network
Enable protected-mode yes (default since Redis 3.2)
If communication over the network is required, use a TLS proxy between this module and Redis
- Tunneling via stunnel
- TLS proxy feature in Redis 6 and later
If Redis AUTH (requirepass) is enabled, a proxy that handles authentication is also required, as this module does not send AUTH commands

Improper key design can lead to security risks.

Patterns to avoid:

Recommended patterns:

Use composite keys (e.g., combine multiple variables like $request_method:$uri)
Add namespaces to zone names to prevent conflicts between HTTP and Stream
- Example: http_session_zone, stream_rate_zone
Be aware of key length limits (the shared memory slab allocator has constraints)

Without TTL (Time-To-Live) settings, data accumulates indefinitely.

For shared memory:

Zones without TTL settings will grow until memory is exhausted
When memory is exhausted, adding new entries will fail
TTL uses lazy expiry: expired entries are only reclaimed when accessed again, so write-once workloads may still exhaust the zone even with TTL enabled

For Redis:

Recommendations: