Upstash

Upstash Security Best Practices

Secure your Upstash databases with these essential practices. From token management to encryption.

Verify your app follows these best practices automatically.

Upstash provides serverless Redis and Kafka with per-request pricing. These practices help you secure your serverless data stores properly.

Quick Wins

Move tokens to environment variables

Verify TLS is enabled for connections

Use separate databases per environment

Set up usage alerts

Implement rate limiting on public APIs

Security Best Practices

#1Use REST API Tokens Appropriately

critical

Upstash provides REST tokens for serverless access. Understand the security implications.

Implementation

Use read-only tokens where possible, never expose tokens in client-side code

#2Store Tokens in Environment Variables

critical

Never hardcode Upstash tokens. Use environment variables for all deployments.

Implementation

Set UPSTASH_REDIS_REST_URL and UPSTASH_REDIS_REST_TOKEN as env vars

#3Enable TLS Encryption

high

Ensure all connections to Upstash use TLS encryption.

Implementation

Use TLS endpoint URLs, verify SSL in connection strings

#4Use Separate Databases per Environment

high

Don't share Redis databases between production and development.

Implementation

Create separate Upstash databases for dev/staging/prod

#5Implement Rate Limiting

high

Use Upstash rate limiting to protect your APIs from abuse.

Implementation

Use @upstash/ratelimit library for API endpoint protection

#6Monitor Usage and Costs

medium

Set up alerts for unusual usage patterns that might indicate abuse.

Implementation

Configure usage alerts in Upstash dashboard

Common Mistakes to Avoid

Tokens in client-side code

Why it's dangerous:

Anyone can see and use your tokens

How to fix:

Only use Upstash tokens server-side, use API routes

Shared database across environments

Why it's dangerous:

Development can affect production data

How to fix:

Create separate databases for each environment

No rate limiting on public APIs

Why it's dangerous:

APIs can be abused, increasing costs

How to fix:

Use @upstash/ratelimit to protect endpoints

Verify Your Upstash App Security

Following best practices is the first step. Verify your app is actually secure with a comprehensive security scan.

Get Starter Scan

Frequently Asked Questions

Is Upstash secure?

Yes, Upstash encrypts data at rest and in transit. Security depends on proper token management - never expose tokens client-side and use separate databases per environment.

Can I use Upstash tokens in browser code?

No, never expose Upstash tokens in client-side code. Use server-side API routes to access Upstash, then expose only the data you need to the client.

How do I protect my APIs with Upstash?

Use @upstash/ratelimit to implement rate limiting on your API routes. This prevents abuse and controls costs by limiting requests per user/IP.

Related Upstash Security Resources

Upstash Security Overview Upstash Security Issues Upstash Security Risks Is Upstash Safe?

Similar Platforms

Vercel Best Practices Netlify Best Practices Supabase Best Practices

Last updated: January 2026