Upstash
Security Guide

How to Secure Your Upstash App

Last updated: April 20, 2026

Upstash provides serverless Redis and Kafka. This guide covers securing your Upstash-powered applications.

Get Starter ScanUpstash Security Overview

Why Security Matters for Upstash

Key Security Concerns

REST tokens in client JavaScript can be extracted - use read-only only
Write tokens client-side = anyone can modify your data
Rate limits prevent DoS but may block legitimate traffic if misconfigured
QStash (message queue) webhooks need signature verification
No data expiry by default - sensitive data persists until explicitly deleted

Security Strengths

REST over HTTPS - works everywhere including edge functions and browsers
Read-only tokens: safe to expose in client code for read operations
Per-database tokens with rate limiting built-in
Global edge replication with encryption in transit
SOC 2 Type II certified

Step-by-Step Security Guide

1. Protect REST Tokens

Store Upstash REST tokens in environment variables. They provide full database access.

# Environment variables
UPSTASH_REDIS_REST_URL=...
UPSTASH_REDIS_REST_TOKEN=...

2. Use Read-Only Tokens

For read-only operations, create and use read-only tokens to limit exposure risk.

3. Implement Rate Limiting

Use Upstash's @upstash/ratelimit to protect your APIs from abuse.

import { Ratelimit } from '@upstash/ratelimit';
const ratelimit = new Ratelimit({
  redis: Redis.fromEnv(),
  limiter: Ratelimit.slidingWindow(10, '10 s'),
});

4. Secure Edge Deployments

Upstash REST API works at the edge. Ensure tokens aren't exposed in client-side code.

5. Don't Store Sensitive Data Unencrypted

Encrypt sensitive data before storing in Redis. Use application-level encryption.

6. Monitor Access Patterns

Use Upstash console to monitor for unusual access patterns that might indicate compromise.

Common Security Mistakes

Avoid these common Upstash security pitfalls:

REST tokens in client-side code
Full-access tokens for read-only operations
Storing sensitive data without encryption
No rate limiting on public endpoints
Ignoring access pattern anomalies

Recommended Security Tools

Use these tools to maintain security throughout development:

VAS Security Scanner
npm audit / yarn audit
Git-secrets
Snyk

Ready to Secure Your App?

Security is an ongoing process, not a one-time checklist. After implementing these steps, use VAS to verify your Upstash app is secure before launch, and consider regular scans as you add new features.

Start Security Scan

Frequently Asked Questions

Can I use Upstash from the browser?

Technically yes with REST API, but don't expose tokens client-side. Use server-side routes or edge functions as a proxy to keep tokens secure.

How do I secure sensitive data in Upstash Redis?

Encrypt sensitive data at the application level before storing. Upstash encrypts at rest, but application-level encryption adds defense in depth.

Explore Related Resources

More on Upstash Security

Every angle of Upstash security — from the specific findings we detect to step-by-step fixes.

Upstash Security Scanner

Hub page: scan your Upstash app for vulnerabilities.

Upstash Security Risks

Specific risks we find in Upstash apps, with real-world examples.

Upstash Security Issues

Issues grouped by severity with detection and fix steps.

Upstash Best Practices

Remediation playbook derived from Upstash's actual failure modes.

Is Upstash Safe?

Honest assessment of Upstash's production readiness.

Upstash Security Checklist

Pre-launch checklist covering every finding class for Upstash.

Related Security Resources

Upstash SecurityIs Upstash Safe?Upstash Security Checklist

Similar Platforms

How to Secure VercelHow to Secure NetlifyHow to Secure Supabase