Access to memcached is not protected by a username and password, neither is the data within it. So while access control does not exist natively for memcached, simple things can be done to harden your instance of memcached to make it secure:
- Prevent external access – Deploy memcached behind your firewall and only allow machines from within a specific network to access to the cache.
- Encrypt the data you store in the cache â€“ I personally feel like this is overkill because for most applications it adds an extra hoop to jump through every single time you visit the cache. But for the hyper-paranoid that work in shared environments, I suppose this is something worth considering.
- Choose obscure keys â€“ there is no way for a user to query memcached for a list of keys, therefore the only way for someone to retrieve information stored there is if they know the key for the corresponding information. Therefore, if your keys have predictable names then it would be relatively easy for someone to guess them. So make your keys somewhat obscure. Consider creating a simple key like â€œobject:10032â€ and then generate a sha1 hash of it. This will create a very obscure key name while using a very standard, easy to remember key naming scheme of your choosing.
So is memcached secure? Well, while it does not have built in security features, it can easily be made secure.