by schtono 5629 days ago
Memcache, for example, is explicitly not meant to be run with "public access", as it is not secured against attacks. I am pretty sure the same applies to redis.

If my assumption is correct, I wonder why one should use a (potentially slower) HTTP client or protocol in favor of the "native" protocol.

3 comments

Hello, good point, but I think the idea of the author (according to what I read on the Redis mailing list) is to provide some kind of access control list.

I think the most interesting practical application of a Redis HTTP interface is accessing your Redis database directly from JavaScript.

One such simple ACL is to deny all the commands but the few you use, and use unguessable key names. This is good for a low level of security. There are of course much better ways... but I'm curious about how this could evolve.

(I'm the author of Webdis)

As antirez pointed out, there are indeed ACLs in Webdis. You can enable or disable commands using a CIDR match and/or HTTP Basic Auth. (ex: disable all write commands for everyone, but enable SET for authenticated clients on the local network).
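The policy described in the comment above (write commands disabled for everyone, SET re-enabled for authenticated clients on the local network), modelled as an added example that is not Webdis's own code or configuration format. The rule field names, the in-order evaluation where a later matching rule overrides an earlier one, the write-command list, the network and the credentials are all assumptions made for illustration.

```python
import base64
import hmac
import ipaddress

# Hypothetical rules; field names are this example's own, not Webdis config keys.
# Network, credentials and the write-command list are constructed sample values.
WRITES = {"SET", "DEL", "INCR", "LPUSH", "FLUSHDB", "FLUSHALL"}
RULES = [
    {"disabled": WRITES},                                   # everyone: no writes
    {"cidr": "192.168.0.0/24", "basic_auth": "app:s3cret",  # LAN + auth: SET only
     "enabled": {"SET"}},
]

def basic_header(user_pass):
    """Build the request header a client would send for HTTP Basic Auth."""
    return {"Authorization": "Basic " + base64.b64encode(user_pass.encode()).decode()}

def credentials(headers):
    """Return 'user:password' from a Basic Authorization header, or None."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None

def rule_matches(rule, client_ip, headers):
    """A rule applies only if every condition it names (CIDR, auth) holds."""
    if "cidr" in rule:
        if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(rule["cidr"]):
            return False
    if "basic_auth" in rule:
        supplied = credentials(headers)
        if supplied is None or not hmac.compare_digest(
                supplied.encode(), rule["basic_auth"].encode()):
            return False
    return True

def is_allowed(command, client_ip, headers, rules=RULES, default=True):
    """Apply matching rules in order; a later match overrides an earlier one."""
    cmd, allowed = command.upper(), default
    for rule in rules:
        if rule_matches(rule, client_ip, headers):
            if cmd in rule.get("disabled", ()):
                allowed = False
            if cmd in rule.get("enabled", ()):
                allowed = True
    return allowed
```

Calling `is_allowed` with `default=False` gives the stricter policy from the earlier comment, where every command is denied unless a matching rule enables it.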

Another use is for obtaining an async redis connection using async http frameworks that may not include a redis client, e.g. tornado. I'm doing something like this at the moment using tornado's async http client talking to a nodejs http server that is basically proxy'ing some simple redis commands.