Yep, however people don't configure things properly so many years ago I introduced a middle ground between not listening to * (which makes things harder for users in actual deployment systems) and leaving the server exposed, that is: protected mode. If Redis has the default configuration to bind all the addresses and no auth is configured, it refuses commands and informs you how to configure it properly. This avoided many security problems, and avoid also the feeling I always had as a user of other systems defaulting to binding to only local interfaces, where you need to understand what to do in order to make it reachable from other computers.