TL;DR
Render provides automatic SSL, managed databases, and isolated services. Focus on environment variable security (use secret files for multi-line secrets), configure private services for internal APIs, and use Render's static outbound IPs for database allowlists. Preview environments share environment variables by default, so be careful with production secrets.
What Render Handles for You
Render's managed platform includes security features by default:
- Automatic SSL: Free TLS certificates for all services
- Isolated services: Each service runs in its own container
- Private networking: Services can communicate internally
- Managed databases: PostgreSQL and Redis with backups
- DDoS protection: Built-in protection at the edge
Environment Variables on Render
Setting Environment Variables
You can set environment variables per-service or in environment groups (shared across services):
// Node.js
const databaseUrl = process.env.DATABASE_URL;
const apiKey = process.env.API_KEY;
// Python
import os
database_url = os.environ.get('DATABASE_URL')
api_key = os.environ.get('API_KEY')
Secret Files
For multi-line secrets (like private keys), use Render's secret files feature:
# In Render dashboard, create a secret file
# Path: /etc/secrets/private-key.pem
# Contents: Your private key
# Access in code
const fs = require('fs');
const privateKey = fs.readFileSync('/etc/secrets/private-key.pem', 'utf8');
Never commit secrets: Even though Render stores secrets securely, never put them in your repository. Use Render's dashboard or environment groups.
Database Security
Render Managed Databases
Render PostgreSQL databases are secure by default:
- Encrypted at rest and in transit
- Not publicly accessible by default (internal URL only)
- Automatic daily backups
- Can enable external access with specific IPs
Internal vs External Database URLs
# Internal URL (services in same Render region)
DATABASE_URL=postgres://user:pass@dpg-xxx.oregon-postgres.render.com/db
# External URL (for local development, external services)
DATABASE_EXTERNAL_URL=postgres://user:pass@dpg-xxx.oregon-postgres.render.com:5432/db
Best practice: Use internal URLs for Render services (faster and more secure). Only enable external access when needed, and restrict it to specific IP addresses.
Private Services
Render allows creating private services that aren't publicly accessible:
# Private service URL (internal only)
INTERNAL_API=http://internal-api:10000
# From another Render service
const response = await fetch('http://internal-api:10000/process', {
  method: 'POST',
  headers: {
    // Shared secret so the private service can verify the caller (optional on Render, but recommended)
    'X-Internal-Token': process.env.INTERNAL_TOKEN,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify(data) // data: the request payload object
});
When to Use Private Services
- Background workers that process jobs
- Internal APIs not meant for public access
- Microservices that only other services call
Static Outbound IPs
Render provides static outbound IP addresses, useful for database allowlists:
# In Render dashboard, enable "Static Outbound IP Address"
# You'll get dedicated IPs for your service
# Use these IPs in your external database allowlist:
# - MongoDB Atlas Network Access
# - AWS RDS Security Groups
# - Other firewall configurations
Preview Environments
Render creates preview environments for pull requests:
Preview environments use the same environment variables as your main service by default. Consider using different databases or API keys for previews.
Securing Preview Environments
- Use separate database instances for previews
- Consider using test API keys instead of production
- Review that preview URLs aren't indexed by search engines
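Because previews inherit the main service's variables, a preview-only database or API key has to be defined alongside the production values and selected at runtime. The example below is added here and is not code from the original page or from Render. It assumes Render's documented `IS_PULL_REQUEST` variable (set to `true` in preview environments), and uses `PREVIEW_DATABASE_URL` and `PREVIEW_API_KEY` as hypothetical names for the preview-only values; a preview that lacks them refuses to start instead of falling back to production data, and a helper adds an `X-Robots-Tag` header so preview responses are not indexed.

```javascript
// Added example (not from the original page): choose preview-only configuration
// and refuse to run a preview on production values. Assumes Render's
// IS_PULL_REQUEST variable; PREVIEW_DATABASE_URL and PREVIEW_API_KEY are
// hypothetical names for values kept in a preview-only environment group.

// Render sets IS_PULL_REQUEST=true in preview environments.
function isPreview(env = process.env) {
  return env.IS_PULL_REQUEST === 'true';
}

// Pick preview-specific values when running as a preview. A missing preview
// value is an error, not a reason to use the production one, and the preview
// database must actually differ from the production database.
function selectConfig(env = process.env) {
  if (!isPreview(env)) {
    return { mode: 'production', databaseUrl: env.DATABASE_URL, apiKey: env.API_KEY };
  }
  const missing = ['PREVIEW_DATABASE_URL', 'PREVIEW_API_KEY'].filter((name) => !env[name]);
  if (missing.length > 0) {
    throw new Error(`Preview environment lacks ${missing.join(', ')}; refusing to start with production values`);
  }
  if (env.PREVIEW_DATABASE_URL === env.DATABASE_URL) {
    throw new Error('PREVIEW_DATABASE_URL must differ from DATABASE_URL');
  }
  return { mode: 'preview', databaseUrl: env.PREVIEW_DATABASE_URL, apiKey: env.PREVIEW_API_KEY };
}

// Extra response headers for previews: X-Robots-Tag tells crawlers not to
// index the preview URL. Production responses get no extra headers.
function previewResponseHeaders(env = process.env) {
  return isPreview(env) ? { 'X-Robots-Tag': 'noindex, nofollow' } : {};
}

// Merge the preview headers into a response, e.g. from an http.Server handler:
//   res.writeHead(200, withPreviewHeaders({ 'Content-Type': 'text/html' }));
function withPreviewHeaders(headers, env = process.env) {
  return { ...headers, ...previewResponseHeaders(env) };
}
```

Call `selectConfig()` at startup in place of reading `DATABASE_URL` directly; if someone later attaches the production database to a preview by mistake, the equality check turns that into a failed deploy rather than a preview writing to production.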
Render Security Checklist
Before Going to Production
- All secrets in environment variables (not code)
- Database uses internal URL where possible
- External database access restricted to specific IPs
- Internal services are set to private
- API endpoints have authentication
- Preview environments don't use production data
- Health check endpoints configured
- Logs don't contain sensitive data
Are my environment variables secure on Render?
Yes, Render encrypts environment variables at rest. They're only available to your service at runtime and aren't visible in logs. Team members with access to your Render dashboard can view them.
Can I restrict who deploys to my service?
Yes, Render has team permissions. You can control who can view, deploy, and modify services. Use these to limit production access to specific team members.
How do I connect to external databases securely?
Enable static outbound IPs on your Render service, then add those IPs to your external database's allowlist. The database then accepts connections only from your Render services' addresses, on top of its normal credential checks.
Are Render databases backed up?
Yes, Render PostgreSQL databases have automatic daily backups with point-in-time recovery. You can also create manual backups before major changes.