
The Meltdown and Spectre impact on Algolia infrastructure

On January 3rd, several vulnerabilities affecting modern CPU microarchitectures made news headlines. These vulnerabilities create a risk of information leakage: a program could potentially exploit them to access data that another program holds in memory. This is a major security incident.

In total, two attack vectors have been disclosed to the public:

  • Spectre: two vulnerabilities present in nearly all processors on the market. They are known as “bounds check bypass” (CVE-2017-5753) and “branch target injection” (CVE-2017-5715).
  • Meltdown: one vulnerability affecting mainly Intel CPUs, known as “rogue data cache load” (CVE-2017-5754).

Impact for Algolia

Our infrastructure is a mix of bare-metal and cloud infrastructure. Three parts of it are impacted by these security vulnerabilities.

Our API servers

These servers host our users’ data and power the indexing/search API. They are distributed worldwide in more than 50 data centers with a similar hardware configuration using Intel CPUs (mainly Intel E5-1650v4). The servers are configured and tuned for performance. We have no virtualization layer and only run our own software while applying security best practices.

The CPUs we are using are vulnerable, but the impact is mitigated because we do not expose any way to run custom code on our machines. The only way to exploit those vulnerabilities would be to gain access to the machine, and that access already exposes privileged information. Our security efforts remain oriented to making this impossible, and we are working on integrating the KPTI kernel patch and on testing and reducing the performance impact it introduces.
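One way to confirm on each host that a patched kernel reports mitigations for the three CVEs listed above. This is an added example, not Algolia's tooling: it assumes a Linux kernel that exposes `/sys/devices/system/cpu/vulnerabilities` (4.15 or a distribution backport), and the function name `check_cpu_vulns` is hypothetical.

```sh
#!/bin/sh
# Added example (not from the original post): report the kernel's own view
# of Meltdown/Spectre mitigation status via the Linux sysfs interface.

# check_cpu_vulns [DIR]
#   Prints one line per CVE and returns 0 only when every entry is
#   "Not affected" or "Mitigation: ...". DIR defaults to the real sysfs
#   path; a fixture directory can be passed instead for testing.
#   Usage: check_cpu_vulns || echo "host needs attention"
check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    # sysfs file name paired with the CVE it covers
    for entry in meltdown:CVE-2017-5754 \
                 spectre_v1:CVE-2017-5753 \
                 spectre_v2:CVE-2017-5715; do
        name="${entry%%:*}"
        cve="${entry#*:}"
        file="$dir/$name"
        if [ ! -r "$file" ]; then
            # No sysfs entry: status cannot be determined here, so fail.
            status="UNKNOWN"
            detail="no sysfs entry for $name"
            rc=1
        else
            detail="$(head -n 1 "$file")"
            case "$detail" in
                "Not affected"*) status="OK" ;;
                "Mitigation:"*)  status="MITIGATED" ;;
                # "Vulnerable..." and any unrecognised text fail closed.
                *)               status="VULNERABLE"; rc=1 ;;
            esac
        fi
        printf '%-10s %-14s %-12s %s\n' "$status" "$cve" "$name" "$detail"
    done
    return "$rc"
}
```

A host running a KPTI-enabled kernel reports `Mitigation: PTI` in the `meltdown` entry; any non-zero return from the function marks the host for follow-up.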

Our website and dashboard

We are using AWS to run our website and dashboard, and this is the place where we have our database listing users. We, of course, consider it a critical part of our infrastructure.

We closely followed the actions AWS took to protect all instances, and AWS has completed its patch deployment.

However, we decided to move all our website and dashboard virtual machines to dedicated instances to make sure we do not share our hardware with any other AWS customers. This action was not required for protection, but our general security posture is one of extreme caution.


Our analytics stack

Our analytics stack computes statistics on your search usage and analyzes query trends.

We are in the process of migrating our analytics stack to Google Compute Platform and we already have several customers running on this stack (our current stack is on bare-metal machines, so the status is similar to our API servers).

Like AWS, Google had been working on the fix for a long time, and their infrastructure is already protected against those vulnerabilities. Our stack also relies on several systems, including Pub/Sub and DataFlow, which are protected against the vulnerabilities.

Security at Algolia

Our security team constantly monitors services running on our own machines, as well as those hosted on cloud platforms, to ensure that we’re protected against the latest security vulnerabilities. If you have any questions about our process or want to share any information, feel free to reach out to the team directly at

About the author
Julien Lemoine

Co-founder & former CTO at Algolia

