MongoDB Configuration Hardening
HTTP Status Interface

Warning
Ensure that the HTTP status interface, the REST API, and the JSON API are all disabled in production environments to prevent potential data exposure and vulnerability to attackers.

Deprecated since version 3.2: HTTP interface for MongoDB

Changed in version 2.6: The mongod and mongos instances run with the HTTP interface disabled by default. See the net.http.enabled setting.
The HTTP status interface provides a web-based interface that includes a variety of operational data, logs, and status reports regarding the mongod or mongos instance. The HTTP status interface is disabled by default and is not recommended for production use.
The net.http.enabled setting enables the HTTP status interface. When it is enabled without the net.http.RESTInterfaceEnabled setting, the HTTP interface is entirely read-only and limited in scope.
The HTTP interface uses the port that is 1000 greater than the primary mongod port. By default, the HTTP interface port is 28017, but it is set indirectly through the net.port option, which configures the primary mongod port.
The HTTP status interface does not include support for any authentication mechanism other than MONGODB-CR. While MongoDB Enterprise does support Kerberos authentication, Kerberos is not supported in the HTTP status interface in any version of MongoDB.

Changed in version 3.0: Neither the HTTP status interface nor the REST API supports the SCRAM-SHA-1 challenge-response user authentication mechanism introduced in version 3.0.

Warning
If you enable the interface, you should only allow trusted clients to access this port. See Firewalls.
REST API

Warning
Ensure that the HTTP status interface, the REST API, and the JSON API are all disabled in production environments to prevent potential data exposure and vulnerability to attackers.

The REST API to MongoDB provides additional information and write access on top of the HTTP status interface. While the REST API does not provide any support for insert, update, or remove operations, it does provide administrative access, and its accessibility represents a vulnerability in a secure environment.

Deprecated since version 3.2: HTTP interface for MongoDB

The REST interface is disabled by default and is not recommended for production use.

The net.http.RESTInterfaceEnabled setting for mongod enables a fully interactive administrative REST interface, which is disabled by default. Enabling the REST API enables the HTTP interface, even if the HTTP interface option is disabled, and makes the HTTP interface fully interactive.

The REST API does not include support for any authentication mechanism other than MONGODB-CR.

Warning
If you enable the interface, you should only allow trusted clients to access this port. See Firewalls.

Changed in version 3.0: Neither the HTTP status interface nor the REST API supports the SCRAM-SHA-1 challenge-response user authentication mechanism introduced in version 3.0.
bind_ip

The net.bindIp setting (or the --bind_ip command line option) for mongod and mongos instances limits the network interfaces on which MongoDB programs will listen for incoming connections.

Warning
Make sure that your mongod and mongos instances are only accessible on trusted networks. If your system has more than one network interface, bind MongoDB programs to the private or internal network interface.
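The three settings discussed on this page (net.http.enabled, net.http.RESTInterfaceEnabled and net.bindIp) can be checked mechanically before a config file is deployed. The script below is an added example, not MongoDB's own tooling: it parses only the indented key: value subset of YAML that mongod.conf uses (no third-party library), flags the weak values, and derives the HTTP interface port from net.port using the "1000 greater than the primary port" rule stated above. The WEAK_CONF and HARDENED_CONF inputs are constructed samples, and the function names are this example's own.

```python
"""Audit a mongod.conf for the hardening points on this page.

Added example (not MongoDB's own code). Handles only the simple
indented "key: value" subset of YAML used by mongod.conf: nested
mappings, scalar values and '#' comments. Sequences, quoted strings
and values containing ':' (e.g. IPv6 literals) are not supported.
"""

DEFAULT_PORT = 27017      # default primary mongod port
HTTP_PORT_OFFSET = 1000   # HTTP interface listens 1000 above net.port


def parse_mongod_conf(text):
    """Flatten an indented key: value config into dotted-path settings."""
    settings = {}
    stack = []  # (indent, key) of the enclosing mapping keys
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        # Leave any mapping that is at the same or deeper indentation.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        value = value.strip()
        if value:
            settings[".".join(k for _, k in stack)] = value
    return settings


def is_true(value):
    """YAML-style truthiness for the boolean settings mongod accepts."""
    return str(value).strip().lower() in ("true", "yes", "on", "1")


def http_port_for(settings):
    """Port the HTTP status / REST interface would use for this config."""
    return int(settings.get("net.port", DEFAULT_PORT)) + HTTP_PORT_OFFSET


def audit(settings):
    """Return a list of (setting, finding) tuples; an empty list means hardened."""
    findings = []
    port = http_port_for(settings)
    rest = is_true(settings.get("net.http.RESTInterfaceEnabled", "false"))
    http = is_true(settings.get("net.http.enabled", "false"))

    if rest:
        # REST forces the HTTP interface on and makes it fully interactive,
        # so this single finding covers net.http.enabled as well.
        findings.append(("net.http.RESTInterfaceEnabled",
                         "REST API enabled: interactive HTTP interface on port %d "
                         "regardless of net.http.enabled; set to false" % port))
    elif http:
        findings.append(("net.http.enabled",
                         "HTTP status interface enabled on port %d (read-only, "
                         "MONGODB-CR only); set to false" % port))

    bind = settings.get("net.bindIp")
    if bind is None:
        findings.append(("net.bindIp",
                         "not set; bind explicitly to the private or internal interface"))
    elif any(addr.strip() in ("0.0.0.0", "::") for addr in bind.split(",")):
        findings.append(("net.bindIp",
                         "binds all interfaces (%s); restrict to trusted addresses" % bind))
    return findings


# Constructed sample configs (not taken from any real deployment).
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
  http:
    enabled: true
    RESTInterfaceEnabled: true   # also forces the HTTP interface on
"""

HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5    # loopback plus the private interface
  http:
    enabled: false
    RESTInterfaceEnabled: false
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit(parse_mongod_conf(conf))
        print("%s config: %d finding(s)" % (name, len(findings)))
        for setting, message in findings:
            print("  %s: %s" % (setting, message))
```

Running it reports two findings for the weak config (the REST setting, which subsumes net.http.enabled, and the wildcard bind address) and none for the hardened one. The derived port is the one to cover in firewall rules if the interface is ever enabled on a non-production host.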