Fix This Page
Navigation

MongoDB Configuration Hardening

HTTP Status Interface

Warning

Ensure that the HTTP status interface, the REST API, and the JSON API are all disabled in production environments to prevent potential data exposure and vulnerability to attackers.

Deprecated since version 3.2: HTTP interface for MongoDB

Changed in version 2.6: The mongod and mongos instances run with the HTTP interface disabled by default. See net.http.enabled setting.

The HTTP status interface provides a web-based interface that includes a variety of operational data, logs, and status reports regarding the mongod or mongos instance. The HTTP status interface is disabled by default and is not recommended for production use.

The net.http.enabled setting enables HTTP status interface. When enabled without the net.http.RESTInterfaceEnabled setting, the HTTP interface is entirely read-only and limited in scope.

The HTTP interface uses the port that is 1000 greater than the primary mongod port. By default, the HTTP interface port is 28017, but is indirectly set using the net.port option which allows you to configure the primary mongod port.

The HTTP status interface does not include support for authentication other than MONGODB-CR.

While MongoDB Enterprise does support Kerberos authentication, Kerberos is not supported in HTTP status interface in any version of MongoDB.

Changed in version 3.0: Neither the HTTP status interface nor the REST API support the SCRAM-SHA-1 challenge-response user authentication mechanism introduced in version 3.0.

Warning

If you enable the interface, you should only allow trusted clients to access this port. See Firewalls.

REST API

Warning

Ensure that the HTTP status interface, the REST API, and the JSON API are all disabled in production environments to prevent potential data exposure and vulnerability to attackers.

The REST API to MongoDB provides additional information and write access on top of the HTTP status interface. While the REST API does not provide any support for insert, update, or remove operations, it does provide administrative access, and its accessibility represents a vulnerability in a secure environment.

Deprecated since version 3.2: HTTP interface for MongoDB

The REST interface is disabled by default and is not recommended for production use.

The net.http.RESTInterfaceEnabled setting for mongod enables a fully interactive administrative REST interface, which is disabled by default. Enabling the REST API enables the HTTP interface, even if the HTTP interface option is disabled, and makes the HTTP interface fully interactive.

The REST API does not include support for authentication other than MONGODB-CR.

Warning

If you enable the interface, you should only allow trusted clients to access this port. See Firewalls.

Changed in version 3.0: Neither the HTTP status interface nor the REST API support the SCRAM-SHA-1 challenge-response user authentication mechanism introduced in version 3.0.

bind_ip

The net.bindIp setting (or the --bind_ip command line option) for mongod and mongos instances limits the network interfaces on which MongoDB programs will listen for incoming connections.

Warning

Make sure that your mongod and mongos instances are only accessible on trusted networks. If your system has more than one network interface, bind MongoDB programs to the private or internal network interface.