MongoDB Configuration Hardening
HTTP Status Interface
Changed in version 3.6: MongoDB 3.6 removes the deprecated HTTP interface and REST API to MongoDB.
REST API
Changed in version 3.6: MongoDB 3.6 removes the deprecated HTTP interface and REST API to MongoDB.
IP Binding
Starting with MongoDB 3.6, MongoDB binaries, mongod and mongos, bind to localhost by default.
From MongoDB versions 2.6 to 3.4, only the binaries from the official MongoDB RPM (Red Hat, CentOS, Fedora Linux, and derivatives) and DEB (Debian, Ubuntu, and derivatives) packages would bind to localhost by default. To learn more about this change, see Localhost Binding Compatibility Changes.
Warning
Before binding to a non-localhost (e.g. publicly accessible) IP address, ensure you have secured your cluster from unauthorized access. For a complete list of security recommendations, see Security Checklist. At minimum, consider enabling authentication and hardening network infrastructure.
Warning
Make sure that your mongod and mongos instances are only accessible on trusted networks. If your system has more than one network interface, bind MongoDB programs to the private or internal network interface.
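The binding guidance above can be checked mechanically. The following is an added example, not part of the MongoDB documentation: it assumes the values of net.bindIp, net.bindIpAll and security.authorization have already been read from a mongod configuration file, and the function name audit_bind, the severity labels and the sample values are constructed for illustration.

```python
import ipaddress

def audit_bind(bind_ip="localhost", bind_ip_all=False, authorization="disabled"):
    """Audit net.bindIp, net.bindIpAll and security.authorization values.

    Returns a list of findings; an empty list means loopback/socket only.
    """
    findings = []
    # bindIpAll listens on all IPv4 interfaces, whatever bindIp says.
    if bind_ip_all:
        entries = ["0.0.0.0"]
    else:
        entries = [e.strip() for e in bind_ip.split(",") if e.strip()]
    exposed = False
    for entry in entries:
        if entry == "localhost" or entry.startswith("/"):
            continue  # loopback name or UNIX domain socket path
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            exposed = True
            findings.append(f"REVIEW {entry}: hostname, check which interface it resolves to")
            continue
        if addr.is_loopback:
            continue
        exposed = True
        if addr.is_unspecified:
            findings.append(f"HIGH {entry}: listens on every interface")
        elif addr.is_global:
            findings.append(f"HIGH {entry}: publicly routable address")
        else:
            findings.append(f"INFO {entry}: non-public address, confirm the network is trusted")
    if exposed and authorization != "enabled":
        findings.append("HIGH non-localhost binding while security.authorization is not enabled")
    return findings

if __name__ == "__main__":
    # Constructed sample settings, as they would be read from a mongod.conf.
    samples = [
        {"bind_ip": "127.0.0.1,/tmp/mongodb-27017.sock"},
        {"bind_ip": "localhost,10.0.0.5", "authorization": "enabled"},
        {"bind_ip": "0.0.0.0"},
        {"bind_ip_all": True, "authorization": "enabled"},
    ]
    for s in samples:
        print(s, "->", audit_bind(**s) or "ok")
```

An empty result means the instance listens only on loopback or a UNIX socket; any HIGH finding corresponds to one of the two warnings above.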
See also