MongoDB Configuration Hardening
HTTP Status Interface
Changed in version 3.6: MongoDB 3.6 removes the deprecated HTTP interface and REST API to MongoDB.
REST API
Changed in version 3.6: MongoDB 3.6 removes the deprecated HTTP interface and REST API to MongoDB.
IP Binding
Starting with MongoDB 3.6, MongoDB binaries, mongod and
mongos, bind to localhost by default.
From MongoDB versions 2.6 to 3.4, only the binaries from the
official MongoDB RPM (Red Hat, CentOS, Fedora Linux, and derivatives)
and DEB (Debian, Ubuntu, and derivatives) packages would bind to
localhost by default. To learn more about this change, see
Localhost Binding Compatibility Changes.
Warning
Before binding to a non-localhost (e.g. publicly accessible) IP address, ensure you have secured your cluster from unauthorized access. For a complete list of security recommendations, see Security Checklist. At minimum, consider enabling authentication and hardening network infrastructure.
Warning
Make sure that your mongod and mongos
instances are only accessible on trusted networks. If your system
has more than one network interface, bind MongoDB programs to the
private or internal network interface.
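The two warnings above can be checked mechanically against a configuration file. The following is an added example, not code from the MongoDB documentation: a small audit that flags wildcard binding and non-localhost binding without authentication. It assumes the `net.bindIp`, `net.bindIpAll` and `security.authorization` settings of `mongod.conf`, which this page does not name, and uses constructed sample files and addresses.

```python
import ipaddress

# Constructed sample configurations (not taken from the MongoDB documentation).
EXPOSED_CONF = """\
net:
  bindIp: 0.0.0.0
"""
HARDENED_CONF = """\
net:
  bindIp: 127.0.0.1,10.0.12.5  # loopback plus one internal interface
security:
  authorization: enabled
"""

def parse_conf(text):
    """Flatten two-level mongod.conf YAML; minimal parser for this example only."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        if not line[0].isspace():
            section = key                      # top-level key such as "net"
        elif value:
            settings[f"{section}.{key}"] = value
    return settings

def is_local(addr):
    """True for loopback IPs, localhost and UNIX socket paths."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # not an IP literal; other hostnames count as remote
        return addr == "localhost" or addr.startswith("/")

def audit_binding(text):
    """Return findings for the two warnings in the IP Binding section."""
    conf = parse_conf(text)
    addrs = [a.strip() for a in conf.get("net.bindIp", "localhost").split(",")]
    wildcard = (conf.get("net.bindIpAll", "false").lower() == "true"
                or any(a in ("0.0.0.0", "::", "*") for a in addrs))
    findings = []
    if wildcard:
        findings.append("binds every interface; restrict to the internal one")
    if (wildcard or not all(is_local(a) for a in addrs)) \
            and conf.get("security.authorization") != "enabled":
        findings.append("non-localhost binding without authentication")
    return findings
```

`audit_binding(EXPOSED_CONF)` returns both findings, while `audit_binding(HARDENED_CONF)` returns an empty list. An absent `bindIp` is treated as the localhost default described above for MongoDB 3.6 and later.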