No matter how much effort you put into hardening the security of your MongoDB installation, new vulnerabilities will inevitably emerge over time. Run Mongo with security Settings from the outset, and it is equally important to perform frequent checks and diagnostics to determine the security state of the system.

For example, you should regularly check for new updates to MongoDB to make sure the version you’re using doesn’t have any unpatched bugs. The version number of Mongo takes the form X.Y.Z, where X refers to a version number, Y refers to a release or development series number, and Z refers to a revision or patch number. MongoDB releases a new version roughly every year, and as of this writing, the latest version is 4.4, but they also release new revisions and patches as needed.

While MongoDB generally recommends that you use the latest version of the service to optimize security, be aware that newer versions in the family (meaning from version 4.4 to version 4.6) can break backward compatibility. That said, MongoDB recommends that you always upgrade to the latest stable release of the distribution series (meaning, if you have 4.4.4 installed, you should upgrade to 4.4.5 when it becomes available), since these are usually backward compatible patches designed to fix bugs.

People should also consider how they plan to interact with their MongoDB database and whether this will change over time. MongoDB provides several commands and methods that allow you to execute server-side JavaScript functions by default. As an example, you can use the $WHERE operator to evaluate a JavaScript expression in order to query documents. This gives you more flexibility because it allows you to express queries that do not have equivalent standard operators. However, by allowing server-side Javascript execution, you also expose your database to potentially malicious expressions. Therefore, MongoDB recommends that if you do not intend to use server-side scripting, you should disable it.

Similarly, MongoDB validates all user input by default to ensure that customers cannot insert malformed Bsons into the database. This type of input validation is not necessary for every use, but MongoDB recommends maintaining input validation to prevent your database from storing any invalid BSON documents.

The related resources

  • Recommended security measures to protect your server