New MongoDB 3.6 Security Features

Davi Ottenheimer

MongoDB has always made it quick and easy to iterate -- from prototype to production to maturity, keeping pace in modern agile release cycles. Our 3.6 release is a milestone in security, adding two new features to improve the ease and cost of security management, even for the most fast-paced development environments.

Localhost Default

Flexibility has led to widespread adoption of MongoDB by users who appreciate the ease of installation and use. These same users also expect a level of balance between performance and safety that only can be achieved with secure-by-default configurations.

This is why we are happy to now provide our users with a localhost binding set by default. Upon installation MongoDB (3.6 and later) can only be accessed from the local machine on which it has been installed (using Mongo shell, a MongoDB driver, or tools and utilities such as Ops Manager or Compass). When MongoDB is started it has to have networking explicitly enabled and configured.

What happens when you connect your instance to the internet? “If you explicitly turn on [networking], but don’t turn on authentication, we can’t help you at that point. But you have to consciously do that, and we’d hope that people think about it a little” CTO Eliot Horowitz explained to The Next Web.

We see this change as fundamentally raising the bar on safety, eliminating whole classes of threats, while still preserving our popular deployment speed and ease.

IP Whitelisting for Authentication

After enabling whitelisting, a client authenticating against a user account in MongoDB must meet all listed restrictions in any document attached to that user. Clients authenticating against a user account which is a member of a restricted role must meet all listed restrictions in any document attached to that role.

For example here is how a document attached to a database user or role can be set to only allow clients to connect. Beyond that it can be set to only connect to the services listening in Using the following syntax an IP must be matched during authentication to login.

authenticationRestrictions: [{
  clientSource: [“”, “”]
  serverAddress: [“”, “”]

We’re always striving to make safe development easier. That’s why we have taken an approach to facilitate safe choices within a flexible product, in order to serve the many development community decisions for deploying MongoDB.

The security changes in 3.6 remove bottlenecks and obviate workarounds, expanding MongoDB use to an even wider variety of applications, and providing security teams the configurations they demand for mission critical situations. MongoDB 3.6 applies the "safe by default" principle so you can confidently move at the speed of your data. To learn more about everything new in MongoDB 3.6, download the What's New guide.

About the Author - Davi Ottenheimer
Davi leads Product Security at MongoDB.