Security and MongoDB API Interfaces
The following section contains strategies to limit risks related to MongoDB’s available interfaces, including the JavaScript, HTTP, and REST interfaces.
JavaScript and the Security of the mongo Shell
The following JavaScript evaluation behaviors of the mongo shell represent risk exposures.
JavaScript Expression or JavaScript File
The mongo program can evaluate JavaScript expressions using the command line --eval option. Also, the mongo program can evaluate a JavaScript file (.js) passed directly to it (e.g. mongo someFile.js). Because the mongo program evaluates the JavaScript directly, inputs should only come from trusted sources.
.mongorc.js File
If a .mongorc.js file exists [1], the mongo shell will evaluate the .mongorc.js file before starting. You can disable this behavior by passing the mongo --norc option.
[1] On Linux and Unix systems, mongo reads the .mongorc.js file from $HOME/.mongorc.js (i.e. ~/.mongorc.js). On Windows, mongo.exe reads the .mongorc.js file from %HOME%\.mongorc.js or %HOMEDRIVE%%HOMEPATH%\.mongorc.js.
HTTP Status Interface
The HTTP status interface provides a web-based interface that includes a variety of operational data, logs, and status reports regarding the mongod or mongos instance. The HTTP interface is always available on the port numbered 1000 greater than the primary mongod port. By default, the HTTP interface port is 28017, but it is set indirectly through the port option, which configures the primary mongod port.
Without the net.http.RESTInterfaceEnabled setting, this interface is entirely read-only and limited in scope; nevertheless, this interface may represent an exposure. To disable the HTTP interface, set the net.http.enabled run time option to false or use the --nohttpinterface command line option. See also Configuration Options.
REST API
The REST API to MongoDB provides additional information and write access on top of the HTTP Status interface. While the REST API does not provide any support for insert, update, or remove operations, it does provide administrative access, and its accessibility represents a vulnerability in a secure environment. The REST interface is disabled by default, and is not recommended for production use.
If you must use the REST API, please control and limit access to the REST API. The REST API does not include any support for authentication, even when running with authorization enabled.
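As an added example (not part of the MongoDB documentation or the project's own tooling), the following POSIX shell script audits a mongod YAML configuration file for the two settings discussed in the HTTP Status Interface and REST API sections, net.http.enabled and net.http.RESTInterfaceEnabled, and reports which port the HTTP status interface would listen on (the primary port plus 1000). The two sample config files are constructed for the example, and the parser assumes the conventional two-space YAML indentation under net: and http:.

```shell
#!/bin/sh
# Added example: audit a mongod.conf for the HTTP status and REST interfaces.
# Assumes a YAML config with two-space indentation under "net:" / "http:".

# Print the HTTP status interface port for a given primary mongod port.
http_port_for() {
    echo $(( $1 + 1000 ))
}

# Walk a mongod.conf and report the three settings that matter here.
# Prints "port=<n> http=<0|1> rest=<0|1>". A missing key counts as the
# default the page describes: HTTP interface on, REST off, port 27017.
read_http_settings() {
    awk '
        BEGIN { port = 27017; http = 1; rest = 0 }
        /^[^ #]/   { top = $1; sub2 = "" }      # top-level key, e.g. "net:"
        /^  [^ #]/ { sub2 = $1 }                # second-level key, e.g. "http:"
        top == "net:" && /^  port: *[0-9]+/ { port = $2 }
        top == "net:" && sub2 == "http:" && /^    enabled: *false/ { http = 0 }
        top == "net:" && sub2 == "http:" && /^    RESTInterfaceEnabled: *true/ { rest = 1 }
        END { printf "port=%d http=%d rest=%d\n", port, http, rest }
    ' "$1"
}

# Return 0 when both interfaces are off, 1 otherwise; print the findings.
audit_mongod_conf() {
    settings=$(read_http_settings "$1")
    port=${settings%% *}
    port=${port#port=}
    echo "$1: $settings"
    case "$settings" in
        *"http=0 rest=0"*)
            return 0 ;;
        *"rest=1"*)
            echo "  REST API enabled: unauthenticated admin access on port $(http_port_for "$port")"
            return 1 ;;
        *)
            echo "  HTTP status interface exposed on port $(http_port_for "$port"); set net.http.enabled: false"
            return 1 ;;
    esac
}

# Constructed sample configs (not real deployments).
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
# constructed sample: HTTP interface left at its default and REST switched on
net:
  port: 27017
  http:
    RESTInterfaceEnabled: true
EOF

HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
# constructed sample: both interfaces off (equivalent to --nohttpinterface)
net:
  port: 27017
  http:
    enabled: false
    RESTInterfaceEnabled: false
EOF

for f in "$WEAK_CONF" "$HARDENED_CONF"; do
    if audit_mongod_conf "$f"; then
        echo "  OK: HTTP status and REST interfaces disabled"
    fi
done
```

Run it against a real config with audit_mongod_conf /etc/mongod.conf; a non-zero exit status flags an instance whose status or REST port should be closed or firewalled.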
See the following documents for instructions on restricting access to the REST API interface: