Security and MongoDB API Interfaces

The following section contains strategies to limit risks related to MongoDB’s available interfaces including JavaScript, HTTP, and REST interfaces.

JavaScript and the Security of the mongo Shell

The following JavaScript evaluation behaviors of the mongo shell represents risk exposures.

JavaScript Expression or JavaScript File

The mongo program can evaluate JavaScript expressions using the command line --eval option. Also, the mongo program can evaluate a JavaScript file (.js) passed directly to it (e.g. mongo someFile.js).

Because the mongo program evaluates the JavaScript directly, inputs should only come from trusted sources.

.mongorc.js File

If a .mongorc.js file exists [1], the mongo shell will evaluate a .mongorc.js file before starting. You can disable this behavior by passing the mongo --norc option.

[1]On Linux and Unix systems, mongo reads the .mongorc.js file from $HOME/.mongorc.js (i.e. ~/.mongorc.js). On Windows, mongo.exe reads the .mongorc.js file from %HOME%.mongorc.js or %HOMEDRIVE%%HOMEPATH%.mongorc.js.

HTTP Status Interface

The HTTP status interface provides a web-based interface that includes a variety of operational data, logs, and status reports regarding the mongod or mongos instance. The HTTP interface is always available on the port numbered 1000 greater than the primary mongod port. By default, the HTTP interface port is 28017, but is indirectly set using the port option which allows you to configure the primary mongod port.

Without the net.http.RESTInterfaceEnabled setting, this interface is entirely read-only, and limited in scope; nevertheless, this interface may represent an exposure. To disable the HTTP interface, set the enabled run time option or the --nohttpinterface command line option. See also Configuration Options.


The REST API to MongoDB provides additional information and write access on top of the HTTP Status interface. While the REST API does not provide any support for insert, update, or remove operations, it does provide administrative access, and its accessibility represents a vulnerability in a secure environment. The REST interface is disabled by default, and is not recommended for production use.

If you must use the REST API, please control and limit access to the REST API. The REST API does not include any support for authentication, even when running with authorization enabled.

See the following documents for instructions on restricting access to the REST API interface: