Overview

Summing up, the best-practice recommendations around security are:

  • Enforce authentication: Always enable authentication in production environments.
  • Enable access control: create a system administrator first, then use that administrator to create more limited users. Give each user only the permissions its role requires.
  • Define fine-grained roles: scope custom roles to the databases and collections a user actually needs, rather than granting broad built-in roles that carry more permissions than the task requires.
  • Encrypt communication between clients and servers: always use TLS/SSL between clients and servers in production environments, and equally between the members of a deployment (mongod, mongos, and config servers), since intra-cluster traffic carries the same data.
  • Encrypt data at rest: MongoDB Enterprise Edition can encrypt data as it is stored, using WiredTiger's encryption at rest. Alternatively, we can encrypt at the filesystem, device, or physical level; cloud providers usually offer this as well, for example EBS volume encryption on Amazon EC2. Encryption at rest protects against stolen disks and backups, not against a user who already has access to the running database.
  • Limit network exposure: MongoDB servers should be reachable only from the application servers and any other hosts needed for operations. Bind mongod to specific interfaces, and keep every port other than the ones set up for MongoDB communication closed to the outside world.

If we need to debug MongoDB usage from outside that perimeter, do it through a proxy server with controlled access rather than by exposing the database port itself.

  • Audit servers for unusual activity: MongoDB Enterprise Edition includes an auditing facility that can write events to the console, a JSON file, a BSON file, or syslog. Whichever destination is used, store the audit events on a partition that the system's ordinary users cannot read or modify, so that an intruder cannot cover their tracks.
  • Use a dedicated operating system user to run MongoDB: that account should be able to access MongoDB's data and log files and have no permissions beyond what running the server requires.
  • Disable server-side JavaScript if not needed.

MongoDB runs JavaScript on the server for mapReduce(), group(), and the $where query operator (group() was removed in MongoDB 4.2). If we don't use these, disable server-side scripting with the --noscripting command-line option or, equivalently, security.javascriptEnabled: false in the configuration file.
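The following POSIX shell script is an added example, not code from the book or from MongoDB's own tooling. It puts the checklist above into practice three ways: a constructed weak mongod.conf sits beside one applying the recommendations; audit_mongod_conf checks a configuration file against the checklist (authentication, TLS, bind address, server-side JavaScript, auditing) with line-based matching; and bootstrap_users wraps the mongosh commands that create the first administrator over the localhost exception and then a least-privileged application user with a custom role. All paths, addresses, the shop database, orders collection, user and role names, and the MONGO_ADMIN_PWD / MONGO_APP_PWD environment variables are assumptions for illustration; bootstrap_users needs mongosh and a reachable server and is not run by the demo at the bottom.

```shell
#!/bin/sh
# Added example, not from the book. Constructed mongod.conf samples; every path
# and address is a placeholder.
WEAK_CONF='
net:
  port: 27017
  bindIp: 0.0.0.0               # listens on every interface
security:
  authorization: disabled
'

HARDENED_CONF='
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.1.12   # loopback plus the app-tier interface only
  tls:
    mode: requireTLS            # clients must use TLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/ca.pem
security:
  authorization: enabled
  clusterAuthMode: x509         # mongod/mongos/config servers authenticate with certificates
  javascriptEnabled: false      # same effect as --noscripting
  enableEncryption: true        # Enterprise only: WiredTiger encryption at rest
  encryptionKeyFile: /etc/mongodb/keyfile
auditLog:                       # Enterprise only
  destination: file
  format: JSON
  path: /var/log/mongodb/audit.json
'

# Strip comments, then test one extended regex against the remaining lines.
conf_has() {  # usage: conf_has FILE REGEX
    sed -e 's/#.*$//' "$1" | grep -Eq "$2"
}

# Audit a mongod.conf against the checklist. Line-based on the conventional
# layout above (not a YAML parser). Prints one line per finding and sets
# $findings; returns 0 when clean, 1 otherwise.
audit_mongod_conf() {  # usage: audit_mongod_conf FILE
    f=$1
    findings=0
    fail() { echo "FAIL [$f]: $1"; findings=$((findings + 1)); }

    conf_has "$f" '^[[:space:]]*authorization:[[:space:]]*enabled' \
        || fail "security.authorization is not 'enabled'"
    conf_has "$f" '^[[:space:]]*mode:[[:space:]]*requireTLS' \
        || fail "net.tls.mode is not 'requireTLS'"
    if conf_has "$f" '^[[:space:]]*bindIp:[[:space:]]*0\.0\.0\.0' \
       || conf_has "$f" '^[[:space:]]*bindIpAll:[[:space:]]*true'; then
        fail "mongod binds to every interface (net.bindIp 0.0.0.0 / bindIpAll)"
    fi
    conf_has "$f" '^[[:space:]]*javascriptEnabled:[[:space:]]*false' \
        || fail "server-side JavaScript still enabled (security.javascriptEnabled / --noscripting)"
    conf_has "$f" '^[[:space:]]*destination:[[:space:]]*(file|syslog|console)' \
        || fail "no auditLog.destination (Enterprise auditing) configured"

    [ "$findings" -eq 0 ]
}

# Bootstrap access control on a fresh server with authorization enabled: the
# first user is created over the localhost exception, the session authenticates
# as that user (the exception closes once a user exists), then a role scoped to
# one collection is created and the application user receives only that role.
# Assumes mongosh (Node-based, so process.env is available) and the passwords in
# MONGO_ADMIN_PWD / MONGO_APP_PWD. Not run by the demo below.
bootstrap_users() {  # usage: bootstrap_users [extra mongosh args, e.g. --host]
    mongosh --quiet --tls --tlsCAFile /etc/ssl/ca.pem "$@" <<'EOF'
const admin = db.getSiblingDB("admin");
admin.createUser({ user: "siteAdmin", pwd: process.env.MONGO_ADMIN_PWD,
                   roles: ["userAdminAnyDatabase"] });
admin.auth("siteAdmin", process.env.MONGO_ADMIN_PWD);
const shop = db.getSiblingDB("shop");
shop.createRole({ role: "orderWriter",
                  privileges: [{ resource: { db: "shop", collection: "orders" },
                                 actions: ["find", "insert", "update"] }],
                  roles: [] });
shop.createUser({ user: "orderSvc", pwd: process.env.MONGO_APP_PWD,
                  roles: [{ role: "orderWriter", db: "shop" }] });
EOF
}

# Demo: write both constructed configs out and audit them.
demo_dir=$(mktemp -d)
printf '%s\n' "$WEAK_CONF" > "$demo_dir/weak.conf"
printf '%s\n' "$HARDENED_CONF" > "$demo_dir/hardened.conf"
audit_mongod_conf "$demo_dir/hardened.conf" && echo "hardened.conf: clean"
audit_mongod_conf "$demo_dir/weak.conf" || echo "weak.conf: $findings finding(s)"
```

The audit is deliberately a set of greps over the conventional key-per-line layout; configuration written in YAML flow style or with anchors needs a real YAML parser. On Community Edition the auditLog check will always fire, since auditing and encryption at rest are Enterprise features; the rest of the checklist applies to both editions.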
