Security is always a multi-layered approach and these few recommendations do not form an exhaustive list, rather just the bare basics that need to be done in any MongoDB database:

• HTTP status interface should be disabled.
• REST API should be disabled.
• JSON API should be disabled.
• Connect to MongoDB using SSL.
• Audit system activity.
• Use a dedicated system user to access MongoDB with appropriate system level access
• Disable server-side scripting if not needed. This will affect MapReduce, built-in db.group() commands, and $where operations. If these are not used in your codebase, it is better to disable server-side scripting at startup using the --noscripting parameter.