Security is always a multi-layered approach, and these few recommendations are not an exhaustive list; they are the bare basics that should be applied to any MongoDB deployment:
- HTTP status interface should be disabled.
- REST API should be disabled.
- JSON API should be disabled.
- Connect to MongoDB using SSL.
- Audit system activity.
- Use a dedicated system user to run and access MongoDB, with appropriate system-level access.
- Disable server-side scripting if it is not needed. This affects MapReduce, the built-in db.group() command, and $where operations. If none of these are used in your codebase, disable server-side scripting at startup with the --noscripting parameter.
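The same settings expressed as a mongod.conf fragment, as an added example that is not part of the original text. It assumes a mongod release from before 3.6, where the HTTP status interface and its REST/JSONP options still exist; the certificate and audit log paths are placeholders, the audit section requires MongoDB Enterprise, and `security.authorization` goes one step beyond the list above (it is the usual companion to the other settings, not something the list states). The dedicated system user from the list is set outside this file, for example with `User=` in the service unit that starts mongod.

```yaml
# Added example, not the page's own configuration.
# Assumes a pre-3.6 mongod; paths below are placeholders.
net:
  port: 27017
  http:
    enabled: false              # HTTP status interface off
    RESTInterfaceEnabled: false # REST API off
    JSONPEnabled: false         # JSON(P) API off
  ssl:
    mode: requireSSL            # refuse plaintext client connections
    PEMKeyFile: /etc/ssl/mongodb.pem     # placeholder path
    CAFile: /etc/ssl/mongodb-ca.pem      # placeholder path

security:
  authorization: enabled        # require authenticated users (beyond the list above)
  javascriptEnabled: false      # config-file equivalent of --noscripting

auditLog:                       # MongoDB Enterprise only
  destination: file
  format: JSON
  path: /var/log/mongodb/audit.json     # placeholder path
```

After restarting mongod with this file, a plaintext `mongo` connection should be refused and `db.eval`-style server-side JavaScript should fail, which is a quick way to confirm the SSL and scripting settings took effect.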