Overview

To sum up, the best-practice security recommendations are the following:

  • Enforce authentication: Always enable authentication in production environments; an unauthenticated mongod accepts any connection that reaches its port.
  • Enable access control: First, create a user administrator, and then use that administrator to create more limited users. Give each user role only the permissions it needs.
  • Define fine-grained roles in access control: Assign the specific built-in or custom roles a user's job requires, and do not grant broader roles (such as root or dbOwner) for convenience.
  • Encrypt communication between clients and servers: Always use TLS/SSL for communication between clients and servers in production environments. Always use TLS/SSL for communication between mongod, mongos, and config servers as well, so that replication and sharding traffic is not sent in cleartext.
  • Encrypt data at rest: MongoDB Enterprise Edition can encrypt data when stored, using WiredTiger encryption at rest. Alternatively, we can encrypt data using filesystem, device, or physical encryption. In the cloud, we often get the option for encryption as well (for example, with EBS volumes on Amazon EC2).
  • Limit network exposure: MongoDB servers should only be reachable from the application servers and any other servers that are needed for operations. Ports other than the ones that we set up for MongoDB communications should not be open to the outside world, and the MongoDB ports themselves should not be open to the internet. If we need to connect to the database for debugging, do it through a proxy or bastion host with controlled access rather than by exposing the database port.
  • Audit servers for unusual activity: MongoDB Enterprise Edition offers an auditing facility. By using it, we can write audit events to the console, a JSON file, a BSON file, or the syslog. In any case, it's important to make sure that audit events are stored on a partition that ordinary system users cannot read or modify.
  • Use a dedicated operating system user to run MongoDB: Make sure that this user owns the data and log directories and can read the key and certificate files, but has no other permissions on the host.
  • Disable server-side JavaScript if it is not needed.

MongoDB uses server-side JavaScript for the mapReduce and group commands and for the $where query operator (the group command was removed in MongoDB 4.2). If we don't need these, we should disable server-side scripting by using the --noscripting option on the command line, or by setting security.javascriptEnabled: false in the configuration file.
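The checklist above maps almost one-to-one onto mongod.conf settings, so it can be audited mechanically. The following is an added example, not code from the book or from MongoDB: it parses a mongod.conf and reports each checklist item the file fails. The two embedded configurations are constructed samples; the option names are real mongod settings (net.tls.* needs MongoDB 4.2 or later, older releases use net.ssl.*; security.enableEncryption and auditLog.* are Enterprise-only), while the file paths and the 10.0.0.5 address are placeholders. The parser is a minimal indentation-based one for the scalar-only nested mappings mongod.conf uses, so the script runs without PyYAML; it does not handle lists or quoted values.

```python
"""Audit a mongod.conf against the hardening checklist.

Added example (not from the book or MongoDB). Minimal YAML handling:
nested mappings with scalar values only, '#' comments stripped.
"""
from typing import Dict, List, Tuple

# Constructed sample: a permissive configuration (auth off, all interfaces, no TLS).
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: the same server hardened. Paths and 10.0.0.5 are placeholders.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5          # app-server subnet only, never the internet
  tls:                                # net.ssl.* on releases before 4.2
    mode: requireTLS
    certificateKeyFile: /etc/mongodb/tls/server.pem
    CAFile: /etc/mongodb/tls/ca.pem
security:
  authorization: enabled              # authentication + role-based access control
  javascriptEnabled: false            # same effect as --noscripting
  enableEncryption: true              # Enterprise: WiredTiger encryption at rest
  encryptionKeyFile: /etc/mongodb/encryption.key
auditLog:                             # Enterprise: destination file|syslog|console
  destination: file
  format: JSON
  path: /var/log/mongodb/audit.json
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Flatten nested mappings to dotted keys, e.g. {'net.tls.mode': 'requireTLS'}."""
    flat: Dict[str, str] = {}
    stack: List[Tuple[int, str]] = []        # (indent, key) of each open mapping
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        while stack and stack[-1][0] >= indent:   # close mappings we dedented out of
            stack.pop()
        key, _, value = line.strip().partition(":")   # split on the first colon
        value = value.strip()
        if value:
            flat[".".join([k for _, k in stack] + [key])] = value
        else:
            stack.append((indent, key))
    return flat


def audit(conf: Dict[str, str]) -> List[str]:
    """Return one finding per checklist item the configuration fails."""
    findings: List[str] = []
    if conf.get("security.authorization") != "enabled":
        findings.append("authentication/access control off: set security.authorization: enabled")
    bind = conf.get("net.bindIp")
    wildcard = bind is not None and any(a.strip() in ("0.0.0.0", "::") for a in bind.split(","))
    if wildcard or conf.get("net.bindIpAll") == "true":
        findings.append("mongod listens on all interfaces: set net.bindIp to the app-server addresses")
    elif bind is None:   # 3.6+ defaults to localhost, older releases to all interfaces
        findings.append("net.bindIp not set: bind explicitly to the addresses that need access")
    tls_mode = conf.get("net.tls.mode") or conf.get("net.ssl.mode")
    if tls_mode not in ("requireTLS", "requireSSL"):
        findings.append("cleartext connections accepted: set net.tls.mode: requireTLS")
    if conf.get("security.javascriptEnabled", "true") != "false":
        findings.append("server-side JavaScript enabled: set security.javascriptEnabled: false "
                        "unless mapReduce/$where are needed")
    if "auditLog.destination" not in conf:
        findings.append("no audit log (Enterprise): set auditLog.destination/format/path")
    if conf.get("security.enableEncryption") != "true":
        findings.append("no WiredTiger encryption at rest (Enterprise): enable it, "
                        "or encrypt the volume underneath dbPath")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {len(audit(parse_conf(text)))} finding(s)")
        for f in audit(parse_conf(text)):
            print("  -", f)
```

Run it against a real file with `audit(parse_conf(open("/etc/mongod.conf").read()))`. The script checks only what the configuration file can express: user creation and least-privilege roles, the filesystem permissions on the audit and key files, and the dedicated OS user still have to be verified on the server itself.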
