Best practices for security

Security always requires a multi-layered approach. The following recommendations are not an exhaustive list; they are the bare basics that should be applied to any MongoDB database:

  • The HTTP status interface should be disabled.
  • The RESTful API should be disabled.
  • The JSON API should be disabled.
  • Connect to MongoDB using SSL.
  • Audit the system activity.
  • Use a dedicated system user to access MongoDB with appropriate system-level access.
  • Disable server-side scripting if it is not needed. This will affect MapReduce, built-in db.group() commands, and $where operations. If these are not used in your codebase, it is better to disable server-side scripting at startup by using the --noscripting parameter.
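
One way to check a deployment against this list is to audit the `mongod` startup command line. The script below is an added example, not code from the book. It assumes the `mongod` flag names used by MongoDB 2.6 to 3.4 (`--httpinterface`, `--rest`, `--jsonp`, `--sslMode`, `--auditDestination`, `--noscripting`); the function names and the sample command lines are constructed for illustration.

```python
import shlex

# Flags whose presence turns an HTTP-based interface on (MongoDB 2.6-3.4 names, assumed).
ENABLING_FLAGS = {
    "--httpinterface": "HTTP status interface is enabled",
    "--rest": "REST API is enabled",
    "--jsonp": "JSONP access to the HTTP interface is enabled",
}

def parse_flags(cmdline):
    """Return {flag: value-or-True} for a mongod command line string."""
    flags, tokens = {}, shlex.split(cmdline)
    for i, tok in enumerate(tokens):
        if not tok.startswith("--"):
            continue
        name, sep, value = tok.partition("=")
        if not sep:
            # "--flag value" form: take the next token unless it is another flag
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            value = nxt if nxt and not nxt.startswith("--") else True
        flags[name] = value
    return flags

def audit_mongod(cmdline, run_as_user):
    """Return a sorted list of findings; an empty list means every check passed."""
    flags = parse_flags(cmdline)
    findings = [msg for flag, msg in ENABLING_FLAGS.items() if flag in flags]
    if flags.get("--sslMode") != "requireSSL":
        findings.append("SSL is not required for connections (--sslMode requireSSL)")
    if "--auditDestination" not in flags:
        findings.append("auditing is not configured (--auditDestination)")
    if "--noscripting" not in flags:
        findings.append("server-side scripting is enabled (pass --noscripting if unused)")
    if run_as_user == "root":
        findings.append("mongod runs as root, not a dedicated system user")
    return sorted(findings)

# Constructed sample command lines, not taken from a real deployment.
WEAK = "mongod --dbpath /data/db --httpinterface --rest --sslMode allowSSL"
HARDENED = ("mongod --dbpath /data/db --sslMode=requireSSL "
            "--sslPEMKeyFile /etc/ssl/mongodb.pem --auditDestination syslog --noscripting")

if __name__ == "__main__":
    for label, cmd, user in (("weak", WEAK, "root"), ("hardened", HARDENED, "mongodb")):
        print(label, audit_mongod(cmd, user) or "no findings")
```

The audit only covers settings passed on the command line; options set in a configuration file would need the same checks applied to that file.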