How to Disable MongoDB HTTP Status Interface and REST API
Learn how to disable the HTTP Status Interface and REST API to prevent potential data exposure and vulnerability to attackers
Disclaimer: this how-to guide only applies to self-managed MongoDB servers. All “MongoDB as a Service” providers already disable the HTTP Status Interface and REST API preemptively.
Versions of MongoDB prior to 3.2 provided a simple HTTP status interface and a REST API that listed information of interest for debugging purposes. These interfaces must never be enabled in production environments, as the official docs state:
The HTTP Status Interface must be disabled in production environments to prevent potential data exposure and vulnerability to attackers.
Disabling MongoDB HTTP Status Interface and REST API
Open /etc/mongod.conf with your favorite code editor and search for the following lines:

net:
  http:
    enabled: true
    RESTInterfaceEnabled: true
If you can’t find mongod.conf, or it is named mongodb.conf instead, it means that you are using a really old and broken version of MongoDB. Please read this guide on how to upgrade to a more recent version.
Now make sure that both enabled and RESTInterfaceEnabled are set to false, save the file and restart mongod:
$ sudo service mongod restart
[ ok ] Restarting database: mongod.
Done!
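The steps above are easy to get wrong by hand on a long config file, and the same two keys have to be audited across every self-managed host. The script below is an added example, not part of this guide or of MongoDB itself: it walks a YAML-format mongod.conf (the format shown above), reports the values of net.http.enabled and net.http.RESTInterfaceEnabled as found under the net: / http: nesting only, and emits a copy with both forced to false. The function names (mongo_http_settings, mongo_http_disabled, mongo_http_fix, write_sample_conf) and the sample configuration it builds are constructed for this example.

```shell
#!/bin/sh
# Audit and fix the legacy HTTP status interface settings in a YAML mongod.conf.
# Example code written for this article; names and sample config are constructed.

# Core scanner. Tracks the "net:" -> "http:" nesting by indentation so that an
# "enabled:" key elsewhere in the file is ignored.
#   mode=report  prints "key value" (or "key unset") for the two keys
#   mode=fix     echoes the file with both keys forced to false inside http:
_mongo_http_scan() {
  awk -v mode="$2" '
    function indent(s) { match(s, /^ */); return RLENGTH }
    /^[ \t]*#/ || /^[ \t]*$/ { if (mode == "fix") print; next }   # comments, blanks
    {
      ind = indent($0)
      if (in_http && ind <= http_ind) in_http = 0               # left the http: block
      if (in_net && ind <= net_ind) in_net = 0                  # left the net: block
      key = $1; sub(/:$/, "", key)
      if (!in_net && ind == 0 && key == "net") { in_net = 1; net_ind = ind }
      else if (in_net && !in_http && key == "http") { in_http = 1; http_ind = ind }
      else if (in_http && (key == "enabled" || key == "RESTInterfaceEnabled")) {
        val[key] = $2
        # Rewrite the value in place, keeping the original indentation.
        if (mode == "fix" && $2 != "false") $0 = substr($0, 1, ind) key ": false"
      }
      if (mode == "fix") print
    }
    END {
      if (mode == "report") {
        print "enabled", ("enabled" in val ? val["enabled"] : "unset")
        print "RESTInterfaceEnabled", ("RESTInterfaceEnabled" in val ? val["RESTInterfaceEnabled"] : "unset")
      }
    }
  ' "$1"
}

# Print the two settings found in the file given as $1 ("-" reads stdin).
mongo_http_settings() { _mongo_http_scan "$1" report; }

# Succeed (exit 0) only when BOTH keys are present and explicitly false.
# A missing key is treated as "not disabled": on the affected versions the
# interface could still be switched on by command-line flags.
mongo_http_disabled() {
  mongo_http_settings "$1" | awk '$2 != "false" { bad = 1 } END { exit bad }'
}

# Write a hardened copy of the config to stdout.
mongo_http_fix() { _mongo_http_scan "$1" fix; }

# Constructed sample of a pre-3.2 style mongod.conf for demonstration only.
write_sample_conf() {
  cat > "$1" <<'EOF'
# constructed sample mongod.conf (not taken from a real server)
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  http:
    enabled: true
    RESTInterfaceEnabled: true
systemLog:
  destination: file
EOF
}

# Demo: report the sample before and after fixing. On a real host you would run
#   mongo_http_fix /etc/mongod.conf > /etc/mongod.conf.new
# review the diff, move it into place and restart mongod.
sample=$(mktemp)
write_sample_conf "$sample"
echo "Before:"; mongo_http_settings "$sample"
echo "After:";  mongo_http_fix "$sample" | mongo_http_settings -
rm -f "$sample"
```

After the restart, confirm the change took effect from the network side as well: the status page listened on the mongod port plus 1000 (28017 for the default 27017), so `ss -ltn` should no longer show that port. If your mongod rejects these keys as unrecognized options at startup, you are on a release that has removed the HTTP interface entirely; in that case delete the http: block rather than setting its values.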