How to Disable MongoDB HTTP Status Interface and REST API

Learn how to disable the HTTP Status Interface and REST API to prevent potential data exposure and vulnerability to attackers

Stampery Inc.
Mongoaudit — the mongoaudit guides
Jan 30, 2017


Disclaimer: this how-to guide only applies to self-managed MongoDB servers. Hosted “MongoDB as a Service” providers ship with the HTTP Status Interface and REST API disabled, so there is nothing to do on those.

MongoDB used to ship a simple HTTP status interface (listening on mongod’s port + 1000, i.e. 28017 for the default 27017) and, on top of it, an optional REST API that exposed server statistics and read-only access to collection data for debugging. The interface has been deprecated since 3.2 and is removed entirely in 3.6. The REST API supports no authentication at all, so anyone who can reach the port can read your data. These interfaces must never be enabled in production, as the official docs state:

The HTTP Status Interface must be disabled in production environments to prevent potential data exposure and vulnerability to attackers.

Disabling MongoDB HTTP Status Interface and REST API

Open /etc/mongod.conf with your favorite code editor and search for the following lines:

net:
  http:
    enabled: true
    RESTInterfaceEnabled: true

If you can’t find mongod.conf, or it is named mongodb.conf and uses key = value lines instead of the YAML above, you are running an old, unsupported build of MongoDB (the YAML configuration format was introduced in 2.6; the legacy format used httpinterface = true and rest = true). Please read the mongoaudit guide on how to upgrade to a supported version.

Now make sure that both enabled and RESTInterfaceEnabled are set to false (if the net.http section is missing altogether, both already default to false), save, and restart mongod. Also check that the service unit or init script does not start mongod with the --httpinterface or --rest command-line flags, which turn the interfaces on regardless of the config file:

$ sudo service mongod restart
[ ok ] Restarting database: mongod.
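The procedure above done as a script, added here as an example and not part of the original mongoaudit guide. It audits the config for every net.http switch (it also covers JSONPEnabled, which the guide does not mention), rewrites the file with them set to false, and after the restart checks that nothing answers on the status port and that mongod was not started with --httpinterface/--rest on its command line. The config path /etc/mongod.conf and the 28017 status port are assumptions for the default install; the sample config used by --demo is constructed for the example, not taken from a real server.

```bash
#!/usr/bin/env bash
# Added example for this guide (not mongoaudit's own code): audit a self-managed
# mongod's YAML config for the HTTP status interface and REST API, turn them off,
# and verify nothing answers on the status port after the restart.
set -eu

# awk program shared by the audit and the fix. It walks mongod.conf's simple
# indented-map YAML and tracks the dotted path of every key (net.http.enabled ...)
# so unrelated keys with the same name (storage.journal.enabled) are left alone.
# mode=audit prints "path=value" for the three net.http switches; mode=fix echoes
# the whole file with those switches forced to false.
MONGO_HTTP_AWK='
function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
{
    line = $0
    if (line ~ /^[ \t]*(#|$)/) { if (mode == "fix") print line; next }   # comment or blank
    indent = 0; while (substr(line, indent + 1, 1) == " ") indent++
    rest = substr(line, indent + 1)
    if (index(rest, ":") == 0) { if (mode == "fix") print line; next }   # not "key: value"
    key = trim(substr(rest, 1, index(rest, ":") - 1))
    val = trim(substr(rest, index(rest, ":") + 1)); sub(/[ \t]*#.*$/, "", val)
    while (depth > 0 && indent <= indents[depth]) depth--                # leave deeper/equal sections
    depth++; indents[depth] = indent; keys[depth] = key
    path = keys[1]; for (i = 2; i <= depth; i++) path = path "." keys[i]
    target = (path == "net.http.enabled" || path == "net.http.RESTInterfaceEnabled" || path == "net.http.JSONPEnabled")
    if (mode == "audit") { if (target) print path "=" val; next }
    if (target && val != "false") line = substr(line, 1, indent) key ": false"
    print line
}'

# Print the net.http switches present in CONF, one "path=value" per line.
http_settings() { awk -v mode=audit "$MONGO_HTTP_AWK" "$1"; }

# Succeed (exit 0) if any switch is on. Keys that are absent default to false.
http_interface_enabled() { http_settings "$1" | grep -q '=true$'; }

# Rewrite CONF in place with every net.http switch set to false, keeping the
# file's inode and permissions so the service can still read it.
disable_http_interface() {
    tmp=$(mktemp)
    awk -v mode=fix "$MONGO_HTTP_AWK" "$1" > "$tmp"
    cat "$tmp" > "$1"
    rm -f "$tmp"
}

# After "sudo service mongod restart": confirm the status port (mongod port + 1000,
# 28017 for the default 27017) is closed, and catch a daemon started with
# --httpinterface/--rest on its command line, which the config file cannot undo.
verify_http_interface_off() {
    port="${1:-28017}"
    if pgrep -af mongod | grep -Eq -- '--(httpinterface|rest)( |$)'; then
        echo "mongod started with --httpinterface/--rest; fix its service unit or init script" >&2
        return 1
    fi
    if curl -s -m 3 -o /dev/null "http://127.0.0.1:${port}/"; then
        echo "HTTP status interface still answers on port ${port}" >&2
        return 1
    fi
    echo "nothing answers on port ${port}"
}

# Constructed sample config (not a real server's file) used by --demo.
write_sample_conf() {
    cat > "$1" <<'EOF'
storage:
  journal:
    enabled: true     # unrelated "enabled" key that must survive the fix
net:
  port: 27017
  http:
    enabled: true
    RESTInterfaceEnabled: true
EOF
}

main() {
    if [ "${1:-}" = "--demo" ]; then
        conf=$(mktemp); write_sample_conf "$conf"
    else
        conf="${1:-/etc/mongod.conf}"          # default path is an assumption
    fi
    echo "before:"; http_settings "$conf"
    if http_interface_enabled "$conf"; then
        disable_http_interface "$conf"
        echo "after:"; http_settings "$conf"
    else
        echo "already disabled or not configured (defaults are off)"
    fi
    if [ "${1:-}" = "--demo" ]; then rm -f "$conf"; else verify_http_interface_off; fi
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `./mongo-http-off.sh --demo` to see the rewrite on the constructed sample, or `sudo ./mongo-http-off.sh /etc/mongod.conf` followed by the restart and a second run to let verify_http_interface_off confirm the port is closed. The awk path tracking is what makes the rewrite safe: a plain `sed 's/enabled: true/enabled: false/'` would also switch off journaling under storage.journal.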

Done!
