How to Disable Server-Side JavaScript on MongoDB

Learn how to protect your MongoDB server from NoSQL injection attacks by disabling server-side JavaScript features

--

Several MongoDB operations let a client run arbitrary JavaScript directly on the server: the $where query operator, the mapReduce command (and the group command on releases that still have it), and on recent releases the $function and $accumulator aggregation operators.

These operations can be convenient, but they are a serious risk to the integrity and confidentiality of your data whenever the application splices user-provided values into a JavaScript expression without validating them: a value that closes the quoted string and appends a condition that is always true turns a single-record lookup into a full-collection dump, and the same hole allows CPU-burning expressions such as sleep() loops, as many published NoSQL injection reports show.

In practice almost every query can be expressed with MongoDB's native query and aggregation operators, without any JavaScript, so the most sensible option is to disable server-side JavaScript completely.
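As an added example (not code from the original article), the following Node.js snippet builds the query documents an application would send to MongoDB: the injectable $where filter, its JavaScript-free replacement, and a check for the operator-injection case that disabling server-side JavaScript alone does not cover. The field name username and the two attacker payloads are assumptions constructed for the demonstration; nothing here contacts a server.

```javascript
// Added example, not code from the original article: shows why a $where
// filter built from user input is injectable, the operator-based filter that
// replaces it, and the operator-injection case that javascriptEnabled: false
// does NOT close. Only query documents are built, so no MongoDB server is
// needed; the field name and payloads are constructed for the demo.

// VULNERABLE: user input is spliced into server-side JavaScript. With the
// payload JS_PAYLOAD below the predicate becomes
//   this.username == '' || '1'=='1'
// which is true for every document. Because $where is a full JavaScript
// expression, the same hole also allows sleep()-based denial of service and
// reading fields the query was never meant to return.
function findUserVulnerable(username) {
  return { $where: `this.username == '${username}'` };
}

// HARDENED: the value travels as data, not as code. This is the
// JavaScript-free equivalent and keeps working once server-side JavaScript
// is disabled. The type check matters: see rejectOperators() below.
function findUserSafe(username) {
  if (typeof username !== "string") {
    throw new TypeError("username must be a plain string");
  }
  return { username };
}

// Disabling JavaScript does not stop operator injection: a JSON body such as
// {"username": {"$ne": null}} dropped straight into a filter is evaluated by
// the query engine without any JavaScript. Reject $-prefixed keys anywhere
// in untrusted input before it can reach a filter document.
function rejectOperators(value, path = "input") {
  if (Array.isArray(value)) {
    value.forEach((item, i) => rejectOperators(item, `${path}[${i}]`));
  } else if (value !== null && typeof value === "object") {
    for (const key of Object.keys(value)) {
      if (key.startsWith("$")) {
        throw new Error(`query operator ${key} not allowed at ${path}.${key}`);
      }
      rejectOperators(value[key], `${path}.${key}`);
    }
  }
  return value;
}

// Constructed attacker payloads.
const JS_PAYLOAD = "' || '1'=='1";          // breaks out of the $where string
const OPERATOR_PAYLOAD = { $ne: null };     // operator injection via a JSON body

function demo() {
  console.log("vulnerable filter:", JSON.stringify(findUserVulnerable(JS_PAYLOAD)));
  console.log("safe filter:      ", JSON.stringify(findUserSafe(JS_PAYLOAD)));
  for (const body of [{ username: "alice" }, { username: OPERATOR_PAYLOAD }]) {
    try {
      rejectOperators(body);
      console.log("accepted:", JSON.stringify(body));
    } catch (err) {
      console.log("rejected:", err.message);
    }
  }
}

demo();
```

The safe filter sends the payload string as a literal value, so the server compares the whole string to the username field instead of executing it; rejectOperators() is the additional guard that stays necessary after javascriptEnabled is turned off, because the query engine evaluates $ne, $gt, $regex and friends with no JavaScript involved.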

Disabling server-side JavaScript on MongoDB

Open /etc/mongod.conf with your favorite code editor and look for the security section:

security:
  authorization: "enabled"

If there is no mongod.conf, or the file is called mongodb.conf instead, you are most likely running an outdated MongoDB package: the YAML configuration format, and with it the security.javascriptEnabled option, arrived in MongoDB 2.6. Upgrade to a supported release first (see the upgrade guide). On an old binary the equivalent is the --noscripting command-line option, which current versions still accept as well.

Add the following line inside the security section, indented to the same level as authorization, so that the section reads:

security:
  authorization: "enabled"
  javascriptEnabled: false

Now save the file and restart mongod. With the official MongoDB packages the service is named mongod (older distribution packages call it mongodb, so adjust the name if the command reports an unknown unit):

$ sudo systemctl restart mongod

Done! Server-side JavaScript is now off, which closes the $where and mapReduce injection vector. You can confirm it from mongosh with db.adminCommand({getCmdLineOpts: 1}), which should list javascriptEnabled: false under parsed.security, and any $where query now fails with an error instead of running. Keep in mind that this does not stop operator injection: a filter built from an untrusted object such as {"username": {"$ne": null}} is evaluated without any JavaScript, so the application still has to validate input types and reject $-prefixed keys, and authorization should stay enabled with least-privilege roles.
