MongoDB User Credentials and Security Best Practices

Learn how to reduce attack surface and limit the damage of a breach by being deliberate when you create user credentials and assign them roles and permissions.

--

When creating new users and assigning them roles:

  • Never share a single user across several applications, even if they only query the same database.
  • Remember this; we cannot emphasize the previous point enough: one application, one user.
  • In the same manner, a user should only hold roles and permissions on a single database.
  • Always grant the most restrictive role. If your app only reads from two collections, give it a user-defined role whose privileges grant the find action on exactly those two collections, rather than the built-in read role, which covers the whole database.
  • Never grant apps the dbAdmin or dbOwner roles. Why on earth would your app need them? dbAdmin lets a user drop collections and indexes, and dbOwner adds readWrite and userAdmin on top, so a compromised app could rewrite every document and create new users on that database.

If some day your app gets compromised or hacked, which no one can rule out completely, the damage will be contained as long as you followed the above guidelines to the letter: the attacker inherits only the permissions of that one user, on that one database, over those few collections.

TL;DR: Be cautious when creating users and assigning roles and permissions to them. It will save your bacon!
