MongoDB HTTP status interface
Description
MongoDB instances can expose an HTTP status interface that serves operational data, logs, and status information about the mongod or mongos process. It listens on a port 1000 higher than the primary MongoDB port (28017 for the default 27017). The interface is read-only unless the REST interface is also enabled, but even in read-only mode it discloses details of database operations, server configuration, and system performance to unauthorized clients that can reach the port. The interface was enabled by default in older MongoDB releases, creating an unnecessary attack surface on every exposed host.
Remediation
Disable the MongoDB HTTP status interface immediately using one of the following methods:
1. Add the following settings to the MongoDB configuration file (mongod.conf, YAML format, MongoDB 2.6 and later):
   net:
     http:
       enabled: false
       RESTInterfaceEnabled: false
   Or, for older MongoDB versions that use the legacy key = value configuration format:
   nohttpinterface = true
2. Start MongoDB with the command-line option:
mongod --nohttpinterface
3. Verify the interface is disabled by attempting to connect to http://[mongodb-host]:28017 (or your configured port + 1000); the TCP connection should be refused.
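The following script is an added example, not part of this page or of MongoDB's own tooling. It audits a mongod.conf for the settings in step 1 (both the YAML format and the legacy key = value format), derives the status-interface port as the configured port + 1000, and performs the TCP check from step 3. The sample configuration texts are constructed for the example; an absent setting is deliberately reported as "not disabled" because the default differed between releases.

```python
"""Audit a mongod.conf for the HTTP status interface and probe its port.

Added example, not MongoDB's own tooling. Reads the two config formats
mongod has used (YAML from 2.6 on, legacy "key = value" before that),
reports whether the HTTP and REST interfaces are explicitly disabled, and
derives the status-page port as port + 1000. The sample configs below are
constructed for this example.
"""
import socket

DEFAULT_MONGOD_PORT = 27017
HTTP_PORT_OFFSET = 1000

# Constructed samples: a weak YAML config, a hardened one, and a legacy one.
WEAK_YAML = """\
net:
  port: 27017
  http:
    enabled: true
    RESTInterfaceEnabled: true   # REST also makes the interface writable
"""
HARDENED_YAML = """\
net:
  port: 27017
  bindIp: 127.0.0.1
  http:
    enabled: false
    RESTInterfaceEnabled: false
"""
LEGACY_CONF = """\
# MongoDB 2.4-style configuration
port = 27017
nohttpinterface = true
rest = false
"""


def _flatten_yaml(text):
    """Read mongod.conf's simple key: value tree into dotted keys.

    Minimal on purpose: no lists, quoting or multi-line values, which the
    settings audited here never use.
    """
    out, stack = {}, []            # stack holds (indent, key) for the open path
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            out[".".join(k for _, k in stack)] = value.strip()
    return out


def _flatten_legacy(text):
    """Read the pre-2.6 'key = value' format."""
    out = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            out[key.strip()] = value.strip()
    return out


def _is_true(value):
    return str(value).strip().lower() in ("true", "1", "yes", "on")


def audit_mongod_conf(text):
    """Describe the HTTP interface settings found in a config file's text.

    An absent setting is reported as not disabled: the default varied
    between releases, so the audit only trusts an explicit value.
    """
    # Legacy files use '=', the YAML format never does for these keys.
    if any("=" in ln.split("#", 1)[0] for ln in text.splitlines()):
        conf = _flatten_legacy(text)
        port = int(conf.get("port", DEFAULT_MONGOD_PORT))
        http_disabled = _is_true(conf.get("nohttpinterface", "false"))
        rest_disabled = "rest" in conf and not _is_true(conf["rest"])
        fmt = "legacy"
    else:
        conf = _flatten_yaml(text)
        port = int(conf.get("net.port", DEFAULT_MONGOD_PORT))
        http_disabled = conf.get("net.http.enabled", "").lower() == "false"
        rest_disabled = conf.get("net.http.RESTInterfaceEnabled", "").lower() == "false"
        fmt = "yaml"
    return {
        "format": fmt,
        "http_port": port + HTTP_PORT_OFFSET,
        "http_disabled": http_disabled,
        "rest_disabled": rest_disabled,
    }


def tcp_port_open(host, port, timeout=2.0):
    """True if something accepts TCP connections on host:port.

    After remediation the status port should refuse connections; a listener
    there means mongod still serves the HTTP interface (or something else
    took the port and deserves a look).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for name, text in (("weak", WEAK_YAML), ("hardened", HARDENED_YAML), ("legacy", LEGACY_CONF)):
        print(name, audit_mongod_conf(text))
    # Assumption: mongod runs on this host, so probe the derived status port locally.
    status_port = audit_mongod_conf(HARDENED_YAML)["http_port"]
    print("status port %d reachable:" % status_port, tcp_port_open("127.0.0.1", status_port))
```

Run it against the real mongod.conf by passing the file's contents to audit_mongod_conf and the server's address to tcp_port_open; a result of http_disabled False together with a reachable port is the finding this page describes, while a reachable port on a config that reads as disabled means the running process was not restarted or is using a different configuration file.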
Additionally, ensure the MongoDB instance is not directly exposed to the internet, and apply network-level access controls (firewall rules, security groups) so that only trusted IP addresses can reach both the database port and the status port. The HTTP interface was deprecated in MongoDB 3.2 and removed in MongoDB 3.6, so on 3.6 and later there is nothing to disable; the settings above apply to older releases, and upgrading removes the interface entirely.