[{"data":1,"prerenderedAt":435},["ShallowReactive",2],{"blog-guides/mongodb":3},{"id":4,"title":5,"body":6,"category":414,"date":415,"dateModified":416,"description":417,"draft":418,"extension":419,"faq":420,"featured":418,"headerVariant":421,"image":420,"keywords":420,"meta":422,"navigation":423,"ogDescription":424,"ogTitle":420,"path":425,"readTime":426,"schemaOrg":427,"schemaType":428,"seo":429,"sitemap":430,"stem":431,"tags":432,"twitterCard":433,"__hash__":434},"blog/blog/guides/mongodb.md","MongoDB Security Guide: Atlas Configuration and Best Practices",{"type":7,"value":8,"toc":389},"minimark",[9,16,21,24,53,57,60,65,74,78,130,139,143,147,150,165,169,186,190,199,208,217,221,225,228,237,246,250,259,263,267,270,274,281,285,288,297,301,306,309,312,315,318,321,324,327,330,358,377],[10,11,12],"tldr",{},[13,14,15],"p",{},"MongoDB Atlas requires proper network access configuration and authentication. Never allow access from 0.0.0.0/0 in production. Create database users with minimal permissions, store connection strings in environment variables, and use VPC peering or private endpoints for production workloads. Atlas encrypts data at rest and in transit by default.",[17,18,20],"h2",{"id":19},"mongodb-atlas-security-model","MongoDB Atlas Security Model",[13,22,23],{},"MongoDB Atlas is a managed database service. 
Security is handled at multiple levels:",[25,26,27,35,41,47],"ul",{},[28,29,30,34],"li",{},[31,32,33],"strong",{},"Network access:"," IP allowlist controls who can connect",[28,36,37,40],{},[31,38,39],{},"Authentication:"," Database users with usernames/passwords",[28,42,43,46],{},[31,44,45],{},"Authorization:"," Roles define what users can do",[28,48,49,52],{},[31,50,51],{},"Encryption:"," Data encrypted at rest and in transit",[17,54,56],{"id":55},"network-access-configuration","Network Access Configuration",[13,58,59],{},"The most common security mistake is overly permissive network access.",[61,62,64],"h3",{"id":63},"the-danger-of-00000","The Danger of 0.0.0.0/0",[66,67,68],"danger-box",{},[13,69,70,73],{},[31,71,72],{},"Never use 0.0.0.0/0 in production."," This allows connections from any IP address, so a leaked credential is all an attacker needs; the IP allowlist is the one layer that would otherwise have stopped them.",[61,75,77],{"id":76},"proper-network-configuration","Proper Network Configuration",[79,80,81,94],"table",{},[82,83,84],"thead",{},[85,86,87,91],"tr",{},[88,89,90],"th",{},"Environment",[88,92,93],{},"Recommended Approach",[95,96,97,106,114,122],"tbody",{},[85,98,99,103],{},[100,101,102],"td",{},"Development",[100,104,105],{},"Add only your current IP address, and remove stale entries when it changes",[85,107,108,111],{},[100,109,110],{},"Vercel/Netlify",[100,112,113],{},"Use their published egress IP ranges; fall back to 0.0.0.0/0 only as a last resort, paired with strong auth and least-privilege roles",[85,115,116,119],{},[100,117,118],{},"Railway/Render",[100,120,121],{},"Use their static IPs or private networking",[85,123,124,127],{},[100,125,126],{},"AWS/GCP/Azure",[100,128,129],{},"VPC Peering or Private Endpoints",[131,132,133],"info-box",{},[13,134,135,138],{},[31,136,137],{},"Serverless platforms:"," Services like Vercel use dynamic IPs. 
You may need to allow broad access but should combine this with strong authentication and minimal user permissions.",[17,140,142],{"id":141},"database-user-security","Database User Security",[61,144,146],{"id":145},"creating-secure-users","Creating Secure Users",[13,148,149],{},"Create database users with minimal necessary permissions:",[151,152,154],"code-block",{"label":153},"User role examples",[155,156,161],"pre",{"className":157,"code":159,"language":160},[158],"language-text","# Read-only user for reporting\nUsername: reporter\nRole: read (on specific database)\n\n# Application user with read/write\nUsername: app_user\nRole: readWrite (on specific database)\n\n# Admin user (use sparingly)\nUsername: admin\nRole: atlasAdmin\n","text",[162,163,159],"code",{"__ignoreMap":164},"",[61,166,168],{"id":167},"user-best-practices","User Best Practices",[25,170,171,174,177,180,183],{},[28,172,173],{},"Use separate users for different applications",[28,175,176],{},"Use separate users for different environments (dev, staging, prod)",[28,178,179],{},"Generate strong, unique passwords",[28,181,182],{},"Rotate passwords periodically",[28,184,185],{},"Never share database credentials",[17,187,189],{"id":188},"connection-string-security","Connection String Security",[151,191,193],{"label":192},"MongoDB connection string format",[155,194,197],{"className":195,"code":196,"language":160},[158],"mongodb+srv://username:password@cluster.xxxxx.mongodb.net/database?retryWrites=true&w=majority\n",[162,198,196],{"__ignoreMap":164},[200,201,202],"warning-box",{},[13,203,204,207],{},[31,205,206],{},"Never hardcode connection strings."," They contain your username and password. 
Always use environment variables.",[151,209,211],{"label":210},"Secure connection in Node.js",[155,212,215],{"className":213,"code":214,"language":160},[158],"const { MongoClient } = require('mongodb');\n\n// Get connection string from environment\nconst uri = process.env.MONGODB_URI;\n\nif (!uri) {\n  throw new Error('MONGODB_URI environment variable is required');\n}\n\nconst client = new MongoClient(uri, {\n  // These options are now defaults in newer drivers\n  // but good to be explicit\n  retryWrites: true,\n  w: 'majority'\n});\n\nasync function connect() {\n  try {\n    await client.connect();\n    console.log('Connected to MongoDB');\n  } catch (error) {\n    console.error('MongoDB connection error:', error.message);\n    process.exit(1);\n  }\n}\n",[162,216,214],{"__ignoreMap":164},[17,218,220],{"id":219},"query-security","Query Security",[61,222,224],{"id":223},"preventing-nosql-injection","Preventing NoSQL Injection",[13,226,227],{},"MongoDB queries can be vulnerable to injection if you pass user input directly:",[151,229,231],{"label":230},"Vulnerable to injection",[155,232,235],{"className":233,"code":234,"language":160},[158],"// DANGEROUS: User could send { \"$gt\": \"\" } as password\napp.post('/login', async (req, res) => {\n  const user = await db.collection('users').findOne({\n    email: req.body.email,\n    password: req.body.password  // Could be an object!\n  });\n});\n",[162,236,234],{"__ignoreMap":164},[151,238,240],{"label":239},"Safe approach",[155,241,244],{"className":242,"code":243,"language":160},[158],"// SAFE: Validate and sanitize input\napp.post('/login', async (req, res) => {\n  const { email, password } = req.body;\n\n  // Ensure inputs are strings\n  if (typeof email !== 'string' || typeof password !== 'string') {\n    return res.status(400).json({ error: 'Invalid input' });\n  }\n\n  // Hash comparison (never store plain passwords!)\n  const user = await db.collection('users').findOne({ email });\n  if (!user || !await 
bcrypt.compare(password, user.passwordHash)) {\n    return res.status(401).json({ error: 'Invalid credentials' });\n  }\n});\n",[162,245,243],{"__ignoreMap":164},[61,247,249],{"id":248},"input-validation-library","Input Validation Library",[151,251,253],{"label":252},"Using a validation library",[155,254,257],{"className":255,"code":256,"language":160},[158],"const Joi = require('joi');\n\nconst userSchema = Joi.object({\n  email: Joi.string().email().required(),\n  password: Joi.string().min(8).required()\n});\n\napp.post('/login', async (req, res) => {\n  // Validate input\n  const { error, value } = userSchema.validate(req.body);\n  if (error) {\n    return res.status(400).json({ error: error.details[0].message });\n  }\n\n  // Now value.email and value.password are guaranteed to be strings\n  const { email, password } = value;\n  // ... proceed safely\n});\n",[162,258,256],{"__ignoreMap":164},[17,260,262],{"id":261},"encryption","Encryption",[61,264,266],{"id":265},"encryption-at-rest","Encryption at Rest",[13,268,269],{},"Atlas encrypts all data at rest using AES-256. This is enabled by default and cannot be disabled.",[61,271,273],{"id":272},"encryption-in-transit","Encryption in Transit",[13,275,276,277,280],{},"All connections to Atlas use TLS. 
A connection string using ",[162,278,279],{},"mongodb+srv://"," turns TLS on by default; do not override this with tls=false in the string, since Atlas only accepts encrypted connections.",[61,282,284],{"id":283},"client-side-field-level-encryption","Client-Side Field Level Encryption",[13,286,287],{},"For highly sensitive data, Atlas supports client-side field level encryption (CSFLE), where the application encrypts selected fields before sending them to the database, so a compromise of the database alone does not expose their plaintext:",[151,289,291],{"label":290},"Field level encryption concept",[155,292,295],{"className":293,"code":294,"language":160},[158],"// With CSFLE, sensitive fields are encrypted client-side\n// The database never sees the plaintext\n\n// Fields like SSN, credit card would be encrypted\n{\n  name: \"John Doe\",                    // Plaintext\n  ssn: Binary(encrypted_data),         // Encrypted\n  creditCard: Binary(encrypted_data)   // Encrypted\n}\n",[162,296,294],{"__ignoreMap":164},[17,298,300],{"id":299},"mongodb-atlas-security-checklist","MongoDB Atlas Security Checklist",[302,303,305],"h4",{"id":304},"before-going-to-production","Before Going to Production",[13,307,308],{},"Network access restricted (not 0.0.0.0/0 if possible)",[13,310,311],{},"Database users have minimal necessary roles",[13,313,314],{},"Separate users for each application/environment",[13,316,317],{},"Strong, unique passwords for all users",[13,319,320],{},"Connection string in environment variables",[13,322,323],{},"Input validation prevents NoSQL injection",[13,325,326],{},"Audit logging enabled (for compliance needs)",[13,328,329],{},"Backups configured and tested",[331,332,333,340,346,352],"faq-section",{},[334,335,337],"faq-item",{"question":336},"Is it safe to allow 0.0.0.0/0 network access?",[13,338,339],{},"It's not ideal but sometimes necessary for serverless platforms. If you must allow all IPs, use strong authentication, create users with minimal permissions, and consider Atlas's network peering or private endpoints for sensitive data.",[334,341,343],{"question":342},"How do I connect from Vercel or Netlify?",[13,344,345],{},"These platforms use dynamic IPs. 
Unless the platform gives you static egress IPs or private connectivity, you'll typically need to allow broad network access (0.0.0.0/0); if you do, compensate with strong passwords, minimal user permissions, and input validation in your code.",[334,347,349],{"question":348},"Should I use the same database user for all environments?",[13,350,351],{},"No. Create separate users for development, staging, and production. This limits damage if credentials are compromised and makes it easier to rotate credentials.",[334,353,355],{"question":354},"What happens if my connection string is exposed?",[13,356,357],{},"Treat the credentials as compromised. Immediately rotate the database user's password in Atlas (or delete the user and create a new one), then update your environment variables with the new connection string. Audit your database for any unauthorized access or changes, and if the string was committed to source control, remove it from the history as well; rotation is still required, because existing clones may already contain it.",[359,360,361,367,372],"related-articles",{},[362,363],"related-card",{"description":364,"href":365,"title":366},"Step-by-step guide","/blog/how-to/environment-variables","Secure MongoDB Connections",[362,368],{"description":369,"href":370,"title":371},"Compare database security","/blog/comparisons/supabase-vs-mongodb","MongoDB vs PostgreSQL Security",[362,373],{"description":374,"href":375,"title":376},"Understanding the vulnerability","/blog/vulnerabilities/sql-injection","NoSQL Injection",[378,379,382,386],"cta-box",{"href":380,"label":381},"/","Start Free Scan",[17,383,385],{"id":384},"using-mongodb","Using MongoDB?",[13,387,388],{},"Scan your project for exposed connection strings and security 
issues.",{"title":164,"searchDepth":390,"depth":390,"links":391},2,[392,393,398,402,403,407,412,413],{"id":19,"depth":390,"text":20},{"id":55,"depth":390,"text":56,"children":394},[395,397],{"id":63,"depth":396,"text":64},3,{"id":76,"depth":396,"text":77},{"id":141,"depth":390,"text":142,"children":399},[400,401],{"id":145,"depth":396,"text":146},{"id":167,"depth":396,"text":168},{"id":188,"depth":390,"text":189},{"id":219,"depth":390,"text":220,"children":404},[405,406],{"id":223,"depth":396,"text":224},{"id":248,"depth":396,"text":249},{"id":261,"depth":390,"text":262,"children":408},[409,410,411],{"id":265,"depth":396,"text":266},{"id":272,"depth":396,"text":273},{"id":283,"depth":396,"text":284},{"id":299,"depth":390,"text":300},{"id":384,"depth":390,"text":385},"guides","2026-01-22","2026-02-12","Complete security guide for MongoDB Atlas. Learn to configure network access, enable authentication, encrypt data, and secure your NoSQL database.",false,"md",null,"blue",{},true,"Secure your MongoDB Atlas database with proper access controls and encryption.","/blog/guides/mongodb","10 min read","[object Object]","Article",{"title":5,"description":417},{"loc":425},"blog/guides/mongodb",[],"summary_large_image","n8c4vOm-mFgnVMO7rDC7hb4CvYqPPzPBRShqMFwh0FI",1775843930110]