Connection Security
Encryption, authentication, TLS/SSL configuration, and IP whitelisting for MongoDB connections
Securing your MongoDB connections protects sensitive data from unauthorized access and interception. MongoDash supports multiple security layers including encryption, authentication mechanisms, TLS/SSL, and network access controls.
Security Layers
A secure MongoDB connection uses multiple protection mechanisms:
- Transport Encryption - TLS/SSL encrypts data in transit
- Authentication - Verifies user identity
- Authorization - Controls user permissions
- Network Access Control - Restricts connection sources
- Connection String Protection - Encrypts stored credentials
Always use TLS/SSL for production connections, especially over public networks. Unencrypted connections expose your data to eavesdropping.
TLS/SSL Encryption
TLS (Transport Layer Security) encrypts all data transmitted between MongoDash and your MongoDB server.
Enabling TLS/SSL
Add tls=true or ssl=true to your connection string:
mongodb://user:pass@host:27017/db?tls=true
For Atlas connections, TLS is automatically enabled:
mongodb+srv://user:pass@cluster.mongodb.net/db
TLS Configuration Options
Basic TLS
- Add tls=true to the connection string
- Uses system certificate authorities
- Validates server certificate automatically
Custom CA Certificate
- Upload custom CA certificate
- Required for self-signed certificates
- Add the tlsCAFile parameter
Client Certificate Authentication
- Upload client certificate and private key
- Required for mutual TLS (mTLS)
- Add the tlsCertificateKeyFile parameter
Certificate Validation Options
- tlsAllowInvalidCertificates - Skip certificate validation (development only)
- tlsAllowInvalidHostnames - Skip hostname validation
- tlsInsecure - Skip all TLS validation (never use in production)
TLS Connection String Examples
Standard TLS:
mongodb://user:pass@host:27017/db?tls=true
TLS with custom CA:
mongodb://user:pass@host:27017/db?tls=true&tlsCAFile=/path/to/ca.pem
Mutual TLS (client certificate):
mongodb://user:pass@host:27017/db?tls=true&tlsCertificateKeyFile=/path/to/client.pem
Development (skip validation):
mongodb://user:pass@localhost:27017/db?tls=true&tlsAllowInvalidCertificates=true
Never use tlsAllowInvalidCertificates=true or tlsInsecure=true in production. These options disable critical security checks.
Certificate Management
Uploading Certificates to MongoDash
Navigate to connection settings
- Go to Connections → Edit Connection
- Scroll to TLS/SSL Configuration
Upload CA certificate (if using self-signed certificates)
- Click Upload CA Certificate
- Select your .pem or .crt file
- MongoDash validates certificate format
Upload client certificate (for mutual TLS)
- Click Upload Client Certificate
- Upload combined certificate and key file
- Or upload certificate and key separately
Enter certificate passphrase (if encrypted)
- Provide passphrase for encrypted private keys
- MongoDash encrypts passphrases at rest
Certificate Formats
MongoDash accepts these certificate formats:
- PEM - Privacy Enhanced Mail (.pem, .crt, .key)
- DER - Distinguished Encoding Rules (.der, .cer)
- PKCS#12 - Combined certificate and key (.p12, .pfx)
Converting Certificates
Convert DER to PEM:
openssl x509 -inform der -in certificate.cer -out certificate.pem
Combine certificate and key:
cat certificate.crt private.key > combined.pem
Extract from PKCS#12:
openssl pkcs12 -in certificate.p12 -out certificate.pem -nodes
Authentication Mechanisms
MongoDB supports multiple authentication mechanisms for different security requirements.
SCRAM-SHA-256 (Default)
Salted Challenge Response Authentication Mechanism using SHA-256.
mongodb://user:pass@host:27017/db?authMechanism=SCRAM-SHA-256&authSource=admin
When to use:
- Default for MongoDB 4.0+
- Standard username/password authentication
- Most common authentication method
SCRAM-SHA-1
Legacy SCRAM using SHA-1 (for older MongoDB versions).
mongodb://user:pass@host:27017/db?authMechanism=SCRAM-SHA-1&authSource=admin
When to use:
- MongoDB 3.x compatibility
- Legacy systems requiring SHA-1
MONGODB-X509
Certificate-based authentication using X.509 certificates.
mongodb://host:27017/db?authMechanism=MONGODB-X509&tls=true&tlsCertificateKeyFile=/path/to/client.pem
When to use:
- High-security environments
- Automated systems (no password rotation)
- Mutual TLS requirements
X.509 authentication requires the certificate subject to match a MongoDB user. Contact your DBA for certificate setup.
LDAP (SASL)
Enterprise-only LDAP authentication.
mongodb://user%40REALM:pass@host:27017/db?authMechanism=PLAIN&authSource=$external
An @ inside the username (here user@REALM) must be percent-encoded as %40; a literal @ would be read as the start of the host list.
When to use:
- Enterprise MongoDB installations
- Active Directory integration
- Centralized user management
Kerberos (GSSAPI)
Enterprise-only Kerberos authentication.
mongodb://user%40REALM@host:27017/db?authMechanism=GSSAPI&authSource=$external
The @ in the Kerberos principal user@REALM is percent-encoded as %40 so it is not read as the userinfo delimiter.
When to use:
- Enterprise MongoDB installations
- Kerberos infrastructure environments
- Single sign-on requirements
AWS IAM
MongoDB Atlas AWS IAM authentication.
mongodb://host:27017/db?authMechanism=MONGODB-AWS&authSource=$external
When to use:
- MongoDB Atlas on AWS
- IAM role-based access
- Temporary credentials
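The LDAP and Kerberos mechanisms above carry an @ inside the username, which a URI parser would otherwise read as the start of the host list. The following added example (not MongoDash code; the function names build_mongodb_uri and gssapi_uri are hypothetical) assembles a connection string with the userinfo percent-encoded, so a principal such as user@REALM or a password containing @, : or / survives parsing intact.

```python
from urllib.parse import quote, urlencode


def build_mongodb_uri(user, password, hosts, database="", **options):
    """Assemble a mongodb:// URI with a safely encoded userinfo part.

    quote(..., safe="") percent-encodes every reserved character, so an
    '@' in a Kerberos or LDAP principal becomes %40 and a password
    containing ':' or '/' cannot be mistaken for a URI delimiter.
    """
    userinfo = quote(user, safe="")
    if password is not None:  # X.509, Kerberos and AWS IAM carry no password
        userinfo += ":" + quote(password, safe="")
    uri = f"mongodb://{userinfo}@{','.join(hosts)}/{database}"
    if options:
        # Keep '$' and '/' literal so authSource=$external and certificate
        # paths read the way the examples on this page show them.
        uri += "?" + urlencode(options, safe="$/", quote_via=quote)
    return uri


def gssapi_uri(principal, host, database="db"):
    """Kerberos (GSSAPI) login for a principal such as user@REALM."""
    return build_mongodb_uri(principal, None, [host], database,
                             authMechanism="GSSAPI", authSource="$external")


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(build_mongodb_uri("user@REALM", "pass", ["host:27017"], "db",
                            authMechanism="PLAIN", authSource="$external"))
    print(gssapi_uri("user@REALM", "host:27017"))
```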
IP Whitelisting
Restrict MongoDB access to specific IP addresses or CIDR ranges.
MongoDB Atlas IP Whitelist
Access Network Access in Atlas
- Log into MongoDB Atlas dashboard
- Navigate to Network Access
- Click Add IP Address
Add MongoDash IP addresses
- Enter MongoDash static IP ranges (Enterprise only)
- Or add current IP for testing
- Or use 0.0.0.0/0 for development (not recommended)
Set expiration (optional)
- Configure temporary access with expiration date
- Useful for contractor or temporary access
Test connection
- Verify connection from MongoDash
- Check firewall logs if connection fails
Self-Hosted MongoDB Firewall
Configure firewall rules on your MongoDB server:
Linux (iptables):
# Allow MongoDash IP
sudo iptables -A INPUT -p tcp -s 203.0.113.10 --dport 27017 -j ACCEPT
# Block all other connections
sudo iptables -A INPUT -p tcp --dport 27017 -j DROP
Linux (ufw):
# Allow specific IP
sudo ufw allow from 203.0.113.10 to any port 27017
# Deny all other
sudo ufw deny 27017
Windows Firewall:
- Open Windows Firewall with Advanced Security
- Create new Inbound Rule
- Select Port → TCP → 27017
- Select "Allow the connection"
- Specify remote IP addresses
MongoDash Static IPs
MongoDash Enterprise customers receive dedicated static IP addresses for firewall whitelisting. Contact support for your IP ranges.
Standard and Professional plans use dynamic IPs and require alternative access methods:
- VPN connections
- SSH tunnels
- Private network peering (Enterprise)
Connection String Encryption
MongoDash encrypts all connection strings at rest to protect credentials.
Encryption Details
- Algorithm: AES-256-GCM
- Key Storage: Hardware security module (HSM) in Enterprise
- Scope: All connection URIs, passwords, and certificates
- Access: Decrypted only during active connections
Best Practices
- Use environment-specific credentials - Separate users for dev/staging/production
- Rotate credentials regularly - Change passwords every 90 days
- Use read-only users for dashboards - Minimize permissions
- Enable audit logging - Track connection usage (Enterprise)
Create dedicated MongoDB users for MongoDash with minimal required permissions. Avoid using admin or root accounts.
Database User Permissions
Configure appropriate MongoDB user permissions for MongoDash access.
Read-Only User (Recommended for Dashboards)
use admin
db.createUser({
user: "mongodash_readonly",
pwd: "securePassword123",
roles: [
{ role: "readAnyDatabase", db: "admin" },
{ role: "clusterMonitor", db: "admin" }
]
})
Permissions:
- Read all databases
- View cluster status and metrics
- No write or admin capabilities
Read-Write User
use admin
db.createUser({
user: "mongodash_readwrite",
pwd: "securePassword123",
roles: [
{ role: "readWriteAnyDatabase", db: "admin" },
{ role: "clusterMonitor", db: "admin" }
]
})
Permissions:
- Read and write all databases
- View cluster status
- No user management or admin
Database-Specific User
use myDatabase
db.createUser({
user: "mongodash_mydb",
pwd: "securePassword123",
roles: [
{ role: "read", db: "myDatabase" }
]
})
Permissions:
- Read only specific database
- No access to other databases
Grant minimum required permissions. Over-privileged accounts increase security risk if credentials are compromised.
Network Security
Additional network-level security measures:
VPC Peering (Enterprise)
Establish private network connection between MongoDash and your MongoDB:
- No internet exposure
- Dedicated private link
- Sub-millisecond latency
- Enhanced security
VPC peering is available for Enterprise customers. Contact sales for setup.
PrivateLink (AWS/Azure/GCP)
Connect to MongoDB Atlas via cloud provider PrivateLink:
Benefits:
- Traffic stays within cloud provider network
- No internet exposure
- Simplified network configuration
- Lower latency
Setup:
- Enable PrivateLink in Atlas
- Create endpoint in your VPC
- Use private endpoint in connection string
- Configure DNS resolution
SSH Bastion
Use SSH tunnels for secure access:
MongoDash → SSH Tunnel → Bastion → MongoDB (Private Network)
See SSH Tunnels documentation for detailed configuration.
Security Compliance
MongoDash security features support compliance requirements:
SOC 2 Compliance
- Encrypted connections (TLS 1.2+)
- Encrypted data at rest
- Access logging and audit trails (Enterprise)
- Regular security audits
GDPR Compliance
- Data encryption in transit and at rest
- Access controls and authentication
- Audit logging for data access (Enterprise)
- Data retention policies
HIPAA Compliance
- End-to-end encryption
- Access logging and monitoring (Enterprise)
- BAA available (Enterprise)
- PHI data handling procedures
Enterprise plans include compliance documentation and BAA agreements. Contact sales for compliance requirements.
Security Checklist
Ensure your MongoDB connections are secure:
- Enable TLS/SSL for all connections
- Use certificate validation (no tlsAllowInvalidCertificates)
- Configure IP whitelisting or firewall rules
- Use strong authentication (SCRAM-SHA-256 or X.509)
- Create dedicated users with minimal permissions
- Rotate credentials every 90 days
- Enable MongoDB authentication and authorization
- Use SSH tunnels or VPN for private networks
- Monitor connection audit logs (Enterprise)
- Disable unnecessary MongoDB ports and services
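The TLS and authentication items of this checklist, together with the certificate validation options from the TLS section, can be checked mechanically before a connection string is saved. The following is an added example (not MongoDash code) that parses a MongoDB URI with only the Python standard library and lists the violations it finds; the function name audit_uri and the sample URIs are assumptions constructed for the example.

```python
from __future__ import annotations
from urllib.parse import parse_qs, urlsplit

# TLS options named on this page that weaken or disable certificate checks.
WEAK_TLS_OPTIONS = {
    "tlsInsecure": "disables all TLS validation",
    "tlsAllowInvalidCertificates": "skips server certificate validation",
    "tlsAllowInvalidHostnames": "skips hostname validation",
}


def audit_uri(uri: str) -> list[str]:
    """Return the checklist violations found in a connection string.

    An empty list means the URI passed every check implemented here.
    """
    parts = urlsplit(uri)
    if parts.scheme not in ("mongodb", "mongodb+srv"):
        return [f"unsupported scheme {parts.scheme!r}"]
    # Option names are case-insensitive; if one repeats, the last value wins.
    opts = {k.lower(): v[-1] for k, v in parse_qs(parts.query).items()}
    findings = []

    # mongodb+srv implies TLS; a plain mongodb:// URI needs tls=true (or ssl=true).
    tls_flag = opts.get("tls", opts.get("ssl", "false")).lower() == "true"
    tls_on = parts.scheme == "mongodb+srv" or tls_flag
    if not tls_on:
        findings.append("TLS is not enabled (add tls=true)")
    for name, effect in WEAK_TLS_OPTIONS.items():
        if opts.get(name.lower(), "false").lower() == "true":
            findings.append(f"{name}=true {effect}")

    mech = opts.get("authmechanism", "").upper()
    if mech == "SCRAM-SHA-1":
        findings.append("SCRAM-SHA-1 is legacy; prefer SCRAM-SHA-256 or X.509")
    elif mech == "PLAIN" and not tls_on:
        findings.append("PLAIN (LDAP) sends the password to the server; it requires TLS")
    elif mech == "MONGODB-X509" and not tls_on:
        findings.append("MONGODB-X509 requires TLS with a client certificate")
    elif not mech and not parts.username:
        findings.append("no credentials or authMechanism in the URI")
    return findings


if __name__ == "__main__":
    # Constructed sample URIs following the patterns shown on this page.
    for sample in (
        "mongodb://user:pass@host:27017/db?tls=true",
        "mongodb://user:pass@localhost:27017/db?tls=true&tlsAllowInvalidCertificates=true",
    ):
        print(sample, "->", audit_uri(sample) or "OK")
```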