By psmod2
Hi,
I was just going through these 10 recommendations for MongoDB security.
Number 8 mentions enabling SSL for data travelling between the Mongo client and Mongo Server. However with the case of my droplet, is this required?
Isn’t the Mongo Server = my droplet. Mongo Client = the mongo installation?
I have a firewall IP restriction so only my node droplet can access that mongo droplet.
So with that is it safe to say SSL isn’t required?
Thanks.
MongoDB doesn’t run with SSL by default; this is something you have to enable manually. If you will, take a look at the guide below and it’ll cover how to enable SSL.
https://docs.mongodb.com/manual/tutorial/configure-ssl/
That being said, no, if you’ve not enabled SSL on the MongoDB instance, communication between the NodeJS app and MongoDB instance will not be encrypted.
SSL is recommended for added security and allows you to encrypt communication between local and remote connections.
For example, if you happen to be using your database to store sensitive data, such as passwords, e-mail addresses, etc. and that data happens to be in plain-text format (and in most cases it is – even if the password is actually encrypted and then decrypted later on by your application), adding SSL to the mix adds another layer of security that prevents potential interception and decryption of the data during transit.
Without SSL, should the data be intercepted, what is passed is what is seen. There’s no encryption beyond what your application may perform.
SSH may very well be encrypted, though if you’re handling data, SSL handles the exchange between the visitors of your website and the server (i.e. visitor <=> Node app), as well as between servers (i.e. Node app <=> MongoDB).
So, for instance, someone visits your site at http://yoursite.com – data exchanged between your app and the visitor is not encrypted. Likewise, when your Node app requests data from your MongoDB instance, data is not encrypted (unless MongoDB is set up to use SSL).
You have to specifically install an SSL certificate for your domain and then set up your application to use HTTPS instead of HTTP – at the same time, you have to specifically configure MongoDB to run with an SSL certificate.
That being said, the actual question is should you use SSL on either? If you’re handling user data and that data contains names, addresses, phone numbers, DOBs, e-mail addresses, IPs, etc. – yes. If you never handle user-submitted data, I still would, though it’s not a requirement.
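As an added example (not part of the original answers or of MongoDB's documentation), here is a startup check a Node app could run on its own connection string to confirm it actually asks for TLS on the Node app <=> MongoDB link. The function name `auditMongoUri` and the sample URIs are assumptions made for illustration; the option names are the standard MongoDB connection-string options.

```javascript
// Added example: preflight check of a MongoDB connection string before the
// Node app connects. Option names are the standard connection-string options.
const WEAKENING = ['tlsInsecure', 'tlsAllowInvalidCertificates', 'tlsAllowInvalidHostnames'];

function auditMongoUri(uri) {
  // scheme :// [user:pass@]hosts [/db] [?options]
  const m = /^(mongodb(?:\+srv)?):\/\/[^/?]+(?:\/[^?]*)?(?:\?(.*))?$/.exec(uri);
  if (!m) return { ok: false, problems: ['not a MongoDB connection string'] };
  const [, scheme, query = ''] = m;

  // Option names are case-insensitive, so normalise before lookup.
  const opts = new Map();
  for (const [k, v] of new URLSearchParams(query)) opts.set(k.toLowerCase(), v.toLowerCase());

  const problems = [];
  // "ssl" is the older alias of "tls". mongodb+srv:// enables TLS unless told
  // otherwise; plain mongodb:// stays plaintext unless tls=true is given.
  const requested = opts.get('tls') ?? opts.get('ssl');
  const tlsOn = requested !== undefined ? requested === 'true' : scheme === 'mongodb+srv';
  if (!tlsOn) problems.push('TLS not enabled: traffic to mongod is sent in plaintext');
  for (const name of WEAKENING) {
    if (opts.get(name.toLowerCase()) === 'true') {
      problems.push(`${name}=true weakens server certificate validation`);
    }
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample URIs (hosts, credentials and paths are placeholders).
const SAMPLES = [
  'mongodb://app:secret@10.0.0.5:27017/shop',
  'mongodb://app:secret@db.example.internal:27017/shop?tls=true&tlsCAFile=/etc/ssl/ca.pem',
  'mongodb://app:secret@db.example.internal/shop?ssl=true&tlsAllowInvalidCertificates=true',
  'mongodb+srv://app:secret@cluster.example.net/shop',
];
for (const uri of SAMPLES) {
  const { ok, problems } = auditMongoUri(uri);
  console.log(ok ? 'OK  ' : 'FAIL', uri.replace(/\/\/[^@]*@/, '//***@'), problems.join('; '));
}
```

The check only inspects what the client requests; the MongoDB instance still has to be configured with a certificate, as the linked guide describes, for the connection to succeed.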