MongoDB Security - Is SSL required as Client and Server As One?

Posted January 21, 2017 10k views


I was just going through these 10 recommendations for MongoDB security.

Number 8 mentions enabling SSL for data travelling between the Mongo client and Mongo Server. However with the case of my droplet, is this required?

Isn’t the Mongo Server = my droplet. Mongo Client = the mongo installation?

I have a firewall IP restriction so only my node droplet can access that mongo droplet.

So with that is it safe to say SSL isn’t required?


3 answers


SSL is recommended for added security and allows you to encrypt communication between local and remote connections.

For example, if you happen to be using your database to store sensitive data, such as passwords, e-mail addresses, etc., and that data happens to be in plain-text format (and in most cases it is – even if the password is actually encrypted and then decrypted later on by your application), adding SSL to the mix adds another layer of security that prevents potential interception and decryption of the data during transit.

Without SSL, should the data be intercepted, what is passed is what is seen. There’s no encryption beyond what your application may perform.

  • Thanks - however I’m still unclear.

    So I have:


    I SSH to DROPLET1 - so any data between here would be encrypted as far as I understand.

    Nothing else is allowed to talk to DROPLET1 as per my firewall rules.

    So where would SSL sit in this equation/do I need it?


SSH may very well be encrypted, though if you’re handling data, SSL handles the exchange between the visitors of your website and the server (i.e. visitor <=> Node app), as well as between servers (i.e. Node app <=> MongoDB).

So, for instance, someone visits your site at – data exchanged between your app and the visitor is not encrypted. Likewise, when your Node app requests data from your MongoDB instance, data is not encrypted (unless MongoDB is set up to use SSL).

You have to specifically install an SSL certificate for your domain and then set up your application to use HTTPS instead of HTTP – at the same time, you have to specifically configure MongoDB to run with an SSL certificate.

That being said, the actual question is should you use SSL on either? If you’re handling user data and that data contains names, addresses, phone numbers, DOBs, e-mail addresses, IPs, etc. – yes. If you never handle user-submitted data, I still would, though it’s not a requirement.


MongoDB doesn’t run with SSL by default; this is something you have to enable manually. If you will, take a look at the guide below and it’ll cover how to enable SSL.

That being said, no, if you’ve not enabled SSL on the MongoDB instance, communication between the NodeJS app and MongoDB instance will not be encrypted.

  • I’m initiating a similar setup:

    • backend mongodb droplet
    • frontend droplet

    HTTP is routed to HTTPS; the cert is generated using letsencrypt/certbot.

    Looking at the documentation, are the pem key settings required in this instance, or just the requireSSL setting? I’m confused as to how to get the pem file for the db droplet when the SSL cert is on the frontend side.
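
Added example, not part of the thread and not any poster's configuration: a `mongod.conf` fragment for the database droplet showing the plaintext default beside the `requireSSL` form that the thread discusses. The address, file path and hostname are constructed placeholders; the key names are those of the MongoDB 3.x `net.ssl` section (MongoDB 4.2 and later name the same settings `net.tls.mode: requireTLS` and `net.tls.certificateKeyFile`).

```yaml
# mongod.conf on the backend (database) droplet.
# All addresses and paths below are assumptions for illustration.

# --- Before: no ssl section ---------------------------------------
# mongod speaks plaintext on 27017. A firewall rule that admits only
# the Node droplet controls who may connect; it does not encrypt what
# the two droplets exchange, so queries, results and credentials
# cross the network readable.
#
# net:
#   port: 27017
#   bindIp: 10.0.0.5          # constructed private address

# --- After: TLS required on every connection -----------------------
net:
  port: 27017
  bindIp: 10.0.0.5            # constructed private address
  ssl:
    # requireSSL rejects any client that does not negotiate TLS.
    # (allowSSL / preferSSL also accept plaintext clients and are
    # meant for rolling upgrades, not as an end state.)
    mode: requireSSL

    # mongod will not start in requireSSL mode without its own key
    # and certificate. PEMKeyFile is a single file holding the private
    # key and the certificate concatenated. The certificate has to
    # name the host the Node app connects to (for example
    # db.example.internal, a constructed name), so the website
    # certificate installed on the frontend droplet does not fill
    # this role: it is issued for the public site name and it
    # terminates visitor <=> Node traffic only.
    PEMKeyFile: /etc/ssl/mongodb/mongodb.pem   # assumed path

# Keep the file readable only by the account mongod runs as, since it
# contains the private key (for example mode 0600, owner mongodb).
```

The Node driver then has to be told to use TLS and which CA to trust for the database certificate; with `requireSSL` set, a client still connecting in plaintext is refused rather than silently downgraded.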