Use secure configuration options

It goes without saying that sane configuration options should be used. Server-side scripting is needed only if we use one of the following:

  1. MapReduce.
  2. mongo shell group operation or a group operation from our client driver.
  3. $where JavaScript server evaluation.

If we use none of these, we should disable server-side scripting by using the --noscripting option on the command line when we start our server.

Number 2 in the previous list can be a tricky one, as many drivers may use MongoDB's group() command when we issue group commands in the driver. However, given the limitations that group() has in terms of performance and output documents, we should rethink our design to use the aggregation framework or application-side aggregations.

The web interface also has to be disabled, by not enabling any of the following configuration options:

  • net.http.enabled
  • net.http.JSONPEnabled
  • net.http.RESTInterfaceEnabled

In contrast, wireObjectCheck needs to remain enabled, as it is by default, because this ensures that all documents stored by the mongod instance are valid BSON.
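The checks in this section can be automated against a mongod configuration file. The following is an added example, not code from the book: flatten(), audit(), CHECKS and SAMPLE_CONF are hypothetical names, the sample configuration is constructed, security.javascriptEnabled is the configuration-file form of --noscripting, and the defaults in CHECKS are the documented ones for MongoDB versions that have these options.

```python
# Added example: audit a mongod YAML config for the options discussed above.
# SAMPLE_CONF is constructed for illustration, not taken from a real deployment.
SAMPLE_CONF = """\
net:
  port: 27017
  wireObjectCheck: false
  http:
    enabled: true
    RESTInterfaceEnabled: true
security:
  authorization: enabled
"""

# option -> (value that is a finding, value assumed when the key is absent)
CHECKS = {
    "net.http.enabled": ("true", "false"),
    "net.http.JSONPEnabled": ("true", "false"),
    "net.http.RESTInterfaceEnabled": ("true", "false"),
    "net.wireObjectCheck": ("false", "true"),
    "security.javascriptEnabled": ("true", "true"),
}

def flatten(text):
    """Flatten simple block-style YAML mappings (space-indented) into dotted keys."""
    stack, flat = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip() or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:   # leave deeper or sibling scopes
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():                         # leaf: record its dotted path
            path = ".".join(k for _, k in stack)
            flat[path] = value.strip().strip("'\"").lower()
    return flat

def audit(text, needs_server_side_js=False):
    """Return the options whose effective value weakens the deployment."""
    conf = flatten(text)
    findings = []
    for option, (bad, default) in CHECKS.items():
        if option == "security.javascriptEnabled" and needs_server_side_js:
            continue  # MapReduce, group() or $where is in use, scripting must stay on
        if conf.get(option, default) == bad:
            findings.append(option)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("insecure setting:", finding)
```

The flattener only handles plain nested mappings, which is enough for these options; a deployment that also passes settings on the mongod command line needs those arguments checked separately.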
