Information
MongoDB should not be set to bypass authentication via the localhost exception. The localhost exception allows the user to enable authorization before creating the first user in the system. When active, the localhost exception allows all connections from the localhost interface to have full access to that instance. The exception applies only when there are no users created in the MongoDB instance.
Note: This recommendation only applies when there are no users created in the MongoDB instance.
Disabling this exception will prevent unauthorized local access to the MongoDB database. It will also ensure the traceability of each database activity to a specific user. Localhost Exception allows direct connect to Mongod's without any UN/PW.
Solution
To disable local authentication on the MongoDB database.
Type OS Console Command
mongod --setParameter enableLocalhostAuthBypass=0
or
To manually configure use the setParameter option in the mongo configuration file to set it to false
setParameter:
enableLocalhostAuthBypass: false