From e995016ae3bf5c825a4df0f48a622b31bd662b65 Mon Sep 17 00:00:00 2001
From: Tim van Dijen <tvdijen@gmail.com>
Date: Thu, 16 Oct 2025 10:28:21 +0200
Subject: [PATCH] Harden mongo

This disables legacy TLS-protocols and server-side javascript processing which is enabled by default
---
 roles/mongo/templates/mongod.conf.j2 | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/roles/mongo/templates/mongod.conf.j2 b/roles/mongo/templates/mongod.conf.j2
index e0cf91d28..07cee149f 100644
--- a/roles/mongo/templates/mongod.conf.j2
+++ b/roles/mongo/templates/mongod.conf.j2
@@ -9,6 +9,7 @@ net:
   port: 27017
   tls:
     mode: preferTLS
+    disabledProtocols: TLS1_0,TLS1_1,TLS1_2
     certificateKeyFile: /etc/pki/mongo/keyandcert.pem
     CAFile: /etc/pki/mongo/mongoca.pem
     allowConnectionsWithoutCertificates: true
@@ -22,3 +23,4 @@ replication:
 security: 
     authorization: enabled
     clusterAuthMode: x509
+    javascriptEnabled: false