Its default is to only take connections that are local. Usually I have my Mongo clients SSH into a Mongo server as opposed to opening up the port to the internet. Some Mongo users / collections are very open by default.
It has been a minute since I used Mongo for production grade projects, so some things could have changed since then.
I don't think I would be comfortable serving any DB over the internet these days; exploit scanners are so aggressive and ubiquitous that a breach would feel inevitable.
Not that it is foolproof, but if I am setting up the infrastructure I can probably control where the DB is deployed, so I would colocate it with the application servers on a local network or virtual local network; that is all I would be comfortable with.