mongodb · mpaik · Mar 3, 2015
diff --git a/source/administration/production-notes.txt b/source/administration/production-notes.txt
@@ -141,6 +141,16 @@ command returns information regarding the number of open connections
 to the current database for :program:`mongos` instances and
 :program:`mongod` instances in sharded clusters.
 
+Disable HTTP Interfaces
+~~~~~~~~~~~~~~~~~~~~~~~
+
+:program:`mongod` provides interfaces to check the status of the
+server and, optionally, run queries on it, over HTTP. Ensure that
+these are disabled in production environments.
+
+See :ref:`http-interface-security`.
+
+
 Hardware Considerations
 -----------------------
 

diff --git a/source/core/security-interface.txt b/source/core/security-interface.txt
@@ -38,9 +38,13 @@ behavior by passing the :option:`mongo --norc` option.
    the :file:`.mongorc.js` file from :file:`{%HOME%}\.mongorc.js` or
    :file:`{%HOMEDRIVE%}\{%HOMEPATH%}\.mongorc.js`.
 
+.. _http-interface-security:
+
 HTTP Status Interface
 ---------------------
 
+.. include:: /includes/warning-http-interface.rst
+
 The HTTP status interface provides a web-based interface that includes
 a variety of operational data, logs, and status reports regarding the
 :program:`mongod` or :program:`mongos` instance. The HTTP interface is
@@ -49,20 +53,22 @@ always available on the port numbered ``1000`` greater than the primary
 ``28017``, but is indirectly set using the :setting:`~net.port` option which
 allows you to configure the primary :program:`mongod` port.
 
-Without the :setting:`net.http.RESTInterfaceEnabled` setting, this interface is entirely
-read-only, and limited in scope; nevertheless, this interface may
-represent an exposure. To disable the HTTP interface, set the
-:setting:`~net.http.enabled` run time option or the
+Without the :setting:`net.http.RESTInterfaceEnabled` setting, this
+interface is entirely read-only, and limited in scope; nevertheless,
+this interface may represent an exposure. To disable the HTTP
+interface, set the :setting:`~net.http.enabled` run time option or the
 :option:`--nohttpinterface <mongod --nohttpinterface>` command line
 option. See also :ref:`security-port-numbers`.
 
+.. include:: /includes/note-http-interface-auth.rst
+
 .. _rest-api:
 
 REST API
 --------
 
 The REST API to MongoDB provides additional information and write
-access on top of the HTTP Status interface. While the REST API does not
+access on top of the HTTP status interface. While the REST API does not
 provide any support for insert, update, or remove operations, it does
 provide administrative access, and its accessibility represents a
 vulnerability in a secure environment. The REST interface is *disabled*

diff --git a/source/core/security-network.txt b/source/core/security-network.txt
@@ -41,7 +41,7 @@ The status interface is read-only by default, and the default port for
 the status page is ``28017``. Authentication does not control or affect
 access to this interface.
 
-.. important:: Disable this interface for production deployments. If
+.. warning:: Disable this interface for production deployments. If
    you *enable* this interface, you should only allow trusted clients
    to access this port. See :ref:`security-firewalls`.
 
@@ -62,7 +62,7 @@ to connect to this port.
 You may also enable this interface on the command line as
 :option:`mongod --rest <--rest>` :option:`--httpinterface`.
 
-.. important:: Disable this option for production deployments. If
+.. warning:: Disable this option for production deployments. If
    *do* you leave this interface enabled, you should only allow trusted
    clients to access this port.
 

diff --git a/source/includes/note-http-interface-auth.rst b/source/includes/note-http-interface-auth.rst
@@ -0,0 +1,11 @@
+.. note::
+
+   While MongoDB Enterprise does support Kerberos authentication,
+   Kerberos is not supported in HTTP status interface in any version of
+   MongoDB.
+
+   .. versionchanged:: 3.0
+
+   Neither the HTTP status interface nor the REST API support the
+   :ref:`SCRAM-SHA-1 <authentication-scram-sha-1>` challenge-response
+   user authentication mechanism introduced in version 3.0.
diff --git a/source/includes/note-http-interface-scram.rst b/source/includes/note-http-interface-scram.rst
@@ -0,0 +1,7 @@
+.. note::
+
+   .. versionchanged:: 3.0
+
+   Neither the HTTP status interface nor the REST API support the
+   :ref:`SCRAM-SHA-1 <authentication-scram-sha-1>` challenge-response
+   user authentication mechanism introduced in version 3.0.
diff --git a/source/includes/note-kerberos-unsupported-in-http-console.rst b/source/includes/note-kerberos-unsupported-in-http-console.rst
diff --git a/source/includes/options-mongod.yaml b/source/includes/options-mongod.yaml
@@ -542,7 +542,7 @@ description: |
 
   Do not use in conjunction with :option:`--rest` or :option:`--jsonp`.
 
-  .. include:: /includes/note-kerberos-unsupported-in-http-console.rst
+  .. include:: /includes/note-http-interface-auth.rst
 optional: true
 ---
 program: mongod
@@ -559,7 +559,7 @@ description: |
   *do* enable this interface, you should only allow trusted clients to
   access this port. See :ref:`security-firewalls`.
 
-  .. include:: /includes/note-kerberos-unsupported-in-http-console.rst
+  .. include:: /includes/note-http-interface-auth.rst
 optional: true
 ---
 program: mongod

diff --git a/source/includes/warning-http-interface.rst b/source/includes/warning-http-interface.rst
@@ -0,0 +1,5 @@
+.. warning::
+
+   Ensure that the HTTP status interface, the REST API, and the JSON
+   API are all disabled in production environments to prevent
+   potential data exposure and vulnerability to attackers.
diff --git a/source/reference/configuration-options.txt b/source/reference/configuration-options.txt
@@ -134,8 +134,6 @@ Core Options
 
 .. include:: /includes/option/setting-conf-net.wireObjectCheck.rst
 
-.. include:: /includes/option/setting-conf-net.http.enabled.rst
-
 .. PENDING SERVER-13097
 
    .. include:: /includes/option/setting-conf-net.http.port.rst
@@ -150,6 +148,10 @@ Core Options
 
 .. setting:: net.http
 
+.. include:: /includes/warning-http-interface.rst
+
+.. include:: /includes/option/setting-conf-net.http.enabled.rst
+
 .. include:: /includes/option/setting-conf-net.http.JSONPEnabled.rst
 
 .. include:: /includes/option/setting-conf-net.http.RESTInterfaceEnabled.rst

diff --git a/source/release-notes/3.0-compatibility.txt b/source/release-notes/3.0-compatibility.txt
@@ -360,6 +360,13 @@ control. If you have a 3.0 MongoDB deployment that requires
 access control, you must use 3.0 versions of the :program:`mongo`
 shell.
 
+HTTP Status Interface and REST API Compatibility
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Neither the HTTP status interface nor the REST API support the
+:ref:`SCRAM-SHA-1 <authentication-scram-sha-1>` challenge-response
+user authentication mechanism introduced in version 3.0.
+
 .. _3.0-compatibility-indexes:
 
 Indexes