Fix guide · critical · mongodb_connection_string
MongoDB connection string with credentials in client code
What this rule means
A mongodb:// or mongodb+srv:// URL containing a username and password was found in client JavaScript.
Why it matters
The connection string is full database credentials. Anyone with the URL can connect directly to your MongoDB cluster and run any operation the user has permission for — typically full read/write.
How to fix it
- Rotate the database password. In MongoDB Atlas → Database Access → edit user → reset password.
- Move the connection string to server-side env vars (MONGODB_URI, no NEXT_PUBLIC_ prefix).
- Pattern data access as client → your API → MongoDB. Never expose the connection from the browser.
- Restrict network access in Atlas → Network Access. Allow only your server IPs (or Vercel/Cloud Run egress ranges).
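As an added illustration (this is not vibecheck's own scanner or code from the product), the snippet below shows the two checks behind this finding: a bundle scan that locates mongodb:// and mongodb+srv:// URLs carrying user:password@ credentials and reports them redacted, and a server-side env check that flags a connection string missing from MONGODB_URI or placed under a NEXT_PUBLIC_ name, which Next.js inlines into the browser bundle at build time. The sample bundle lines, hostnames and env values are constructed for the example.

```javascript
// Added example, not vibecheck's code. Sample inputs below are constructed.

// Matches mongodb:// or mongodb+srv:// URLs that carry user:password@ credentials.
// A URL without credentials (mongodb://localhost:27017/db) does not match, because
// the password group must be followed by '@'. Quotes, backticks and whitespace end
// a match so one string literal in minified code cannot bleed into the next.
const MONGO_CRED_URL = /mongodb(?:\+srv)?:\/\/([^:@\/\s"'`]+):([^@\s"'`]+)@([^\s"'`]+)/g;

// Scan bundle text line by line. Each finding carries the line number, the user
// name and the URL with the password replaced by '***', so the report itself does
// not re-leak the secret (this is what "redacted match" means in a scan output).
function findMongoCredentialUrls(bundleText) {
  const findings = [];
  bundleText.split("\n").forEach((text, idx) => {
    for (const m of text.matchAll(MONGO_CRED_URL)) {
      const [full, user, , hostAndRest] = m;
      const scheme = full.startsWith("mongodb+srv://") ? "mongodb+srv://" : "mongodb://";
      findings.push({
        line: idx + 1,
        user,
        redacted: `${scheme}${user}:***@${hostAndRest}`,
      });
    }
  });
  return findings;
}

// Check a server-side environment object (e.g. process.env) for the two mistakes
// this rule is about: MONGODB_URI missing on the server, or a credentialed URL
// stored under a NEXT_PUBLIC_ name, which ends up in the client bundle.
function checkServerEnv(env) {
  const issues = [];
  if (!env.MONGODB_URI) {
    issues.push("MONGODB_URI is not set on the server");
  }
  // Fresh non-global regex per test so RegExp.lastIndex state cannot skip a match.
  const credUrl = new RegExp(MONGO_CRED_URL.source);
  for (const [key, value] of Object.entries(env)) {
    if (key.startsWith("NEXT_PUBLIC_") && credUrl.test(value || "")) {
      issues.push(`${key} holds a credentialed MongoDB URL; NEXT_PUBLIC_ values are inlined into the client bundle`);
    }
  }
  return issues;
}

// Constructed sample: three lines of a minified client bundle. Line 1 is the leak,
// line 2 is the correct pattern (the browser calls your API), line 3 has no credentials.
const SAMPLE_BUNDLE = [
  'var u="mongodb+srv://appuser:S3cret%21@cluster0.example.mongodb.net/shop?retryWrites=true";',
  'fetch("/api/orders").then(function(r){return r.json()});',
  'var local="mongodb://localhost:27017/devdb";',
].join("\n");

// Constructed sample envs: BAD_ENV publishes the URI under NEXT_PUBLIC_, GOOD_ENV keeps it server-only.
const BAD_ENV = { NEXT_PUBLIC_MONGODB_URI: "mongodb+srv://appuser:S3cret%21@cluster0.example.mongodb.net/shop" };
const GOOD_ENV = { MONGODB_URI: "mongodb+srv://appuser:RotatedPass@cluster0.example.mongodb.net/shop" };

console.log(JSON.stringify(findMongoCredentialUrls(SAMPLE_BUNDLE), null, 2));
console.log(checkServerEnv(BAD_ENV));
console.log(checkServerEnv(GOOD_ENV));
```

Run it with node; the bundle scan reports exactly one finding (line 1, user appuser, password redacted), the bad env produces two issues and the good env none. The regex is deliberately conservative: a URL-encoded password such as S3cret%21 is matched, but anything containing whitespace or a quote ends the match, so a smarter bundler transform that splits the string would need a different check.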
Did vibecheck flag this on your app?
If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.