# Mongonaut: Self-Hosted MongoDB Web GUI ## Read-only configuration > Category: Guides --- ## Pages - [Overview](https://mongonaut.org/about-mongonaut) - [Installation](https://mongonaut.org/installation) - [Docker setup](https://mongonaut.org/mongodb-gui-docker) ### Compare - [Mongonaut vs mongo-express](https://mongonaut.org/compare/mongonaut-vs-mongo-express) - [Mongonaut vs MongoDB Compass](https://mongonaut.org/compare/mongonaut-vs-mongodb-compass) ### Guides - [Migrate from mongo-express](https://mongonaut.org/guides/migrate-from-mongo-express) - [Read-only configuration](https://mongonaut.org/guides/read-only-configuration) - [Troubleshooting](https://mongonaut.org/guides/troubleshooting) ### Security - [Authentication](https://mongonaut.org/security/authentication) - [Cloudflare Zero Trust Tunnel](https://mongonaut.org/security/zero-trust-tunnel) ### Community - [FAQ](https://mongonaut.org/community/faq) - [Contributing](https://mongonaut.org/community/contributing) --- # Read-only configuration Mongonaut can be configured as a read-only MongoDB GUI. Use this when users should inspect databases, collections and documents from a browser without creating, editing or deleting data through Mongonaut. ## Prerequisites - A working Mongonaut deployment. - Access to the Docker or Docker Compose environment variables. - Optional but recommended: a MongoDB user with read-only database permissions. ## Enable read-only mode Set `MONGONAUT_READONLY=true`. Docker: ```bash docker run -it --rm \ -p 8081:8081 \ -e MONGO_CONNECTION_URL="mongodb://mongo:27017/" \ -e MONGONAUT_AUTH_SECRET="$(openssl rand -base64 32)" \ -e MONGONAUT_READONLY="true" \ ghcr.io/withzu/mongonaut ``` Docker Compose: ```yaml name="docker-compose.yml" services: mongonaut: image: ghcr.io/withzu/mongonaut ports: - 8081:8081 environment: MONGO_CONNECTION_URL: mongodb://mongo:27017/ MONGONAUT_AUTH_SECRET: ${MONGONAUT_AUTH_SECRET} MONGONAUT_READONLY: "true" ``` ## Add a MongoDB read-only user Read-only mode disables writes in Mongonaut, but the MongoDB connection still has whatever permissions its database user has. For an additional boundary, connect with a MongoDB user that only has read permissions. Example MongoDB shell commands: ```javascript use admin db.createUser({ user: "mongonaut_readonly", pwd: "change-this-password", roles: [ { role: "readAnyDatabase", db: "admin" } ] }) ``` Then configure Mongonaut: ```env MONGO_CONNECTION_URL=mongodb://mongonaut_readonly:change-this-password@mongo:27017/?authSource=admin MONGONAUT_READONLY=true ``` Adjust roles to match your MongoDB security model. If users only need one database, prefer a database-specific `read` role instead of broader access. ## Account mode read-only grants In `ACCOUNT` mode, administrators can grant access per database and collection and choose read-only or read/write access. This is useful when different users need different scopes. Keep `MONGONAUT_READONLY=true` if the entire instance should be read-only regardless of account grants. ## Verify behavior After restarting Mongonaut, check: 1. Databases and collections still load. 2. Documents can be opened and inspected. 3. Create, edit, delete and bulk delete actions are unavailable or rejected. 4. A test write with the MongoDB user fails if you also configured database-level read-only permissions. ## Security notes Read-only mode is not a substitute for access control. A read-only MongoDB GUI can still expose sensitive data. Protect the web interface with Mongonaut authentication, Cloudflare Access, a VPN or an authenticated reverse proxy. ## Common errors ### Write buttons still appear Confirm the container was restarted with `MONGONAUT_READONLY=true` and that the variable is a string value in Compose: ```yaml MONGONAUT_READONLY: "true" ``` ### Users can still write through another tool Mongonaut read-only mode only controls Mongonaut. Use MongoDB read-only users to prevent writes through other clients. ### A user cannot see expected databases Check account grants in Mongonaut account mode and MongoDB permissions for the database user in `MONGO_CONNECTION_URL`. ## Related links - [Install Mongonaut](/installation) - [Authentication](/security/authentication) - [Cloudflare Zero Trust Tunnel](/security/zero-trust-tunnel) - [MongoDB GUI with Docker](/mongodb-gui-docker)