We are using a MongoDB replica set for sharing sessions and other (potentially sensitive) data in a web farm.
All the data we store uses TTL indexes to expire documents after a relatively short period of time (say an hour) partly for security reasons.
However, it has occurred to me that even if the data is deleted from a MongoDB collection, the oplog used for replication will still contain all documents created (and then deleted); all the data that was expired can then be easily read from the oplog.
Depending on the size allocated to the oplog, the data in it can be quite old.
My question is, what is best practice here? Is there anything we can do, other than severely reduce the oplog size, to prevent old data from being accessible?