Chapter 3. Security

This chapter covers securing Neo4j.

3.1. Securing Neo4j server

3.1.1. Secure the port and remote client connections

By default, the Neo4j Server is bundled with a Web server that binds to host localhost on port 7474, answering only requests from the local machine.

This is configured in neo4j.conf:

# Let the webserver only listen on the specified IP. Default is localhost (only
# accept local connections). Uncomment to allow any connection.

If you want the server to listen to external hosts, configure the Web server in neo4j.conf by setting the property dbms.connector.http.address=, which will cause the server to bind to all available network interfaces. Note that firewalls and other network controls have to be configured accordingly as well.

3.1.2. Server authentication and authorization

Neo4j requires clients to supply authentication credentials when accessing the REST API. Without valid credentials, access to the database will be forbidden.

The authentication and authorization data is stored under data/dbms/auth. If necessary, this file can be copied over to other Neo4j instances to ensure they share the same username/password.

When accessing Neo4j over unsecured networks, make sure HTTPS is configured and used for access (see Section 3.1.3, “HTTPS support”).

If necessary, authentication may be disabled. This will allow any client to access the database without supplying authentication credentials.

# Disable authorization

Disabling authentication is not recommended, and should only be done if the operator has a good understanding of their network security, including protection against cross-site scripting (XSS) attacks via web browsers. Developers should not disable authentication if they have a local installation using the default listening ports.
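The two settings discussed in 3.1.1 and 3.1.2 (the HTTP listen address and whether authentication is on) are what an operator most needs to review together, so here is an added audit script that is not part of the Neo4j manual. It parses a neo4j.conf and reports the combinations that expose the REST API; the key names dbms.security.auth_enabled and dbms.connector.https.enabled are assumed from the Neo4j 3.x configuration (only dbms.connector.http.address appears in the text above), and the sample configuration is constructed.

```python
# Added example, not from the Neo4j manual: audit a neo4j.conf for the
# exposure discussed in 3.1.1 and 3.1.2. Settings are read as key=value
# lines; commented-out lines (leading '#') count as "left at the default".
from typing import Dict, List

# Constructed sample: HTTP bound to all interfaces, auth and HTTPS both off.
SAMPLE_CONF = """\
# Let the webserver only listen on the specified IP. Default is localhost
dbms.connector.http.address=0.0.0.0:7474
# Disable authorization
dbms.security.auth_enabled=false
dbms.connector.https.enabled=false
"""

# Assumed Neo4j 3.x key names (only the http address key is in the manual text).
KEY_HTTP_ADDR = "dbms.connector.http.address"
KEY_AUTH = "dbms.security.auth_enabled"
KEY_HTTPS = "dbms.connector.https.enabled"


def parse_conf(text: str) -> Dict[str, str]:
    """Return the active (non-commented) settings; the last assignment wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def listens_externally(address: str) -> bool:
    """True unless the host part of 'host:port' is a loopback name/address."""
    host = address.rsplit(":", 1)[0] if ":" in address else address
    host = host.strip("[]")  # tolerate bracketed IPv6 literals such as [::1]
    return host not in ("localhost", "127.0.0.1", "::1", "")


def audit(settings: Dict[str, str]) -> List[str]:
    """Findings a reviewer would raise, worst combination flagged explicitly."""
    findings: List[str] = []
    http_addr = settings.get(KEY_HTTP_ADDR, "localhost:7474")  # manual's default
    external = listens_externally(http_addr)
    auth_off = settings.get(KEY_AUTH, "true").lower() == "false"
    https_off = settings.get(KEY_HTTPS, "").lower() == "false"
    if external:
        findings.append(f"HTTP connector bound to {http_addr}: reachable remotely")
    if auth_off:
        findings.append("authentication disabled: REST API accepts any client")
    if external and auth_off:
        findings.append("CRITICAL: remote access to the database without credentials")
    if external and https_off:
        findings.append("HTTPS explicitly disabled: credentials cross the network in clear")
    return findings
```

Running audit(parse_conf(SAMPLE_CONF)) yields four findings for the constructed file, while a default neo4j.conf (nothing set) yields none.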