This chapter covers securing Neo4j.
By default, the Neo4j Server is bundled with a Web server that binds to host localhost on port 7474, answering only requests from the local machine.
This is configured in neo4j.conf:
# Let the webserver only listen on the specified IP. Default is localhost (only
# accept local connections). Uncomment to allow any connection.
dbms.connector.http.type=HTTP
dbms.connector.http.enabled=true
#dbms.connector.http.address=0.0.0.0:7474
If you want the server to listen to external hosts, configure the Web server in neo4j.conf by setting the property dbms.connector.http.address=0.0.0.0:7474, which will cause the server to bind to all available network interfaces. Note that firewalls and similar network controls have to be configured accordingly as well.
Neo4j requires clients to supply authentication credentials when accessing the REST API. Without valid credentials, access to the database will be forbidden.
The authentication and authorization data is stored under data/dbms/auth. If necessary, this file can be copied over to other Neo4j instances to ensure they share the same username/password.
When accessing Neo4j over unsecured networks, make sure HTTPS is configured and used for access (see Section 3.1.3, “HTTPS support”).
If necessary, authentication may be disabled. This will allow any client to access the database without supplying authentication credentials.
# Disable authorization
dbms.security.auth_enabled=false
Disabling authentication is not recommended, and should only be done if the operator has a good understanding of their network security, including protection against cross-site scripting (XSS) attacks via web browsers. Developers should not disable authentication if they have a local installation using the default listening ports.
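The two settings above combine into the exposure this chapter warns about: an HTTP connector bound to all interfaces with authentication switched off. The following audit script is an added example, not part of the Neo4j manual or the Neo4j project; it parses a neo4j.conf fragment (treating `#` lines as comments, so a commented-out address line is not a binding) and reports the risky combinations. The sample configurations are constructed for the example. It assumes `dbms.connector.https.enabled=true` is the key that turns on the HTTPS connector referenced in Section 3.1.3, and it assumes the defaults of localhost binding and authentication enabled when a key is absent.

```python
"""Audit a neo4j.conf fragment for the exposure risks described in this chapter."""
from typing import Dict, List

# Constructed sample: the default shipped fragment (address line commented out).
DEFAULT_CONF = """\
# Let the webserver only listen on the specified IP. Default is localhost (only
# accept local connections). Uncomment to allow any connection.
dbms.connector.http.type=HTTP
dbms.connector.http.enabled=true
#dbms.connector.http.address=0.0.0.0:7474
"""

# Constructed sample: HTTP opened to every interface *and* authentication disabled.
EXPOSED_CONF = """\
dbms.connector.http.type=HTTP
dbms.connector.http.enabled=true
dbms.connector.http.address=0.0.0.0:7474
# Disable authorization
dbms.security.auth_enabled=false
"""

# Hosts that only accept connections from the local machine.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_conf(text: str) -> Dict[str, str]:
    """Return key=value settings; blank lines and '#' comment lines are skipped,
    so a commented-out dbms.connector.http.address does not count as a binding."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def bound_host(address: str) -> str:
    """Strip the port from 'host:port' ('0.0.0.0:7474' -> '0.0.0.0')."""
    return address.rsplit(":", 1)[0] if ":" in address else address


def audit(settings: Dict[str, str]) -> List[str]:
    """Return finding codes for the settings, in a fixed order.

    Assumed defaults when a key is absent: HTTP enabled on localhost:7474,
    authentication enabled, HTTPS connector not enabled (assumed key name).
    """
    findings: List[str] = []
    http_enabled = settings.get("dbms.connector.http.enabled", "true").lower() == "true"
    host = bound_host(settings.get("dbms.connector.http.address", "localhost:7474"))
    auth_on = settings.get("dbms.security.auth_enabled", "true").lower() == "true"
    https_on = settings.get("dbms.connector.https.enabled", "false").lower() == "true"

    if not auth_on:
        findings.append("AUTH_DISABLED")          # any client can read/write the DB
    if http_enabled and host not in LOCAL_HOSTS:
        findings.append("HTTP_EXPOSED")           # reachable from other hosts
        if not auth_on:
            findings.append("UNAUTHENTICATED_NETWORK_ACCESS")  # worst case
        if not https_on:
            findings.append("NO_HTTPS")           # credentials cross the network in clear
    return findings


if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("exposed", EXPOSED_CONF)):
        print(f"{name}: {audit(parse_conf(conf)) or ['OK']}")
```

Run it against the real file with `audit(parse_conf(open("neo4j.conf").read()))`; an empty list means none of the chapter's warned-about combinations are present, while `HTTP_EXPOSED` on its own is the deliberate external-listening setup from the text and still needs the firewall rules the chapter mentions.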