Security checklist

This section provides a summary of recommendations regarding post-deploy security in Neo4j.

The following checklist highlights the specific areas within Neo4j that may need extra attention to ensure the appropriate level of security for your application after Neo4j is deployed.

  1. Deploy Neo4j on safe servers in secure networks:

    1. Use subnets and firewalls to segment the network.

      (Figure: flat vs segmented network)

    2. Open only the ports that you need. For a list of relevant ports, see Ports.

      In particular, ensure that there is no external access to the port specified by the setting dbms.backup.listen_address. Failing to protect this port may open a security hole by which an unauthorized user can make a copy of the database onto a different machine.

  2. Protect data-at-rest:

    1. Use volume encryption (e.g., Bitlocker).

    2. Manage access to database dumps and backups. Refer to Back up an offline database and Back up an online database for more information.

    3. Manage access to configuration files, data files, and transaction logs by ensuring the correct file permissions on the Neo4j files. Refer to File permissions for instructions on permission levels.

  3. Protect data-in-transit:

    1. For remote access to the Neo4j database, only use encrypted Bolt or HTTPS.

    2. Use SSL certificates issued from a trusted Certificate Authority.

    3. For configuring your Neo4j installation to use encrypted communication, refer to SSL framework.

    4. If using clustering, configure and use encryption for intra-cluster communication. For details, see Intra-cluster encryption.

    5. If using clustering, configure and use encryption for backups. This ensures that only servers with the specified SSL policy and SSL certificates can access the server and perform the backup.

    6. For configuring your Bolt and HTTPS connectors, refer to Configure connectors.

    7. If using LDAP, configure your LDAP system with encryption via StartTLS. For more information, see Use LDAP with encryption via StartTLS.

  4. Stay on top of security for custom extensions:

    1. Validate any custom code you deploy (procedures and unmanaged extensions) and ensure that they do not unintentionally expose any parts of the product or data.

    2. Survey the settings dbms.security.procedures.unrestricted and dbms.security.procedures.allowlist to ensure that they exclusively contain intentionally exposed extensions.

  5. Make sure you have the correct file permissions on the Neo4j files.

  6. Protect against the execution of unauthorized extensions by restricting access to the bin, lib, and plugins directories. Only the operating system user that Neo4j runs as should have permissions to those files. Refer to File permissions for instructions on permission levels.

  7. With LOAD CSV enabled, ensure that it does not allow unauthorized users to import data. How to configure LOAD CSV is described in Cypher Manual → LOAD CSV.

  8. Use Neo4j authentication. The setting dbms.security.auth_enabled controls native authentication. The default value is true.

  9. Survey your JVM-specific configuration settings in the neo4j.conf file for ports relating to deprecated functions, such as remote JMX (controlled by the parameter setting dbms.jvm.additional=-Dcom.sun.management.jmxremote.port=3637).

  10. Review Browser credentials handling to determine whether the default credentials handling in Neo4j Browser complies with your security regulations. Follow the instructions to configure it if necessary.

  11. Use the latest patch version of Neo4j and set up a process to update it when security advisories are published.
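Several of the items above (the backup listen address in 1.2, the procedure allowlists in 4.2, authentication in 8 and the remote JMX port in 9) can be checked mechanically against neo4j.conf. The following auditor is an added example, not Neo4j's own tooling; it parses the key=value format of neo4j.conf and reports the weak settings, using a constructed sample configuration.

```python
"""Audit a neo4j.conf text for the checklist items above (added example)."""
from typing import Dict, List

LOOPBACK = ("127.0.0.1", "localhost", "::1")

# Constructed sample configuration exhibiting every weak setting the audit looks for.
SAMPLE_CONF = """\
# constructed neo4j.conf for the audit example, not a real deployment
dbms.backup.listen_address=0.0.0.0:6362
dbms.security.auth_enabled=false
dbms.security.procedures.unrestricted=apoc.*,*
dbms.security.procedures.allowlist=apoc.coll.*
dbms.jvm.additional=-Dcom.sun.management.jmxremote.port=3637
dbms.jvm.additional=-XX:+UseG1GC
"""


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Collect key=value lines; a key may repeat (e.g. dbms.jvm.additional)."""
    settings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings.setdefault(key.strip(), []).append(value.strip())
    return settings


def audit_neo4j_conf(text: str) -> List[str]:
    """Return one finding per checklist item that needs attention (empty list = clean)."""
    s = parse_conf(text)
    findings: List[str] = []
    # 1.2: the backup port must not be reachable from outside; expect a loopback bind.
    for addr in s.get("dbms.backup.listen_address", []):
        host = addr.rsplit(":", 1)[0].strip("[]") if ":" in addr else addr
        if host not in LOOPBACK:
            findings.append(f"backup port listens on {addr}; bind to loopback or firewall it")
    # 8: native authentication must stay enabled (default is true).
    if any(v.lower() == "false" for v in s.get("dbms.security.auth_enabled", [])):
        findings.append("native authentication disabled (dbms.security.auth_enabled=false)")
    # 4.2: a bare '*' in either procedure list exposes every deployed extension.
    for key in ("dbms.security.procedures.unrestricted", "dbms.security.procedures.allowlist"):
        for entry in s.get(key, []):
            if "*" in [e.strip() for e in entry.split(",")]:
                findings.append(f"{key} contains a bare wildcard; list only intended extensions")
    # 9: remote JMX opens an extra management port via the JVM options.
    for opt in s.get("dbms.jvm.additional", []):
        if "com.sun.management.jmxremote.port" in opt:
            findings.append(f"remote JMX port enabled via {opt}")
    return findings
```

Running `audit_neo4j_conf(SAMPLE_CONF)` reports four findings; the same function returns an empty list for a configuration that binds the backup port to 127.0.0.1, keeps auth enabled and names extensions explicitly.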