This section provides a summary of recommendations regarding security in Neo4j.
Below is a simple checklist highlighting the specific areas within Neo4j that may need some extra attention in order to ensure
the appropriate level of security for your application.
Deploy Neo4j on safe servers in safe networks:
- Use subnets and firewalls.
Only open up for the necessary ports.
For a list of relevant ports see Section 4.3, “Ports”.
In particular, ensure that there is no external access to the port specified by the setting
Failing to protect this port may leave a security hole open by which an unauthorized user can make a copy of the database
onto a different machine.
- For remote access to the Neo4j database, only open up for encrypted Bolt or HTTPS.
Use SSL certificates issued from a trusted Certificate Authority.
- For configuring your Neo4j installation to use encrypted communication, refer to Section 9.2, “SSL framework”.
- If using Causal Clustering, configure and use encryption for intra-cluster communication.
For details, see Section 5.4, “Intra-cluster encryption”.
- If using Causal Clustering, configure and use encryption for backups.
This ensures that only servers with the specified SSL policy and SSL certificates will be able to access the server and perform
- For configuring your Bolt and/or HTTPS connectors, refer to Section 4.7, “Configure connectors”.
- If using LDAP, configure your LDAP system with encryption via StartTLS; see Section 126.96.36.199, “Use LDAP with encryption via StartTLS”.
Be on top of the security for custom extensions:
- Ensure the correct file permissions on the Neo4j files.
- Protect against the execution of unauthorized extensions by restricting access to the bin, lib, and plugins directories.
Only the operating system user that Neo4j runs as should have permissions to those files.
Refer to Section 4.2.3, “File permissions” for instructions on permission levels.
LOAD CSV is enabled, ensure that it does not allow unauthorized users to import data.
How to configure
LOAD CSV is described in Cypher Manual →
- Do not turn off Neo4j authentication.
Refer to Section 8.3, “Configuration” for details on this setting.
- Survey your neo4j.conf file for ports relating to deprecated functions such as remote JMX (controlled by the parameter setting
- Review Section 9.3, “Browser credentials handling” to determine whether the default credentials handling in Neo4j Browser complies with your security regulations.
Follow the instructions to configure it if necessary.
- Use the latest patch version of Neo4j.