Root discovery disclosing the internal IP and port of neo4j

Hi All,

We have installed the neo4j community version 4.2.3.

Currently, we are facing a security issue: when we send a GET request on the / context, we get the internal connection details.

[root@localhost package]# curl -XGET https://localhost:31474/
{
"bolt_routing" : "neo4j://localhost:7687",
"transaction" : "https://localhost:31474/db/{databaseName}/tx",
"bolt_direct" : "bolt://localhost:7687",
"neo4j_version" : "4.2.3",
"neo4j_edition" : "community"
}[root@localhost package]#

Is there any way to solve this issue? We tried dbms.security.auth_enabled=true; it is working for all the contexts (e.g. /db etc.) but not working for the / context.
After enabling the property, we are still able to get the response on the / context without passing a username and password.

Thanks
Amritpal Singh

Bolt connection info (IP and port) is not something we would consider sensitive. Connection via bolt does require authentication. If you don't want to handle bolt traffic, you can turn off your bolt connector.

Additionally, you can configure what http paths are allowed vs which require authentication:

Thank you so much, Andrew. It helped me a lot.

Regards
Amritpal Singh
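
Added example, not part of the thread: a check of what the / context returns to a client that sends no credentials, useful for comparing the response before and after a configuration change. The names `fetch_unauthenticated`, `audit_discovery` and `SAMPLE_BODY` are hypothetical, and the sample is constructed from the response quoted in the question.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed sample: the unauthenticated response quoted in the question.
SAMPLE_BODY = """{
"bolt_routing" : "neo4j://localhost:7687",
"transaction" : "https://localhost:31474/db/{databaseName}/tx",
"bolt_direct" : "bolt://localhost:7687",
"neo4j_version" : "4.2.3",
"neo4j_edition" : "community"
}"""

ENDPOINT_KEYS = ("bolt_routing", "bolt_direct", "transaction")
VERSION_KEYS = ("neo4j_version", "neo4j_edition")

def fetch_unauthenticated(url, timeout=5):
    """GET url with no credentials; return (status, body) even on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def audit_discovery(status, body):
    """Report what the / context discloses to an unauthenticated client."""
    # Assumption, not stated in the thread: in Neo4j 4.2 the paths served
    # without authentication are listed in dbms.security.http_auth_allowlist.
    report = {"auth_required": status in (401, 403), "endpoints": {}, "version": {}}
    if status != 200:
        return report
    try:
        doc = json.loads(body)
    except ValueError:
        return report  # not a discovery document, e.g. a proxy error page
    if not isinstance(doc, dict):
        return report
    for key in ENDPOINT_KEYS:
        if isinstance(doc.get(key), str):
            parts = urlsplit(doc[key])
            report["endpoints"][key] = (parts.scheme, parts.hostname, parts.port)
    report["version"] = {k: doc[k] for k in VERSION_KEYS if k in doc}
    return report

if __name__ == "__main__":
    print(audit_discovery(200, SAMPLE_BODY))
```
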