cancel
Showing results for 
Search instead for 
Did you mean: 

How to disable http OPTIONS method in neo4j?

Hello all, 

I am currently using neo4j version 4.3.10, I would like to know if it is possible to disable http OPTIONS method as one of our customer has raised as a security vulnerability.

4 REPLIES 4

koji
Ninja
Ninja

Hi @krishnan_pb 

I'm not sure what OPTIONS means, but to disable http itself, you would set "dbms.connector.http.enabled" in the neo4j.conf. For modules, you would set "dbms.http_enabled_modules".

* dbms.connector.https.enabled (in conf/neo4j.conf)

# HTTP Connector. There can be zero or one HTTP connectors.
dbms.connector.http.enabled=false
#dbms.connector.http.listen_address=:7474
#dbms.connector.http.advertised_address=:7474

# HTTPS Connector. There can be zero or one HTTPS connectors.
dbms.connector.https.enabled=false
#dbms.connector.https.listen_address=:7473
#dbms.connector.https.advertised_address=:7473

* dbms.http_enabled_modules (in conf/neo4j.conf)

https://neo4j.com/docs/operations-manual/current/reference/configuration-settings/

Hi Koji,

I am talking about HTTP OPTIONS method, similar to GET/PUT etc.

pa@MBPKPA1 ~ % curl -i -X OPTIONS http://localhost:7474          

HTTP/1.1 200 OK

Date: Thu, 18 Aug 2022 00:06:09 GMT

Access-Control-Allow-Origin: *

Content-Type: text/plain

Allow: HEAD,GET,OPTIONS

Content-Length: 18

Hi @krishnan_pb 

You can change the "dbms.connector.http.enabled" from true to false.

From

# HTTP Connector. There can be zero or one HTTP connectors.
dbms.connector.http.enabled=true

To

# HTTP Connector. There can be zero or one HTTP connectors.
dbms.connector.http.enabled=false


 

This will disable complete http access. I am looking for a way to disable a specific method like 'PUT', 'POST' or 'OPTIONS'.

Nodes 2022
Nodes
NODES 2022, Neo4j Online Education Summit

On November 16 and 17 for 24 hours across all timezones, you’ll learn about best practices for beginners and experts alike.