cancel
Showing results for 
Search instead for 
Did you mean: 

How to disable http OPTIONS method in neo4j?

Hello all, 

I am currently using neo4j version 4.3.10, I would like to know if it is possible to disable http OPTIONS method as one of our customer has raised as a security vulnerability.

4 REPLIES 4

koji
Ninja
Ninja

Hi @krishnan_pb 

I'm not sure what OPTIONS means, but to disable http itself, you would set "dbms.connector.http.enabled" in the neo4j.conf. For modules, you would set "dbms.http_enabled_modules".

* dbms.connector.https.enabled (in conf/neo4j.conf)

# HTTP Connector. There can be zero or one HTTP connectors.
dbms.connector.http.enabled=false
#dbms.connector.http.listen_address=:7474
#dbms.connector.http.advertised_address=:7474

# HTTPS Connector. There can be zero or one HTTPS connectors.
dbms.connector.https.enabled=false
#dbms.connector.https.listen_address=:7473
#dbms.connector.https.advertised_address=:7473

* dbms.http_enabled_modules (in conf/neo4j.conf)

https://neo4j.com/docs/operations-manual/current/reference/configuration-settings/

Hi Koji,

I am talking about HTTP OPTIONS method, similar to GET/PUT etc.

pa@MBPKPA1 ~ % curl -i -X OPTIONS http://localhost:7474          

HTTP/1.1 200 OK

Date: Thu, 18 Aug 2022 00:06:09 GMT

Access-Control-Allow-Origin: *

Content-Type: text/plain

Allow: HEAD,GET,OPTIONS

Content-Length: 18

Hi @krishnan_pb 

You can change the "dbms.connector.http.enabled" from true to false.

From

# HTTP Connector. There can be zero or one HTTP connectors.
dbms.connector.http.enabled=true

To

# HTTP Connector. There can be zero or one HTTP connectors.
dbms.connector.http.enabled=false


 

This will disable complete http access. I am looking for a way to disable a specific method like 'PUT', 'POST' or 'OPTIONS'.