08-16-2022 06:11 PM
Hello all,
I am currently using Neo4j version 4.3.10. I would like to know if it is possible to disable the HTTP OPTIONS method, as one of our customers has raised it as a security vulnerability.
08-16-2022 09:24 PM
Hi @krishnan_pb
I'm not sure what OPTIONS means, but to disable http itself, you would set "dbms.connector.http.enabled" in the neo4j.conf. For modules, you would set "dbms.http_enabled_modules".
* dbms.connector.https.enabled (in conf/neo4j.conf)
# HTTP Connector. There can be zero or one HTTP connectors.
dbms.connector.http.enabled=false
#dbms.connector.http.listen_address=:7474
#dbms.connector.http.advertised_address=:7474
# HTTPS Connector. There can be zero or one HTTPS connectors.
dbms.connector.https.enabled=false
#dbms.connector.https.listen_address=:7473
#dbms.connector.https.advertised_address=:7473
* dbms.http_enabled_modules (in conf/neo4j.conf)
https://neo4j.com/docs/operations-manual/current/reference/configuration-settings/
08-17-2022 05:07 PM
Hi Koji,
I am talking about HTTP OPTIONS method, similar to GET/PUT etc.
pa@MBPKPA1 ~ % curl -i -X OPTIONS http://localhost:7474
HTTP/1.1 200 OK
Date: Thu, 18 Aug 2022 00:06:09 GMT
Access-Control-Allow-Origin: *
Content-Type: text/plain
Allow: HEAD,GET,OPTIONS
Content-Length: 18
08-17-2022 07:02 PM
Hi @krishnan_pb
You can change the "dbms.connector.http.enabled" from true to false.
From
# HTTP Connector. There can be zero or one HTTP connectors.
dbms.connector.http.enabled=true
To
# HTTP Connector. There can be zero or one HTTP connectors.
dbms.connector.http.enabled=false
09-02-2022 08:51 PM
This will disable HTTP access completely. I am looking for a way to disable a specific method like 'PUT', 'POST' or 'OPTIONS'.
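An added example, not part of any post in this thread and not Neo4j code: a small Python check that parses an OPTIONS response such as the curl output quoted above and reports what it advertises, so the endpoint can be compared before and after a change. The permitted-method policy, the function names and the second (405) sample are assumptions constructed for illustration.

```python
# Audit a raw HTTP response to an OPTIONS request against a method policy.

# Response captured in the thread (curl -i -X OPTIONS http://localhost:7474).
CAPTURED = """\
HTTP/1.1 200 OK
Date: Thu, 18 Aug 2022 00:06:09 GMT
Access-Control-Allow-Origin: *
Content-Type: text/plain
Allow: HEAD,GET,OPTIONS
Content-Length: 18
"""

# Constructed sample: what a server that refuses OPTIONS might return.
REJECTED = "HTTP/1.1 405 Method Not Allowed\nAllow: GET, HEAD\nContent-Length: 0\n"

PERMITTED = {"GET", "HEAD"}  # hypothetical policy, adjust to your requirements


def parse_response(raw):
    """Return (status_code, headers) where headers maps lowercased names to value lists."""
    lines = raw.replace("\r\n", "\n").split("\n")
    _, status, *_rest = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():  # blank line ends the header section
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(status), headers


def audit(raw, permitted=PERMITTED):
    """List findings: OPTIONS accepted, methods outside policy, wildcard CORS origin."""
    status, headers = parse_response(raw)
    findings = []
    if status < 400:
        findings.append(f"OPTIONS accepted with status {status}")
    advertised = set()
    for value in headers.get("allow", []):
        advertised.update(m.strip().upper() for m in value.split(",") if m.strip())
    for method in sorted(advertised - permitted):
        findings.append(f"Allow advertises {method}")
    if "*" in headers.get("access-control-allow-origin", []):
        findings.append("Access-Control-Allow-Origin is a wildcard")
    return findings


if __name__ == "__main__":
    for label, raw in (("captured", CAPTURED), ("rejected", REJECTED)):
        print(label, audit(raw) or "no findings")
```

To check a live endpoint, save the output of `curl -si -X OPTIONS <url>` to a file and pass its contents to `audit()`.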