adding health warning about insecure protocols for LOAD CSV (#1006)
adds a warning against allowing insecure protocols for `LOAD CSV`

this PR is the docs counterpart to
neo-technology/neo4j#26403

I will add a duplicate warning to  
https://neo4j.com/docs/cypher-manual/current/clauses/load-csv/

https://neo4j.com/docs/operations-manual/5/authentication-authorization/load-privileges/
and possibly
https://neo4j.com/docs/getting-started/data-import/csv-import/

once the wording of this one is finalised.

---------

Co-authored-by: Jens Pryce-Åklundh <[email protected]>
phil198 and JPryce-Aklundh authored Aug 12, 2024
1 parent 21d63cc commit 79cbee9
Showing 1 changed file with 9 additions and 0 deletions.
9 changes: 9 additions & 0 deletions modules/ROOT/pages/clauses/load-csv.adoc
Expand Up @@ -90,6 +90,15 @@ You can import data from a CSV file hosted on a remote path.
`LOAD CSV` supports accessing CSV files via HTTPS, HTTP, and FTP (with or without credentials).
It also follows redirects, except those changing the protocol (for security reasons).

[IMPORTANT]
====
It is strongly recommended to permit resource loading only over secure protocols such as HTTPS instead of insecure protocols like HTTP.
This can be done by limiting the link:{neo4j-docs-base-uri}/operations-manual/{page-version}/authentication-authorization/load-privileges/#access-control-load-cidr/[load privileges] to only trusted sources that use secure protocols.
If allowing an insecure protocol is absolutely unavoidable, Neo4j takes measures internally to enhance the security of these requests within their limitations.
However, this means that insecure URLs on virtual hosts will not function unless you add the JVM argument `-Dsun.net.http.allowRestrictedHeaders=true` to the configuration setting link:{neo4j-docs-base-uri}/operations-manual/{page-version}/configuration/configuration-settings/#config_server.jvm.additional/[jvm.additional].
====


.Import artists name and year information from a remote file via HTTPS
====
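
Review bot: The last sentence of the admonition ("However, this means that insecure URLs on virtual hosts will not function unless you add the JVM argument `-Dsun.net.http.allowRestrictedHeaders=true`") asks operators to set a JVM-wide flag without naming the internal measure it undoes, so "this" has no clear antecedent and a reader cannot weigh what is given up by enabling it. Suggest naming the measure in the preceding sentence and stating that the flag applies to the whole JVM, not only to `LOAD CSV` requests. Separately, both `link:` targets end with a `/` after the fragment (`#access-control-load-cidr/[` and `#config_server.jvm.additional/[`), which makes the slash part of the anchor and will likely stop the links from landing on the intended section. The second link's text reads `jvm.additional` while its anchor is for `server.jvm.additional`, so the full setting name would be clearer. The two consecutive blank lines added after the closing `====` can be reduced to one.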