adding health warning about insecure protocols for LOAD CSV #1006
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
OliviaYtterbrink
approved these changes
Jul 19, 2024
| @@ -90,6 +90,12 @@ You can import data from a CSV file hosted on a remote path. | |||
| `LOAD CSV` supports accessing CSV files via HTTPS, HTTP, and FTP (with or without credentials). | |||
| It also follows redirects, except those changing the protocol (for security reasons). | |||
|
|
|||
| [IMPORTANT] | |||
| ==== | |||
| It is strongly recommended to only allow secure protocols like HTTPS in favour of allowing insecure protocols like HTTP. If allowing an insecure protocol is completely unavoidable, then Neo4j internally takes some measures to make these requests as secure as possible within their limitations. However, this means that insecure URLs which are located somewhere which uses virtual hosting will not work. The only way to load an insecure resource from a virtually hosted URL is to add the JVM argument `-Dsun.net.http.allowRestrictedHeaders=true` to the link:{neo4j-docs-base-uri}/operations-manual/{page-version}/configuration/configuration-settings/#config_server.jvm.additional/[jvm.additional] config setting. For the sake of security, it is strongly recommended that this be avoided at all cost and that you only permit loading of resources over secure protocols. This can be achieved by limiting link:{neo4j-docs-base-uri}/operations-manual/{page-version}/authentication-authorization/load-privileges/#access-control-load-cidr/[load privileges] to trusted sources that use secure protocols. | |||
There was a problem hiding this comment.
Suggested change
| It is strongly recommended to only allow secure protocols like HTTPS in favour of allowing insecure protocols like HTTP. If allowing an insecure protocol is completely unavoidable, then Neo4j internally takes some measures to make these requests as secure as possible within their limitations. However, this means that insecure URLs which are located somewhere which uses virtual hosting will not work. The only way to load an insecure resource from a virtually hosted URL is to add the JVM argument `-Dsun.net.http.allowRestrictedHeaders=true` to the link:{neo4j-docs-base-uri}/operations-manual/{page-version}/configuration/configuration-settings/#config_server.jvm.additional/[jvm.additional] config setting. For the sake of security, it is strongly recommended that this be avoided at all cost and that you only permit loading of resources over secure protocols. This can be achieved by limiting link:{neo4j-docs-base-uri}/operations-manual/{page-version}/authentication-authorization/load-privileges/#access-control-load-cidr/[load privileges] to trusted sources that use secure protocols. | |
| It is strongly recommended to permit resource loading only over secure protocols such as HTTPS instead of insecure protocols like HTTP by limiting the link:{neo4j-docs-base-uri}/operations-manual/{page-version}/authentication-authorization/load-privileges/#access-control-load-cidr/[load privileges] to trusted sources that use such protocols and avoid using resources from untrusted sources. | |
| If allowing an insecure protocol is absolutely unavoidable, Neo4j has internal measures to enhance the security of these requests within their limitations. | |
| However, this means that insecure URLs on virtual hosts will not function unless you add the JVM argument `-Dsun.net.http.allowRestrictedHeaders=true` to the configuration setting link:{neo4j-docs-base-uri}/operations-manual/{page-version}/configuration/configuration-settings/#config_server.jvm.additional/[jvm.additional]. |
There was a problem hiding this comment.
How about this wording?
phil198
commented
Jul 24, 2024
Co-authored-by: Phil Wright <[email protected]>
|
Thanks for the documentation updates. The preview documentation has now been torn down - reopening this PR will republish it. |
This was referenced Aug 12, 2024
renetapopova
added a commit
to neo4j/docs-operations
that referenced
this pull request
Aug 12, 2024
adds a warning against allowing insecure protocols for `LOAD CSV` this PR is the operations manual copy of the [cypher manual equivalent](neo4j/docs-cypher#1006) --------- Co-authored-by: Reneta Popova <[email protected]>
NataliaIvakina
pushed a commit
to NataliaIvakina/docs-operations
that referenced
this pull request
Aug 22, 2024
adds a warning against allowing insecure protocols for `LOAD CSV` this PR is the operations manual copy of the [cypher manual equivalent](neo4j/docs-cypher#1006) --------- Co-authored-by: Reneta Popova <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
adds a warning against allowing insecure protocols for
LOAD CSVthis PR is the docs counterpart to https://github.com/neo-technology/neo4j/pull/26403
I will add a duplicate warning to
https://neo4j.com/docs/cypher-manual/current/clauses/load-csv/
https://neo4j.com/docs/operations-manual/5/authentication-authorization/load-privileges/
and possibly
https://neo4j.com/docs/getting-started/data-import/csv-import/
once the wording of this one is finalised.