Port 7474 (TCP) – Neo4j HTTP / Browser

Default port for the Neo4j HTTP API and the web-based Neo4j Browser interface.

TCP · Registered · Commonly attacked

Default state

Neo4j ships with a default neo4j/neo4j login that must be changed on first use, but exposed instances on 0.0.0.0:7474 with weak or default credentials remain common.

Common attacks

  • Login with the default neo4j/neo4j credentials
  • Unauthenticated or weak-auth access to the Browser and HTTP API
  • Cypher injection from exposed application layers
  • Information disclosure of graph data via the HTTP query endpoint

Hardening

  • Change the default neo4j password immediately; enforce strong credentials
  • Bind to localhost or a private interface; never expose 7474 to the internet
  • Require TLS (prefer HTTPS on 7473) and restrict the Bolt port (7687)
  • Firewall 7474 to trusted hosts and put a reverse proxy in front if remote access is needed
  • Keep Neo4j patched and audit access

nmap snippet

nmap -p7474 --script http-title <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 7474?

Port 7474 is the default for the Neo4j HTTP API and the web-based Neo4j Browser, the interface used to run Cypher queries and administer a graph database. Developers and applications connect over 7474 to read and write nodes and relationships; the binary Bolt protocol uses 7687 and HTTPS uses 7473.

Why it matters for security

Neo4j ships with a well-known default login, neo4j/neo4j, and the Browser exposes a full query console. If 7474 is reachable with default or weak credentials, an attacker can run arbitrary Cypher to read or modify the entire graph, which often contains sensitive relationship and identity data.

How it's attacked

Attackers scan for open 7474, try the default neo4j/neo4j login, and reach the Browser or HTTP API. They run Cypher to dump the graph or tamper with data. Where Neo4j backs an application, Cypher injection can also be used to extract or alter records through the query endpoint.

Hardening checklist

Change the default neo4j password immediately and enforce strong credentials. Bind Neo4j to localhost or a private interface, require TLS (prefer HTTPS on 7473), and restrict the Bolt port 7687. Firewall 7474 to trusted hosts and place a reverse proxy in front if remote access is needed. Patch regularly and audit access. Use the nmap snippet above to detect exposed instances on hosts you are authorized to test.
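
The checklist above can be checked against a host's neo4j.conf. The following is an added example, not code from this page or from Neo4j: a small Python audit that flags an HTTP listener bound to all interfaces, HTTP without HTTPS, Bolt without required TLS, and disabled authentication. It assumes the Neo4j 5.x setting names (with their 4.x spellings as aliases) and assumed defaults for unset keys; the finding codes and sample configurations are constructed for illustration.

```python
# Added example: audit neo4j.conf text against the hardening checklist.
# Keys are Neo4j 5.x names; ALIASES maps 4.x spellings onto them. Defaults
# used for unset keys are assumptions; confirm them for the version you run.
ALIASES = {
    "dbms.default_listen_address": "server.default_listen_address",
    "dbms.connector.http.enabled": "server.http.enabled",
    "dbms.connector.http.listen_address": "server.http.listen_address",
    "dbms.connector.https.enabled": "server.https.enabled",
    "dbms.connector.bolt.tls_level": "server.bolt.tls_level",
}
WILDCARDS = {"0.0.0.0", "::", "[::]"}

def parse_conf(text):
    """Return {key: value} from neo4j.conf text, skipping comments and blanks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[ALIASES.get(key, key)] = value
    return settings

def audit(text):
    """Return finding codes for the HTTP (7474) and Bolt (7687) connectors."""
    s = parse_conf(text)
    on = lambda key, default: s.get(key, default).lower() == "true"
    findings = []
    http_on = on("server.http.enabled", "true")
    # Host part of the HTTP listener; an empty host inherits the default address.
    host = s.get("server.http.listen_address", ":7474").rsplit(":", 1)[0]
    host = host or s.get("server.default_listen_address", "localhost")
    if http_on and host in WILDCARDS:
        findings.append("HTTP_ON_ALL_INTERFACES")
    if http_on and not on("server.https.enabled", "false"):
        findings.append("HTTP_WITHOUT_HTTPS")
    if s.get("server.bolt.tls_level", "DISABLED").upper() != "REQUIRED":
        findings.append("BOLT_TLS_NOT_REQUIRED")
    if not on("dbms.security.auth_enabled", "true"):
        findings.append("AUTH_DISABLED")
    return findings

# Constructed sample configurations (not taken from any real host).
WEAK = "server.default_listen_address=0.0.0.0\ndbms.security.auth_enabled=false\n"
HARDENED = ("server.default_listen_address=127.0.0.1\nserver.http.enabled=false\n"
            "server.https.enabled=true\nserver.bolt.tls_level=REQUIRED\n")

if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", audit(HARDENED))
```

The audit only reads the configuration file; password strength and firewall rules still have to be checked separately.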

Frequently asked questions

What is the default Neo4j login?

Neo4j ships with neo4j/neo4j and prompts for a password change on first login, but many exposed instances keep weak or default credentials. Always set a strong password before exposing 7474 or the Bolt port 7687.

Is it safe to expose the Neo4j Browser on port 7474?

No. The Browser and HTTP API allow running Cypher queries against your graph. Bind to a private interface, require TLS, change default credentials, and firewall 7474 to trusted hosts.