GraphQL Introspection can't be disabled #4571
Hey @JulianAtTheFrontend — while disabling GraphQL introspection does indeed expose the full schema, you can get it via a variety of other ways even if introspection is disabled. Take a look here: https://escape.tech/blog/should-i-disable-introspection-in-graphql/ But I would agree that we could enable a flag to restrict introspection. It looks to me like this package could work: https://www.npmjs.com/package/graphql-disable-introspection So I think maybe the move is to just allow for custom What do you think about this? In the end, I don't think this is truly a bug though - so I'll switch it over to our roadmap.
Correct me if I'm wrong, please. Custom
Link to reproduction
No response
Describe the Bug
Currently there is no way to disable GraphQL introspection and I'd rather call it a bug than a feature request as it exposes the complete schema without any restrictions. Ideally I'd even like to apply an access rule e.g. to still fetch it for development of a headless frontend.
To Reproduce
Just enable GraphQL and try to retrieve the schema with @graphql-codegen/cli.
Payload Version
2.0.11
Adapters and Plugins
No response
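One way to express the access rule the original post asks for, as a request gate that refuses introspection queries unless the caller is allowed to run them. This is an added example, not Payload's code and not the code of the graphql-disable-introspection package; `allowQuery`, the `user.roles` shape and the `developer` role are assumptions, and the sample queries are constructed.

```javascript
// Added example (not Payload or graphql-disable-introspection code).
// Root introspection fields; __typename is deliberately still allowed.
const INTROSPECTION_FIELDS = new Set(['__schema', '__type']);
const NAME = /[_A-Za-z][_0-9A-Za-z]*/y; // GraphQL Name token, sticky match

// Collect Name tokens, skipping comments and string literals so that
// "__schema" inside a string argument or a comment is not counted.
function nameTokens(query) {
  const names = [];
  let i = 0;
  while (i < query.length) {
    if (query[i] === '#') {                        // comment: skip to end of line
      while (i < query.length && query[i] !== '\n') i++;
    } else if (query.startsWith('"""', i)) {       // block string, \""" is escaped
      i += 3;
      while (i < query.length && !query.startsWith('"""', i)) {
        i += query.startsWith('\\"""', i) ? 4 : 1;
      }
      i += 3;
    } else if (query[i] === '"') {                 // ordinary string with escapes
      i++;
      while (i < query.length && query[i] !== '"') i += query[i] === '\\' ? 2 : 1;
      i++;
    } else {
      NAME.lastIndex = i;
      const m = NAME.exec(query);
      if (m) names.push(m[0]);
      i = m ? NAME.lastIndex : i + 1;
    }
  }
  return names;
}

// Conservative: any __schema/__type name token counts, so it may over-block.
function usesIntrospection(query) {
  return nameTokens(query).some((n) => INTROSPECTION_FIELDS.has(n));
}

// Access rule. The `user.roles` shape and the 'developer' role are assumptions.
function allowQuery(query, user) {
  if (!usesIntrospection(query)) return true;
  return Boolean(user && Array.isArray(user.roles) && user.roles.includes('developer'));
}

const SAMPLES = { // constructed sample requests
  codegen: '{ __schema { types { name } } }',
  typeLookup: 'query { __type(name: "User") { fields { name } } }',
  normal: '{ posts { __typename title } }',
  inString: '{ search(text: "__schema") { id } }  # __type in a comment',
};
```

As the first reply notes, the schema can still be obtained in other ways with introspection off, so a gate like this narrows exposure and does not replace per-field access control.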