Introspection
A powerful feature of GraphQL is schema introspection. This feature is used by GraphiQL for exploring the schema and also by tooling such as GraphQL Code Generator for generating type-safe client/frontend code.
GraphQL schema introspection is also a feature that allows clients to ask a GraphQL server what GraphQL features it supports (e.g. defer/stream or subscriptions).
Disabling Introspection
If your goal is to avoid unknown actors from reverse-engineering your GraphQL schema and executing arbitrary operations, it is highly recommended to use persisted operations.
Disable Introspection based on the GraphQL Request
Sometimes you want to allow introspectition for certain users. You can access the Request
object
and determine based on that whether introspection should be enabled or not. E.g. you can check the
headers.
import { defineConfig } from '@graphql-hive/gateway'
export const gatewayConfig = defineConfig({
disableIntrospection: {
isDisabled: request => request.headers.get('x-allow-introspection') !== 'secret-access-key'
}
})
Disabling Field Suggestions
The graphql-armor
plugin is a security layer that help you protect your GraphQL server from malicious queries.
It allows you to configure various security features such as character limit or blocking field suggestions.
For more information about graphql-armor
features, you can refer to the documentation for the plugin.
Here is an example of how to use graphql-armor
to disable introspection and block field
suggestions.
When executing invalid GraphQL operation the GraphQL engine will try to construct smart suggestions that hint typos in the executed GraphQL document. This can be considered a security issue, as it can leak information about the GraphQL schema, even if introspection is disabled.
If your goal is to avoid unknown actors from reverse-engineering your GraphQL schema and executing arbitrary operations, it is highly recommended to use persisted operations.
Disabling the “did you mean x” suggestion feature can be achieved via the
blockFieldSuggestionsPlugin
from
graphql-armor
.
npm i @escape.tech/graphql-armor-block-field-suggestions
import { blockFieldSuggestionsPlugin } from '@escape.tech/graphql-armor-block-field-suggestions'
import { defineConfig, useDisableIntrospection } from '@graphql-hive/gateway'
export const gatewayConfig = defineConfig({
disableIntrospection: true,
plugins: pluginCtx => [blockFieldSuggestionsPlugin()]
})