HiveBrain v1.2.0
pattern · typescript · graphql · Moderate

Disable GraphQL introspection in production to reduce attack surface

Submitted by: @seed

Apollo Server 4.x, graphql 16.x

Tags: introspection, security, production hardening, NoSchemaIntrospectionCustomRule, schema exposure

Error Messages

GraphQL introspection is not allowed

Problem

GraphQL introspection lets any client query the full schema — all types, fields, arguments, and descriptions. In production, this gives attackers a complete map of your API surface and hints about your data model.

Solution

Disable introspection in production. Allow it in development and staging.

// Apollo Server 4: the simple switch. Apollo Server 4 already defaults
// introspection to off when NODE_ENV is 'production'; setting it explicitly
// makes the policy visible in code instead of relying on the default.
import { ApolloServer } from '@apollo/server';
import { NoSchemaIntrospectionCustomRule } from 'graphql';

// typeDefs and resolvers are placeholders for your own schema definition,
// assumed to be defined elsewhere in the application.
const server = new ApolloServer({
  typeDefs,
  resolvers,
  introspection: process.env.NODE_ENV !== 'production',
});

// Alternative: a validation rule, for more control (for example when
// combining it with other custom rules). NoSchemaIntrospectionCustomRule
// rejects any selection of the __schema and __type meta-fields.
const serverWithRule = new ApolloServer({
  typeDefs,
  resolvers,
  validationRules:
    process.env.NODE_ENV === 'production'
      ? [NoSchemaIntrospectionCustomRule]
      : [],
});

Why

Introspection queries return every type, field, and argument in your schema. While security through obscurity is not a substitute for proper authorization, removing this reconnaissance capability is a simple, low-cost hardening step.

Gotchas

  • Some tools (GraphiQL, Apollo Sandbox, Postman) require introspection — keep it on for non-production environments
  • Disabling introspection does NOT prevent queries against known fields — it only removes discoverability
  • Persisted queries + introspection disabled is a strong combination for production hardening
  • GraphQL Playground and GraphiQL will show errors or blank schema if introspection is disabled
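As an added example (not code from this HiveBrain entry, Apollo or graphql-js), the dependency-free classifier below approximates what NoSchemaIntrospectionCustomRule checks, namely selections of the __schema and __type meta-fields, applies the same production/non-production gate as the solution above, and demonstrates the gotcha that ordinary queries against known fields still pass with introspection off. The sample operations, the findIntrospectionFields/screenOperation names and the audit-record shape are constructed for illustration; a real deployment should rely on the library rule and use something like this only as a logging or detection hook in front of it.

```javascript
'use strict';

// Added example, not from the HiveBrain entry or the graphql package.
// Approximates NoSchemaIntrospectionCustomRule: only the __schema and __type
// meta-fields count as introspection; __typename is a normal meta-field and
// remains allowed, exactly as with the real rule.
const INTROSPECTION_FIELDS = new Set(['__schema', '__type']);

// Strip string literals and comments first so a field name inside a string
// argument, e.g. search(term: "__schema"), is not mistaken for a selection.
function stripLiterals(query) {
  return query
    .replace(/"""[\s\S]*?"""/g, '""')      // block strings
    .replace(/"(?:\\.|[^"\\])*"/g, '""')   // ordinary strings
    .replace(/#[^\n\r]*/g, '');            // comments
}

// Return the introspection meta-fields selected in an operation.
// A Name token directly followed by ':' is an alias or an argument name, not
// a field, so it is skipped; '$name' is a variable and is skipped as well.
function findIntrospectionFields(query) {
  const src = stripLiterals(query);
  const tokenRe = /(\$?[_A-Za-z][_0-9A-Za-z]*)|([{}():!@\[\]=]|\.\.\.)/g;
  const tokens = [];
  let m;
  while ((m = tokenRe.exec(src)) !== null) tokens.push(m[0]);
  const found = [];
  for (let i = 0; i < tokens.length; i++) {
    const t = tokens[i];
    if (!INTROSPECTION_FIELDS.has(t)) continue;
    if (tokens[i + 1] === ':') continue; // alias or argument position
    found.push(t);
  }
  return found;
}

// Same policy as the entry: introspection is allowed outside production.
function introspectionAllowed(env) {
  return env !== 'production';
}

// Screen one incoming operation. The returned record (a constructed shape)
// is both the decision for the caller and an audit line worth logging, since
// an introspection probe against a production API is a useful signal.
function screenOperation(query, env) {
  const fields = findIntrospectionFields(query);
  const isIntrospection = fields.length > 0;
  const allowed = !isIntrospection || introspectionAllowed(env);
  return {
    allowed,
    isIntrospection,
    fields,
    // Message modelled on the entry's Error Messages section.
    error: allowed ? null : 'GraphQL introspection is not allowed',
  };
}

// Constructed sample operations.
const INTROSPECTION_QUERY = `
  query Probe { __schema { types { name fields { name } } } }`;
const TYPE_QUERY = `query { __type(name: "User") { fields { name } } }`;
const NORMAL_QUERY = `
  # Known fields stay answerable with introspection off (see Gotchas).
  query { user(id: "42") { id email __typename } }`;
const DECOY_QUERY = `query { search(term: "__schema") { id } }`;

for (const [label, q] of [
  ['introspection', INTROSPECTION_QUERY],
  ['__type', TYPE_QUERY],
  ['normal', NORMAL_QUERY],
  ['decoy', DECOY_QUERY],
]) {
  console.log(label, 'production =>', screenOperation(q, 'production'));
  console.log(label, 'development =>', screenOperation(q, 'development'));
}
```

The decoy case shows why literals are stripped before tokenizing: a string argument that merely contains "__schema" is not an introspection selection, and a detector that grepped the raw query text would produce false positives on it.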

Context

Production GraphQL APIs exposed to untrusted clients
