Pattern: TypeScript / GraphQL (Moderate)
Disable GraphQL introspection in production to reduce attack surface
Apollo Server 4.x, graphql 16.x
Tags: introspection, security, production hardening, NoSchemaIntrospectionCustomRule, schema exposure
Problem
GraphQL introspection lets any client query the full schema — all types, fields, arguments, and descriptions. In production, this gives attackers a complete map of your API surface and hints about your data model.
Solution
Disable introspection in production. Allow it in development and staging.
// Option 1: Apollo Server 4 built-in flag. Introspection stays on everywhere
// except production.
import { ApolloServer } from '@apollo/server';

const server = new ApolloServer({
  // ...typeDefs / resolvers / schema as usual
  introspection: process.env.NODE_ENV !== 'production',
});

// Option 2: custom validation rule from graphql-js, for more control
// (e.g. combining with other validation rules). The rule is appended to
// the standard validation rules; it rejects any field whose type is an
// introspection type (__schema, __type, ...), while __typename still works.
import { ApolloServer } from '@apollo/server';
import { NoSchemaIntrospectionCustomRule } from 'graphql';

const server = new ApolloServer({
  // ...typeDefs / resolvers / schema as usual
  validationRules:
    process.env.NODE_ENV === 'production'
      ? [NoSchemaIntrospectionCustomRule]
      : [],
});
Why
Introspection queries return every type, field, and argument in your schema. While security through obscurity is not a substitute for proper authorization, removing this reconnaissance capability is a simple, low-cost hardening step.
Gotchas
- Some tools (GraphiQL, Apollo Sandbox, Postman) require introspection — keep it on for non-production environments
- Disabling introspection does NOT prevent queries against known fields — it only removes discoverability
- Persisted queries + introspection disabled is a strong combination for production hardening
- GraphQL Playground and GraphiQL will show errors or blank schema if introspection is disabled
Context
Production GraphQL APIs exposed to untrusted clients