
🚧 Disable the introspection of the GraphQL Schema

For security reasons, once the application is released it is advisable to disable the ability to perform GraphQL Schema introspection.

When GraphQL introspection is enabled, a GraphQL server can be queried for information about its underlying schema. Types, fields, queries, and mutations can all be discovered by external users, potentially exposing the entire GraphQL Schema of the application. This leaves the application vulnerable to a variety of security issues. Therefore, while GraphQL introspection is extremely useful as a discovery and diagnostic tool during development, it is highly advisable to disable it on the Cloudlets in the production environment.

From the Dashboard, clicking on the icon on the Cloudlet panel header provides access to the API & Public Urls panel.

Disable GraphQL Introspection

In this panel there is a button next to the text Enable introspection. If you haven’t made any changes, the button is green and is in the On state, because GraphQL Schema introspection is enabled by default.

To disable GraphQL introspection, click on the button by moving it to Off as shown in the image below.

Disable GraphQL Introspection
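To confirm that the switch took effect, you can send a minimal introspection query to the Cloudlet's GraphQL endpoint and check that no schema data comes back. The script below is an added example, not part of the platform's own tooling; the endpoint URL you pass in, the Bearer token header, and the sample responses are assumptions.

```python
import json
import sys
import urllib.error
import urllib.request

# Smallest useful probe: ask only for the names of the schema's types.
PROBE = {"query": "{ __schema { types { name } } }"}

# Constructed sample responses (not captured from a real Cloudlet).
SAMPLE_ON = '{"data": {"__schema": {"types": [{"name": "Query"}]}}}'
SAMPLE_OFF = '{"data": null, "errors": [{"message": "introspection is disabled"}]}'


def introspection_enabled(body: str) -> bool:
    """True if a GraphQL response body discloses schema types."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return False  # not JSON: no schema was returned
    data = payload.get("data") if isinstance(payload, dict) else None
    schema = data.get("__schema") if isinstance(data, dict) else None
    return isinstance(schema, dict) and bool(schema.get("types"))


def check_endpoint(url: str, token: str = "", timeout: float = 10.0) -> bool:
    """POST the probe to url; True means introspection is still on."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = "Bearer " + token  # assumed auth scheme
    req = urllib.request.Request(
        url, data=json.dumps(PROBE).encode(), headers=headers, method="POST"
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # Servers may reject the probe with a 4xx carrying a JSON error body.
        body = err.read().decode("utf-8", "replace")
    return introspection_enabled(body)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # argument: your Cloudlet's GraphQL endpoint URL
        enabled = check_endpoint(sys.argv[1])
    else:  # offline demo on the constructed sample
        enabled = introspection_enabled(SAMPLE_OFF)
    print("introspection ENABLED" if enabled else "introspection disabled")
    sys.exit(1 if enabled else 0)
```

If the endpoint requires authentication, pass a valid token so that a "disabled" result reflects the introspection setting and not an authentication rejection. The non-zero exit code when introspection is still on makes the script usable as a release gate.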