
Disable GraphQL introspection

Benjie Gillam edited this page Jul 30, 2022 · 2 revisions

Install the graphql-disable-introspection package:

npm install graphql-disable-introspection

Add this as a server plugin to PostGraphile (the `postgraphile:validationRules:static` hook appends the rule to the GraphQL validation rules PostGraphile runs against every incoming operation):

import express from 'express';
import { postgraphile, makePluginHook } from 'postgraphile';
import NoIntrospection from 'graphql-disable-introspection';

// Server plugin: extend PostGraphile's static validation rules with the
// NoIntrospection rule, which rejects operations that select __schema/__type.
const DisableIntrospectionServerPlugin = {
  ['postgraphile:validationRules:static'](rules) {
    return [...rules, NoIntrospection];
  },
};

const app = express();

app.use(
  postgraphile(
    process.env.DATABASE_URL || 'postgres://user:pass@host:5432/dbname',
    'public',
    {
      pluginHook: makePluginHook([DisableIntrospectionServerPlugin]),
    }
  )
);

app.listen(process.env.PORT || 3000);

Benjie's comments

I think that disabling introspection is virtually pointless; due to the way GraphQL works it's trivial to discover the fields that a client issues and from that you can build up an understanding of the GraphQL schema yourself, replicating most of what introspection gives you. It is at best security through obscurity, at worst it's a false sense of security.

If your goal is to prevent third parties from issuing queries that you've not sanctioned then you should use persisted operations as an operation allow-list. (Do not confuse "persisted operations" with Apollo's "automatic persisted queries" which are not a suitable approach for this goal.) Read more here:

If your goal is to prevent your own developers (and third parties) from querying certain fields/using certain arguments/etc in your schema, then don't put those things in your schema! You can read about removing things from a PostGraphile schema here:

Stay safe out there!