Skip to Content
DocumentationGatewayOther FeaturesSecurityDisable Introspection

Disable Introspection

A powerful feature of GraphQL is schema introspection. This feature is used by GraphiQL for exploring the schema and also by tooling such as GraphQL Code Generator for generating type-safe client/frontend code.

GraphQL schema introspection is also a feature that allows clients to ask a GraphQL server what GraphQL features it supports (e.g. defer/stream or subscriptions).

However, you may want to not expose your schema to the outside world. You can disable schema introspection with the disableIntrospection option.

gateway.config.ts
import { defineConfig } from '@graphql-hive/gateway'
 
export const gatewayConfig = defineConfig({
  disableIntrospection: {
    disableIf: () => true
  }
})
💡

If your goal is to avoid unknown actors from reverse-engineering your GraphQL schema and executing arbitrary operations, it is highly recommended to use persisted operations.

Disable Introspection based on the GraphQL Request

Sometimes you want to allow introspectition for certain users. You can access the Request object and determine based on that whether introspection should be enabled or not. E.g. you can check the headers.

gateway.config.ts
import { defineConfig } from '@graphql-hive/gateway'
 
export const gatewayConfig = defineConfig({
  disableIntrospection: {
    disableIf: ({ context }) => {
      return context.request.headers.get('x-allow-introspection') !== 'secret-access-key'
    }
  }
})

Blocking Field Suggestions

When executing invalid GraphQL operation the GraphQL engine will try to construct smart suggestions that hint typos in the executed GraphQL document. This can be considered a security issue, as it can leak information about the GraphQL schema, even if introspection is disabled.

Tools like Clairvoyance can exploit the smart suggestions and brute-force obtaining the GraphQL schema even if the introspection has been disabled.

Enabling the blockFieldSuggestions option will disable these smart suggestions and therefore prevent schema leaking.

Combined with the disableIntrospection option, you can make your schema more secure.

gateway.config.ts
import { defineConfig } from '@graphql-hive/gateway'
 
export const gatewayConfig = defineConfig({
  disableIntrospection: {
    disableIf: () => true
  },
  blockFieldSuggestions: true
})
Last updated on
Demand ControlHTTPS