#graphql
2019-04-25
chrisulloa 19:04:17

Anyone have any opinions on disabling introspection so malicious actors can't view the entire GraphQL schema you've defined?

chrisulloa 19:04:41

Have an app that runs off of a graphql backend, but we've found that anyone can go in and expose the schema. There's nothing dangerous there but it exposes a lot of information we'd rather not share.

hlship 21:04:51

I don't think there's any provision in Lacinia for that.

hlship 21:04:46

I would consider adding an option to disable introspection; you might disable introspection in production, but not in QA/staging. But no introspection ➠ no GraphiQL.

👍 4
chrisulloa 21:04:23

Oh interesting, that's what we were discussing doing, removing introspection from QA/staging but leaving it in dev. I read that GraphiQL relies heavily on introspection and won't work without it.

chrisulloa 21:04:42

I have to figure out now how to go about disabling it in Lacinia.

chrisulloa 21:04:27

Does Lacinia take PRs for that sort of thing?