Simplify your stack and build anything. Or everything.
Build tomorrow’s web with a modern solution you truly own.
Code-based nature means you can build on top of it to power anything.
It’s time to take back your content infrastructure.

Is it possible to disable GraphQL introspection on production?

default discord avatar
svn__last year
2

Hey, as in the title, is there any configuration flag that allows to disable GraphQL introspection or restrict access to the graphql endpoint to authorized requests only?

  • default discord avatar
    zsazsagabonklast year

    Hi! Set

    graphQL: {disable: true}

    in your payload.config.ts file to totally disable graphQL



    https://payloadcms.com/docs/graphql/overview
  • default discord avatar
    svn__last year

    Hmm, but as far as I understood it disables GraphQL completly. I still want to use it, just don’t want to make it accessible without authorization. My only idea for now was to use the Express middleware but maybe there is an easier way?



    I secured it with express.postMiddleware, I'm not sure if this is the best approach, but it seems to work well:



    export const secureGraphQLIntrospection = (req: PayloadRequest, res: Response, next: NextFunction) => {
      const isGqlPath = req.path === '/graphql';
    
      if (isGqlPath) {
        const query = isObject(req.body) ? req.body.query : null;
        const isIntrospectionQuery = typeof query === 'string' && query.includes('__schema');
        if (isIntrospectionQuery && !req.user) {
          return res.status(403).json({ error: 'Introspection queries are not allowed' });
        }
      }
    
      next();
    };
Star on GitHub

Star

Chat on Discord

Discord

online

Can't find what you're looking for?

Get dedicated engineering support directly from the Payload team..