Is it possible to disable GraphQL introspection on production?

default discord avatar
svn__11 months ago

Hey, as in the title, is there any configuration flag that allows to disable GraphQL introspection or restrict access to the graphql endpoint to authorized requests only?

  • default discord avatar
    zsazsagabonk11 months ago

    Hi! Set

    graphQL: {disable: true}

    in your payload.config.ts file to totally disable graphQL
  • default discord avatar
    svn__11 months ago

    Hmm, but as far as I understood it disables GraphQL completly. I still want to use it, just don’t want to make it accessible without authorization. My only idea for now was to use the Express middleware but maybe there is an easier way?

    I secured it with express.postMiddleware, I'm not sure if this is the best approach, but it seems to work well:

    export const secureGraphQLIntrospection = (req: PayloadRequest, res: Response, next: NextFunction) => {
      const isGqlPath = req.path === '/graphql';
      if (isGqlPath) {
        const query = isObject(req.body) ? req.body.query : null;
        const isIntrospectionQuery = typeof query === 'string' && query.includes('__schema');
        if (isIntrospectionQuery && !req.user) {
          return res.status(403).json({ error: 'Introspection queries are not allowed' });
Star on GitHub


Chat on Discord



Can't find what you're looking for?

Get help straight from the Payload team with an Enterprise License.