Is it possible to disable GraphQL introspection on production?

svn__
last month
2

Hey, as in the title, is there any configuration flag that allows to disable GraphQL introspection or restrict access to the graphql endpoint to authorized requests only?

  • zsazsagabonk
    last month

    Hi! Set

    graphQL: {disable: true}

    in your payload.config.ts file to totally disable graphQL



    https://payloadcms.com/docs/graphql/overview
  • svn__
    last month

    Hmm, but as far as I understood it disables GraphQL completely. I still want to use it, just don’t want to make it accessible without authorization. My only idea for now was to use the Express middleware but maybe there is an easier way?



    I secured it with express.postMiddleware, I'm not sure if this is the best approach, but it seems to work well:



    import type { NextFunction, Response } from 'express';
    import type { PayloadRequest } from 'payload/types';

    // Registered under `express.postMiddleware` in payload.config.ts, so it runs after
    // Payload's body parsing and authentication: req.body and req.user are already set.
    export const secureGraphQLIntrospection = (req: PayloadRequest, res: Response, next: NextFunction) => {
      const isGqlPath = req.path === '/graphql';

      if (isGqlPath) {
        // Body may be absent or non-JSON; only read `query` from a real object.
        const body: unknown = req.body;
        const query = typeof body === 'object' && body !== null ? (body as { query?: unknown }).query : null;
        // Both __schema and __type are introspection roots. The word boundary keeps the
        // harmless __typename field (which most clients add to selections) from matching.
        const isIntrospectionQuery = typeof query === 'string' && /\b__(schema|type)\b/.test(query);
        if (isIntrospectionQuery && !req.user) {
          return res.status(403).json({ error: 'Introspection queries are not allowed' });
        }
      }

      next();
    };
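    The same check, pulled out into a stand-alone module as an added example (not code from the thread or from Payload): it also handles batched request bodies (an array of operations) and distinguishes the introspection roots `__schema`/`__type` from the ordinary `__typename` field. The request and response shapes are minimal structural types standing in for Express's so it runs without Payload installed; the sample bodies are constructed.

```typescript
// Minimal request/response shapes (assumed stand-ins for Express types).
type Req = { path: string; body: unknown; user?: unknown };
type GqlOperation = { query?: unknown; operationName?: unknown };

// __schema and __type are the introspection entry points. __typename is a normal
// field that most clients add to every selection, so the trailing word boundary
// stops "__type" from matching inside "__typename".
const INTROSPECTION_FIELD = /\b__(schema|type)\b/;

function usesIntrospection(query: unknown): boolean {
  return typeof query === 'string' && INTROSPECTION_FIELD.test(query);
}

// Accepts a parsed JSON body: either a single operation or a batched array of them.
// Anything that is not an object (missing body, plain string) is treated as benign.
export function isIntrospectionRequest(body: unknown): boolean {
  const ops: unknown[] = Array.isArray(body) ? body : [body];
  return ops.some((op) => {
    if (typeof op !== 'object' || op === null) return false;
    return usesIntrospection((op as GqlOperation).query);
  });
}

// Decision used by the middleware: block only anonymous introspection on /graphql.
export function shouldBlock(req: Req): boolean {
  return req.path === '/graphql' && !req.user && isIntrospectionRequest(req.body);
}

// Express-style middleware wrapping the decision, equivalent to the postMiddleware above.
export function guardIntrospection(
  req: Req,
  res: { status: (code: number) => { json: (payload: unknown) => unknown } },
  next: () => void,
): void {
  if (shouldBlock(req)) {
    res.status(403).json({ error: 'Introspection queries are not allowed' });
    return;
  }
  next();
}

// Constructed sample bodies (not taken from the thread).
export const SAMPLES = {
  schemaProbe: { query: '{ __schema { types { name } } }' },
  typeProbe: { query: 'query { __type(name: "User") { fields { name } } }' },
  apolloStyle: { query: '{ users { docs { id __typename } } }' },
  batched: [{ query: '{ users { docs { id } } }' }, { query: '{ __schema { queryType { name } } }' }],
};
```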