Simplify your stack and build anything. Or everything.
Schedule a Demo
USE CASES
Headless CMSEnterprise App BuilderHeadless E-CommerceDigital Asset Management
FEATURES
Multi-TenancyWhite LabelLocalizationAccess ControlAuth
CASE STUDIES

See what others are building with Payload.

Browse Case Studies
Build tomorrow’s web with a modern solution you truly own.
PAYLOAD IS FOR
DevelopersMarketing teamsEnterprise companiesAgencies & Consultancies
COMPARE PAYLOAD
Payload vs WordPressPayload vs ContentfulPayload vs SanityPayload vs StrapiPayload vs Directus
AGENCY TESTIMONIAL

"Payload has transformed the way our clients manage content. It's an indispensable tool for any modern agency."

Become a PartnerFind a Partner
Code-based nature means you can build on top of it to power anything.
Resources
DocumentationExamplesTemplatesGitHubReleasesBlogGuides & Tutorials
Community
RoadmapDiscordCommunity Help
Payload Cloud

Deploy your entire stack in one place with Payload Cloud.

LoginCloud Pricing
It’s time to take back your content infrastructure.
Schedule a Demo
Enterprise Features
SSOAI Auto-EmbeddingPublishing WorkflowsVisual EditorStatic A/B testingAI features
Customer Stories
MicrosoftASICSBlue OriginHello BelloTekton
Featured Customer Story

Microsoft chose Payload to tell the world about AI.

Read the case studyBrowse all
LoginGet Started
Community Help

Is it possible to disable GraphQL introspection on production?

default discord avatar
svn__last year
5

Hey, as in the title, is there any configuration flag that allows to disable GraphQL introspection or restrict access to the graphql endpoint to authorized requests only?

  • default discord avatar
    zsazsagabonklast year

    Hi! Set

    graphQL: {disable: true}

    in your payload.config.ts file to totally disable graphQL



    https://payloadcms.com/docs/graphql/overview
  • default discord avatar
    svn__last year

    Hmm, but as far as I understood it disables GraphQL completly. I still want to use it, just don’t want to make it accessible without authorization. My only idea for now was to use the Express middleware but maybe there is an easier way?



    I secured it with express.postMiddleware, I'm not sure if this is the best approach, but it seems to work well:



    export const secureGraphQLIntrospection = (req: PayloadRequest, res: Response, next: NextFunction) => {
  const isGqlPath = req.path === '/graphql';

  if (isGqlPath) {
    const query = isObject(req.body) ? req.body.query : null;
    const isIntrospectionQuery = typeof query === 'string' && query.includes('__schema');
    if (isIntrospectionQuery && !req.user) {
      return res.status(403).json({ error: 'Introspection queries are not allowed' });
    }
  }

  next();
};
  • default discord avatar
    tlmader2 weeks ago
    @545926768327131137

    have you found a better solution for this?

  • default discord avatar
    svn__2 weeks ago

    Hey, unfortunately not :/ This comment might be helpful to decide if it's worth implementing:

    https://github.com/payloadcms/payload/discussions/4571#discussioncomment-7908645
  • default discord avatar
    tlmader2 weeks ago

    I'm going to give this a try:

    https://www.npmjs.com/package/graphql-disable-introspection

    thanks!

Open

Continue the discussion in Discord

Star on GitHub

Star

Chat on Discord

Discord

online

Can't find what you're looking for?

Get dedicated engineering support directly from the Payload team.