Disable introspection queries in GraphQL with a simple validation rule. Queries that contain `__schema` or `__type` will fail validation with this rule. For example, the following queries will be rejected:

```graphql
query {
  __schema {
    queryType {
      name
    }
  }
}

query {
  __type(name: "Query") {
    description
    fields {
      name
    }
  }
}
```
The package can be installed from npm:

```sh
npm install --save graphql-disable-introspection
```
It exports a single validation rule, which you can pass to your Node GraphQL server with the `validationRules` argument.

Here's an example for `graphql-server-express`:
```diff
  import express from 'express';
  import bodyParser from 'body-parser';
  import { graphqlExpress } from 'graphql-server-express';
+ import NoIntrospection from 'graphql-disable-introspection';

  const myGraphQLSchema = // ... define or import your schema here!
  const PORT = 3000;

  var app = express();

  // bodyParser is needed just for POST.
  app.use('/graphql', bodyParser.json(), graphqlExpress({
    schema: myGraphQLSchema,
+   validationRules: [NoIntrospection]
  }));

  app.listen(PORT);
```
If you're using `express-graphql`, it works exactly the same way:
```diff
  app.use('/graphql', graphqlHTTP({
    schema: MyGraphQLSchema,
+   validationRules: [NoIntrospection]
  }));
```
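To audit logged queries, or to pre-filter at a gateway in front of the server, the "contains `__schema` or `__type`" decision described at the top of this page can be approximated without a GraphQL parser. This is an added example, not the package's code: `findIntrospection` and the sample queries are constructed here, and because it works on tokens rather than the parsed document it complements the validation rule rather than replacing it.

```javascript
// Added example (not the package's source). Token-level scan for the two
// introspection entry points; names and sample queries are constructed here.
const BLOCKED = new Set(['__schema', '__type']);

// One left-to-right pass over block strings, ordinary strings and # comments,
// so a quote inside a comment (or a # inside a string) cannot confuse the scan.
const LITERALS = /"""(?:\\"""|[\s\S])*?"""|"(?:\\.|[^"\\\n])*"|#[^\n\r]*/g;

// GraphQL names: a letter or underscore, then letters, digits or underscores.
const NAME = /[_A-Za-z][_0-9A-Za-z]*/g;

// Returns the blocked names found in the query text, without duplicates.
function findIntrospection(query) {
  const names = query.replace(LITERALS, ' ').match(NAME) || [];
  return [...new Set(names.filter((name) => BLOCKED.has(name)))];
}

// Constructed sample input: the first two are the queries shown on this page.
const samples = {
  schemaQuery: 'query { __schema { queryType { name } } }',
  typeQuery: 'query { __type(name: "Query") { description fields { name } } }',
  // Aliased and moved into a fragment: still selects __schema.
  viaFragment: 'query { ...F } fragment F on Query { s: __schema { types { name } } }',
  // __typename is a different name and is not matched.
  typenameOnly: '{ user(id: 1) { __typename name } }',
  // The names appear only inside a string argument and a comment.
  inLiterals: '{ search(text: "__schema") { id } } # __type',
};

for (const [label, query] of Object.entries(samples)) {
  const hits = findIntrospection(query);
  console.log(label, hits.length ? `flagged: ${hits.join(', ')}` : 'clean');
}
```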