GraphQL Introspection Enabled in Production
GraphQL introspection is left enabled in production, allowing anyone to query the complete schema and discover all types, fields, mutations, and their argument structures.
How It Works
Introspection is GraphQL's built-in schema discovery feature — essential for development tooling. In production, it gives attackers a complete blueprint of your data model. They learn every type name, field name, relationship, and what mutations exist. This dramatically accelerates finding authorization bypasses and sensitive field leaks.
```javascript
// BAD: default Apollo Server config has introspection enabled
// (Apollo Server 3 and 4 default it to true unless NODE_ENV is 'production')
import { ApolloServer } from '@apollo/server';

const server = new ApolloServer({
  typeDefs,
  resolvers,
  // introspection: true by default in non-production... but check your setup
});
```

```javascript
// GOOD: explicitly disable introspection in production
// (Apollo Server 4 import paths; Apollo Server 3 exports the plugin from 'apollo-server-core')
import { ApolloServer } from '@apollo/server';
import { ApolloServerPluginLandingPageDisabled } from '@apollo/server/plugin/disabled';

const isProduction = process.env.NODE_ENV === 'production';

const server = new ApolloServer({
  typeDefs,
  resolvers,
  introspection: !isProduction,
  // Also disable the landing page (playground/sandbox) in production
  plugins: isProduction ? [ApolloServerPluginLandingPageDisabled()] : [],
});
```
Real-World Example
Security researchers routinely run introspection queries as the first step when testing GraphQL APIs. With the schema in hand, automated tools can generate all possible queries and mutations to test for authorization issues. Shopify's API security team specifically recommends disabling introspection in production.
How to Prevent It
- Set introspection: false in Apollo Server or your GraphQL framework for production
- Also disable the GraphQL playground/sandbox in production
- If you need schema access for clients, provide a manually curated docs page instead
- Test by sending an introspection query to your production endpoint: {__schema{types{name}}}
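The last step above, turned into a repeatable post-deployment check. This is an added example, not code from the page or from Apollo; the function names are hypothetical and the two sample responses are constructed to show an enabled and a disabled server.

```javascript
// Minimal introspection probe from the prevention list above.
const INTROSPECTION_PROBE = '{__schema{types{name}}}';

// JSON body for a GraphQL-over-HTTP POST.
function buildProbeBody() {
  return JSON.stringify({ query: INTROSPECTION_PROBE });
}

// Classify a parsed response body:
//  'enabled'  -> __schema came back, introspection is reachable
//  'disabled' -> the server answered with errors and no schema data
//  'unknown'  -> not a GraphQL response (WAF page, 404, non-JSON)
function classifyIntrospection(body) {
  if (!body || typeof body !== 'object') return 'unknown';
  const schema = body.data && body.data.__schema;
  if (schema && Array.isArray(schema.types)) return 'enabled';
  if (Array.isArray(body.errors) && body.errors.length > 0) return 'disabled';
  return 'unknown';
}

// User-defined type names an enabled server revealed (built-in __* types
// and default scalars dropped) so the finding can be triaged by exposure.
function exposedTypeNames(body) {
  if (classifyIntrospection(body) !== 'enabled') return [];
  const builtins = new Set(['String', 'Int', 'Float', 'Boolean', 'ID']);
  return body.data.__schema.types
    .map((t) => t.name)
    .filter((n) => typeof n === 'string' && !n.startsWith('__') && !builtins.has(n));
}

// Live check against your own endpoint (Node 18+ global fetch); not exercised offline.
async function checkEndpoint(url) {
  const res = await fetch(url, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: buildProbeBody(),
  });
  let body = null;
  try { body = await res.json(); } catch (_) { /* non-JSON stays 'unknown' */ }
  return { status: res.status, verdict: classifyIntrospection(body), types: exposedTypeNames(body) };
}

// Constructed sample responses (not captured from a real server).
const SAMPLE_ENABLED = { data: { __schema: { types: [
  { name: 'Query' }, { name: 'User' }, { name: '__Type' }, { name: 'String' },
] } } };
const SAMPLE_DISABLED = { errors: [{ message: 'introspection is disabled (constructed)' }] };
```

Run `checkEndpoint('https://api.example.com/graphql')` against production after each deploy; a verdict of `enabled` means the hardening in the GOOD config above did not take effect.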
Related Vulnerabilities
- API Documentation Exposed in Production (low): Swagger UI, ReDoc, or other API documentation interfaces publicly accessible in production, giving attackers a free interactive map of every endpoint, parameter, and authentication method.
- GraphQL Without Query Depth Limit (medium): GraphQL API with no depth limit on nested queries, allowing attackers to craft deeply nested queries that exhaust server resources and cause denial of service.
- GraphQL Batching Attack (medium): GraphQL endpoints accepting arrays of operations without size limits, enabling attackers to bypass rate limiting by bundling thousands of requests into a single HTTP call.
- Excessive Data Exposure (medium): API endpoints returning full database objects with sensitive fields instead of only the fields the client actually needs, exposing password hashes, internal IDs, admin flags, and other sensitive data.