graphql-security
GraphQL Security
GraphQL's flexibility — arbitrary queries, nested traversal, batched operations — creates attack surfaces that don't exist in REST. Each must be explicitly mitigated.
1. Disable Introspection in Production
Introspection exposes the full schema: every type, field, mutation, and their relationships. It's a free recon tool for attackers.
```js
// Apollo Server: the `introspection` flag gates __schema / __type queries.
import { ApolloServer } from '@apollo/server';

const server = new ApolloServer({
  typeDefs,   // your schema SDL
  resolvers,  // your resolver map
  introspection: process.env.NODE_ENV !== 'production',
});
```

```js
// GraphQL Yoga / envelop: the plugin rejects introspection selections at validation time.
import { createYoga } from 'graphql-yoga';
import { useDisableIntrospection } from '@envelop/disable-introspection';

const yoga = createYoga({ schema, plugins: [useDisableIntrospection()] });
```
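What "disabling introspection" actually enforces is a validation-time rejection of the `__schema` and `__type` fields, while `__typename` stays allowed because ordinary clients send it constantly. The dependency-free scanner below is an added example, not code from this skill or from Apollo/envelop; it finds those fields at any nesting depth and skips string literals and comments so that a `"__schema"` argument value does not trigger a false positive. The sample queries are constructed.

```javascript
// Added example: flag __schema / __type selections in a raw query string,
// allowing __typename. Skips strings and comments to avoid false positives.
const INTROSPECTION_FIELDS = new Set(['__schema', '__type']);

// Tokenise just enough of the GraphQL grammar to locate Name tokens that sit
// outside strings and comments. Returns the introspection names encountered.
function findIntrospectionFields(query) {
  const found = [];
  let i = 0;
  while (i < query.length) {
    const ch = query[i];
    if (ch === '#') {                          // comment runs to end of line
      while (i < query.length && query[i] !== '\n') i++;
    } else if (query.startsWith('"""', i)) {   // block string """..."""
      const end = query.indexOf('"""', i + 3);
      i = end === -1 ? query.length : end + 3;
    } else if (ch === '"') {                   // ordinary string, honour escapes
      i++;
      while (i < query.length && query[i] !== '"') i += query[i] === '\\' ? 2 : 1;
      i++;
    } else if (/[_A-Za-z]/.test(ch)) {         // Name token: [_A-Za-z][_0-9A-Za-z]*
      let j = i;
      while (j < query.length && /[_0-9A-Za-z]/.test(query[j])) j++;
      const name = query.slice(i, j);          // full name, so __typename is not matched
      if (INTROSPECTION_FIELDS.has(name)) found.push(name);
      i = j;
    } else {
      i++;
    }
  }
  return found;
}

// Policy decision a gateway or middleware would make before execution.
function isIntrospectionQuery(query) {
  return findIntrospectionFields(query).length > 0;
}

// Constructed sample requests.
const probe = '{ __schema { types { name fields { name } } } }';
const aliasedProbe = 'query Q { t: __type(name: "User") { fields { name } } }';
const benign = 'query { me { id __typename } } # __schema only in a comment';
const stringOnly = '{ search(term: "__schema") { id } }';
```

In production prefer graphql-js's built-in `NoSchemaIntrospectionCustomRule`, which works on the parsed AST and is what the plugins above apply; this scanner only makes visible what that rule enforces.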