Zuplo
GraphQL

GraphQL Disable Introspection Policy

This is useful in production to prevent attackers from learning about your API. You can still keep introspection enabled for any request not going through Zuplo.

This policy allows you to disable introspection queries on your API. Any introspection query will be blocked with a 403 Forbidden response.

Configuration

The configuration shows how to configure the policy in the 'policies.json' document.

{
  "name": "my-graphql-disable-introspection-inbound-policy",
  "policyType": "graphql-disable-introspection-inbound",
  "handler": {
    "export": "GraphQLDisableIntrospectionInboundPolicy",
    "module": "$import(@zuplo/runtime)",
    "options": {}
  }
}
json

Policy Configuration

  • name <string> - The name of your policy instance. This is used as a reference in your routes.
  • policyType <string> - The identifier of the policy. This is used by the Zuplo UI. Value should be graphql-disable-introspection-inbound.
  • handler.export <string> - The name of the exported type. Value should be GraphQLDisableIntrospectionInboundPolicy.
  • handler.module <string> - The module containing the policy. Value should be $import(@zuplo/runtime).
  • handler.options <object> - The options for this policy. See Policy Options below.

Policy Options

The options for this policy are specified below. All properties are optional unless specifically marked as required.

Using the Policy

Read more about how policies work

Archive Response to AWS S3 PolicyGraphQL Complexity Limit Policy