GraphQL Disable Introspection

Disables introspection queries on your API. This is useful in production to prevent attackers from learning about your API. You can still keep introspection enabled for any request not going through Zuplo.


The configuration below shows how to configure the policy in the 'policies.json' document.

{
  "name": "my-graphql-disable-introspection-inbound-policy",
  "policyType": "graphql-disable-introspection-inbound",
  "handler": {
    "export": "GraphQLDisableIntrospectionInboundPolicy",
    "module": "$import(@zuplo/runtime)",
    "options": {}
  }
}

  • name: The name of your policy instance. This is used as a reference in your routes.
  • policyType: The identifier of the policy. This is used by the Zuplo UI. Value should be graphql-disable-introspection-inbound.
  • handler/export: The name of the exported type. Value should be GraphQLDisableIntrospectionInboundPolicy.
  • handler/module: The module containing the policy. Value should be $import(@zuplo/runtime).
  • handler/options: The options for this policy.

GraphQL Disable Introspection

This policy allows you to disable introspection queries on your API. Any introspection query will be blocked with a 403 Forbidden response.
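To make concrete what "any introspection query" covers, the following added example (not Zuplo's implementation and not code from the Zuplo runtime) sketches a token-level check a gateway could apply to a GraphQL POST body before deciding on the 403. The function names `isIntrospectionQuery` and `shouldBlock` are hypothetical, the sample bodies are constructed, and it assumes requests arrive as JSON (single or batched) or as a raw GraphQL document.

```typescript
// Added example, not Zuplo's implementation: decide whether a GraphQL POST body
// contains an introspection query. __schema and __type are the introspection entry
// points in the GraphQL spec; __typename is an ordinary meta field and is not flagged.

// One left-to-right pass over block strings, quoted strings and # comments, so a
// quote inside a comment (or a # inside a string) cannot hide the text between them.
const STRINGS_AND_COMMENTS = /"""(?:\\"""|[\s\S])*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*/g;
const INTROSPECTION_FIELD = /\b__(?:schema|type)\b/;

function isIntrospectionQuery(query: string): boolean {
  // Blank out literals and comments, then look for the reserved field names.
  return INTROSPECTION_FIELD.test(query.replace(STRINGS_AND_COMMENTS, " "));
}

// Hypothetical helper: true when the request should get 403 instead of being forwarded.
function shouldBlock(rawBody: string): boolean {
  let documents: string[];
  try {
    // Parse first so JSON escapes such as \u005f\u005fschema are decoded before the scan.
    const parsed = JSON.parse(rawBody);
    const operations = Array.isArray(parsed) ? parsed : [parsed]; // batched requests
    documents = operations
      .map((op: any) => op?.query)
      .filter((q: unknown): q is string => typeof q === "string");
  } catch {
    documents = [rawBody]; // not JSON: scan the body as a raw GraphQL document
  }
  return documents.some(isIntrospectionQuery);
}

// Constructed sample bodies (not captured traffic).
const SAMPLES: [string, string][] = [
  ["plain", JSON.stringify({ query: "{ __schema { types { name } } }" })],
  ["jsonEscaped", '{"query":"{ \\u005f\\u005fschema { types { name } } }"}'],
  ["hiddenByComments", JSON.stringify({ query: '# """\n{ __schema { queryType { name } } }\n# """' })],
  ["batched", JSON.stringify([{ query: "{ ping }" }, { query: '{ __type(name: "User") { name } }' }])],
  ["typenameOnly", JSON.stringify({ query: "{ user(id: 1) { __typename name } }" })],
  ["insideString", JSON.stringify({ query: '{ search(term: "__schema") { id } }' })],
];

SAMPLES.forEach(([label, body]) => {
  console.log(label, shouldBlock(body) ? "403" : "forward");
});
```

A token scan like this errs on the side of blocking; a filter built on a full GraphQL parser would inspect the selected fields instead of matching names.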
