graphql-disable-introspection

graphql-disable-introspection

Disable introspection queries in GraphQL with a simple validation rule. Queries that contain __schema or __type will fail validation with this rule. For example, the following queries will be rejected:

query {
  __schema {
    queryType {
      name
    }
  }
}

query {
  __type(name: "Query") {
    description
    fields {
      name
    }
  }
}

Usage

The package can be installed from npm

npm install -save graphql-disable-introspection

It exports a single validation rule which you can pass to your node GraphQL server with the validationRules argument.

Here's an example for graphql-server-express:

import express from 'express';
import bodyParser from 'body-parser';
import { graphqlExpress } from 'graphql-server-express';
+ import NoIntrospection from 'graphql-disable-introspection';

const myGraphQLSchema = // ... define or import your schema here!
const PORT = 3000;

var app = express();

// bodyParser is needed just for POST.
app.use('/graphql', bodyParser.json(), graphqlExpress({
   schema: myGraphQLSchema,
+  validationRules: [NoIntrospection]
}));

app.listen(PORT);

If you're using express-graphql, it works exactly the same way:

app.use('/graphql', graphqlHTTP({
  schema: MyGraphQLSchema,
+ validationRules: [NoIntrospection]
}));