How to Disable Introspection in Production in GraphQL
To disable introspection in production in GraphQL, you add a validation rule that rejects introspection queries based on the environment. The rule inspects each incoming query for introspection fields and rejects it when the server runs in production mode, so the schema is not exposed to anyone who can reach the endpoint.
Syntax
To disable introspection, you add a validation rule to your GraphQL server configuration that checks for introspection queries and rejects them in production.
Key parts:
- validationRules: Array of rules used to validate incoming queries before they execute.
- NoSchemaIntrospectionCustomRule: A built-in rule exported by the graphql package that blocks introspection queries.
- Environment check to apply the rule only in production.
```javascript
const { ApolloServer } = require('apollo-server');
const { NoSchemaIntrospectionCustomRule } = require('graphql');

// typeDefs and resolvers are defined as usual for your schema.
const server = new ApolloServer({
  typeDefs,
  resolvers,
  // Install the rule only when NODE_ENV is 'production'.
  validationRules: process.env.NODE_ENV === 'production'
    ? [NoSchemaIntrospectionCustomRule]
    : [],
});
```
Example
This example shows how to disable introspection queries in production using Apollo Server. When NODE_ENV is set to production, introspection queries are blocked and return an error.
```javascript
const { ApolloServer, gql } = require('apollo-server');
const { NoSchemaIntrospectionCustomRule } = require('graphql');

const typeDefs = gql`
  type Query {
    hello: String
  }
`;

const resolvers = {
  Query: {
    hello: () => 'Hello world!',
  },
};

const server = new ApolloServer({
  typeDefs,
  resolvers,
  // The rule is only installed in production; elsewhere the empty array
  // leaves the default validation (and introspection) untouched.
  validationRules: process.env.NODE_ENV === 'production'
    ? [NoSchemaIntrospectionCustomRule]
    : [],
});

server.listen().then(({ url }) => {
  console.log(`Server ready at ${url}`);
});
```
Output
Server ready at http://localhost:4000/
Common Pitfalls
Common mistakes when disabling introspection include:
- Not checking the environment, which blocks introspection even in development.
- Forgetting to import or use the correct validation rule.
- Blocking introspection but not handling errors gracefully on the client side.
Always test your server in both development and production modes to ensure expected behavior.
```javascript
/* Wrong: blocks introspection always, even in development */
const serverWrong = new ApolloServer({
  typeDefs,
  resolvers,
  validationRules: [NoSchemaIntrospectionCustomRule],
});

/* Right: blocks introspection only in production */
const serverRight = new ApolloServer({
  typeDefs,
  resolvers,
  validationRules: process.env.NODE_ENV === 'production'
    ? [NoSchemaIntrospectionCustomRule]
    : [],
});
```
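As an added illustration that is not code from the original article or from Apollo/graphql-js, the following dependency-free check shows which fields the rule rejects and how the NODE_ENV switch behaves, so both modes from the pitfalls above can be exercised without a running server. The names `findIntrospectionFields` and `checkQuery` are chosen here, and the scanner is a simplified string-level stand-in for the library's AST-based rule.

```javascript
// Root meta fields whose result types are introspection types; these are what
// NoSchemaIntrospectionCustomRule rejects. `__typename` is deliberately absent:
// its type is String, the rule allows it, and clients rely on it for caching.
const INTROSPECTION_FIELDS = new Set(['__schema', '__type']);
// Minimal scan of GraphQL source that skips comments and string literals, so a
// "__schema" inside an argument value or a comment is not a false positive.
// This is a simplified stand-in for an AST visitor, not graphql-js's own code.
function findIntrospectionFields(query) {
  const found = [];
  let i = 0;
  while (i < query.length) {
    const ch = query[i];
    if (ch === '#') {                           // comment runs to end of line
      while (i < query.length && query[i] !== '\n') i++;
    } else if (ch === '"') {                    // "..." or """...""" literal
      const close = query.startsWith('"""', i) ? '"""' : '"';
      i += close.length;
      while (i < query.length && !query.startsWith(close, i)) {
        if (query[i] === '\\') i++;             // skip the escaped character
        i++;
      }
      i += close.length;
    } else if (/[_A-Za-z]/.test(ch)) {          // Name token
      let j = i;
      while (j < query.length && /[_0-9A-Za-z]/.test(query[j])) j++;
      const name = query.slice(i, j);
      if (INTROSPECTION_FIELDS.has(name)) found.push(name);
      i = j;
    } else {
      i++;                                      // punctuator or whitespace
    }
  }
  return found;
}

// Same switch as the article's validationRules expression: enforced only in production.
function checkQuery(query, env) {
  const fields = findIntrospectionFields(query);
  if (env !== 'production' || fields.length === 0) return { ok: true, errors: [] };
  const errors = fields.map((f) => `Introspection is disabled in production; field "${f}" is not allowed.`);
  return { ok: false, errors };
}

// Constructed sample inputs: a scanner-style introspection probe and a normal query.
const INTROSPECTION_QUERY = '{ __schema { types { name } } }';
const NORMAL_QUERY = 'query Greeting { hello __typename }';
console.log(checkQuery(INTROSPECTION_QUERY, 'production').ok,   // false
            checkQuery(INTROSPECTION_QUERY, 'development').ok,  // true
            checkQuery(NORMAL_QUERY, 'production').ok);         // true
```

Blocking introspection only limits schema discovery; it is not an authorisation control, so resolvers still need their own access checks.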
Quick Reference
- Use NoSchemaIntrospectionCustomRule to block introspection queries.
- Apply the rule conditionally based on environment (e.g., NODE_ENV).
- Test introspection queries in development so schema exploration keeps working.
- Handle errors on clients gracefully when introspection is disabled.
Key Takeaways
- Disable introspection in production by adding a validation rule like NoSchemaIntrospectionCustomRule.
- Check the environment variable to apply introspection blocking only in production.
- Keep introspection enabled in development for easier debugging and schema exploration.
- Test your GraphQL server behavior in both development and production environments.
- Handle errors gracefully on clients when introspection is disabled.