Configurable Introspection

Yoav Lavi

As a security measure, you may want to allow introspection of your APIs and field suggestions ("did you mean …?") only during development and disable them in preview or production APIs.

This may be done for various reasons, including but not limited to:

  • Compliance with certain regulations
  • Reducing the efficiency of automated attacks, which typically start by dumping the schema or probing for field names
  • Preventing leakage of privileged information (such as internal types, fields or descriptions that are part of the schema)
  • Minimizing the exposed attack surface

Note that disabling introspection hardens the API but is not access control: an attacker who already knows field names can still query them, so it complements rather than replaces your auth rules.

Today we’re releasing the ability to configure whether introspection and suggestions are enabled in grafbase.config.ts:

```ts
import { config, graph } from '@grafbase/sdk'

const g = graph.Standalone()

g.query('secret', {
  returns: g.string(),
  resolver: 'secret',
})

export default config({
  graph: g,
  introspection: false, // here we're disabling introspection completely,
                        // in all environments
  auth: {
    rules: rules => {
      rules.public()
    },
  },
})
```

```ts
import { config, graph } from '@grafbase/sdk'

const g = graph.Standalone()

g.query('secret', {
  returns: g.string(),
  resolver: 'secret',
})

export default config({
  graph: g,
  introspection: process.env.GRAFBASE_ENV === 'dev', // here we're disabling introspection for all environments,
                                                     // except the local `dev` command (does not apply to `start`,
                                                     // which is considered production)
  auth: {
    rules: rules => {
      rules.public()
    },
  },
})
```

As seen above, you can use process.env.GRAFBASE_ENV to distinguish between environments however you wish. Because the second example uses a strict equality check against "dev", an unset or unexpected value leaves introspection disabled, which is the safe default if the variable is ever missing.

The value of process.env.GRAFBASE_ENV for each environment:

| Environment       | Value        |
| ----------------- | ------------ |
| CLI dev command   | "dev"        |
| CLI start command | "production" |
| Preview           | "preview"    |
| Production        | "production" |

Introspection is enabled by default in all environments, so a graph that omits the introspection option keeps exposing its schema in preview and production until you opt out.
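The helpers below are an added example, not code from the Grafbase SDK or from this post. They cover two things a practitioner usually wants next: a fail-closed decision for the introspection option that allows a listed set of environments (here dev and preview, generalizing the single "dev" check above) and a check that can be run against a deployed endpoint to confirm that neither introspection nor field suggestions are exposed. The GRAFBASE_ENV values are those tabled above; the "Did you mean" wording of suggestion errors follows graphql-js conventions and is an assumption about Grafbase's error text; the sample responses are constructed, not captured from a real deployment; fetch is injected so the code runs offline.

```typescript
// Added example, not Grafbase's own code.
// 1. introspectionFor(): a fail-closed decision for grafbase.config.ts.
// 2. classifyGraphQLResponse() / probeEndpoint(): check a deployed endpoint
//    for leaked introspection data or "did you mean" field suggestions.

type GrafbaseEnv = 'dev' | 'preview' | 'production'

// Environments in which introspection is allowed. Anything not listed,
// including an unset or misspelled GRAFBASE_ENV, resolves to false, so a
// deployment mistake cannot silently re-enable introspection.
const INTROSPECTION_ALLOWED = new Set<string>(['dev', 'preview'] satisfies GrafbaseEnv[])

function introspectionFor(env: string | undefined): boolean {
  return env !== undefined && INTROSPECTION_ALLOWED.has(env)
}

// In grafbase.config.ts this would be used as:
//   export default config({ graph: g, introspection: introspectionFor(process.env.GRAFBASE_ENV), ... })

// Standard introspection probe: any GraphQL server with introspection on
// answers it with a `data.__schema` object.
const INTROSPECTION_PROBE = '{ __schema { queryType { name } } }'

// A query for a field that does not exist. Servers with suggestions enabled
// typically append "Did you mean ...?" to the error message (assumed wording).
const SUGGESTION_PROBE = '{ secrt }'

interface ProbeResult {
  introspectionExposed: boolean
  suggestionsExposed: boolean
}

interface GraphQLResponse {
  data?: Record<string, unknown> | null
  errors?: { message: string }[]
}

function parseResponse(body: string): GraphQLResponse | null {
  try {
    return JSON.parse(body) as GraphQLResponse
  } catch {
    // Non-JSON body (for example an HTML error page): treat as nothing
    // exposed here, but a real scan should flag it for manual review.
    return null
  }
}

function classifyGraphQLResponse(body: string): ProbeResult {
  const parsed = parseResponse(body)
  if (parsed === null) {
    return { introspectionExposed: false, suggestionsExposed: false }
  }
  const introspectionExposed =
    parsed.data != null && typeof parsed.data === 'object' && '__schema' in parsed.data
  const suggestionsExposed = (parsed.errors ?? []).some(e => /did you mean/i.test(e.message))
  return { introspectionExposed, suggestionsExposed }
}

// Minimal fetch shape so the probe can be driven by the real fetch or by a
// mock; the result merges both probes.
type FetchLike = (
  url: string,
  init: { method: string; headers: Record<string, string>; body: string },
) => Promise<{ text(): Promise<string> }>

async function probeEndpoint(url: string, fetchImpl: FetchLike): Promise<ProbeResult> {
  const send = async (query: string): Promise<ProbeResult> => {
    const res = await fetchImpl(url, {
      method: 'POST',
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({ query }),
    })
    return classifyGraphQLResponse(await res.text())
  }
  const a = await send(INTROSPECTION_PROBE)
  const b = await send(SUGGESTION_PROBE)
  return {
    introspectionExposed: a.introspectionExposed || b.introspectionExposed,
    suggestionsExposed: a.suggestionsExposed || b.suggestionsExposed,
  }
}

// Constructed sample responses (not captured from a real Grafbase deployment).
const SAMPLE_OPEN = JSON.stringify({ data: { __schema: { queryType: { name: 'Query' } } } })
const SAMPLE_SUGGEST = JSON.stringify({
  errors: [{ message: 'Cannot query field "secrt" on type "Query". Did you mean "secret"?' }],
})
const SAMPLE_CLOSED = JSON.stringify({
  errors: [{ message: 'Cannot query field "secrt" on type "Query".' }],
})

// Mock transport that answers like a hardened production endpoint.
const closedFetch: FetchLike = async () => ({ text: async () => SAMPLE_CLOSED })
```

Run probeEndpoint against a preview or production URL with the real fetch after deploying; both flags should come back false. If introspectionExposed is true in production, the introspection option is either unset (it defaults to enabled) or evaluated against a GRAFBASE_ENV value you did not expect.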