Introspection

As a security measure, you may wish to allow introspection of your APIs and field suggestions ("did you mean …?") only during development and disable them in preview or production APIs.

This may be done for various reasons, including but not limited to:

  • Compliance with certain regulations
  • Reducing the efficiency of automated attacks
  • Preventing leakage of privileged information (as a part of a schema)
  • Minimizing possible attack surfaces

To configure this feature, set the introspection field in the config() export of your grafbase.config.ts file:

```ts
import { config, graph } from '@grafbase/sdk'

const g = graph.Standalone()

g.query('secret', {
  returns: g.string(),
  resolver: 'secret',
})

export default config({
  graph: g,
  // here we're disabling introspection completely,
  // in all environments
  introspection: false,
  auth: {
    rules: rules => {
      rules.public()
    },
  },
})
```

Below is an additional example that allows introspection only when running the dev command:

```ts
import { config, graph } from '@grafbase/sdk'

const g = graph.Standalone()

g.query('secret', {
  returns: g.string(),
  resolver: 'secret',
})

export default config({
  graph: g,
  // here we're disabling introspection for all environments,
  // except the local `dev` command (does not apply to `start`,
  // which is considered production)
  introspection: process.env.GRAFBASE_ENV === 'dev',
  auth: {
    rules: rules => {
      rules.public()
    },
  },
})
```

As seen above, you can use process.env.GRAFBASE_ENV to discriminate between environments as you wish.

The process.env.GRAFBASE_ENV value for each environment:

Environment    Value
Development    "dev"
Preview        "preview"
Production     "production"

Introspection is enabled by default on all environments.
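Because the default is on, it is worth confirming the setting actually took effect on a preview or production endpoint. The following is an added example, not code from the Grafbase docs or SDK: it sends nothing itself, but classifies the JSON bodies an endpoint returns to an introspection query and to a misspelled field, so you can feed in captured responses and get a pass/fail answer. The sample responses and their error wording are constructed for illustration.

```typescript
// Added example, not Grafbase code: classify a GraphQL endpoint's JSON responses to two
// probes and report whether introspection and "did you mean" suggestions are exposed.
// Standard introspection query: any non-null `__schema` in `data` means introspection is on.
const INTROSPECTION_PROBE = '{ __schema { queryType { name } } }'
// Deliberate misspelling of the page's `secret` field, to provoke a field suggestion.
const SUGGESTION_PROBE = '{ secrett }'

interface GraphQLResponse {
  data?: Record<string, unknown> | null
  errors?: { message: string }[]
}
interface Finding { check: string; probe: string; exposed: boolean; detail: string }

// Introspection counts as enabled only if the server actually returned schema data.
function introspectionExposed(body: GraphQLResponse): boolean {
  const data = body.data
  return data != null && typeof data === 'object' && data['__schema'] != null
}

// Field suggestions leak schema field names through validation error text.
function suggestionsExposed(body: GraphQLResponse): boolean {
  return (body.errors ?? []).some(e => /did you mean/i.test(e.message))
}

// Summarise both probes; pass expectDisabled=true for preview/production endpoints,
// where either feature being exposed means the config did not take effect.
function auditIntrospection(
  introBody: GraphQLResponse, suggestBody: GraphQLResponse, expectDisabled: boolean,
): { findings: Finding[]; ok: boolean } {
  const intro = introspectionExposed(introBody)
  const suggest = suggestionsExposed(suggestBody)
  const findings: Finding[] = [
    { check: 'introspection', probe: INTROSPECTION_PROBE, exposed: intro,
      detail: intro ? '__schema returned in data' : 'no __schema in data' },
    { check: 'field-suggestions', probe: SUGGESTION_PROBE, exposed: suggest,
      detail: suggest ? 'error text contains "did you mean"' : 'no suggestion in errors' },
  ]
  return { findings, ok: !expectDisabled || findings.every(f => !f.exposed) }
}

// Constructed sample bodies (wording is illustrative, not Grafbase's actual messages):
// how a dev endpoint with both features on, and a locked-down endpoint, would answer.
const DEV_INTRO: GraphQLResponse = { data: { __schema: { queryType: { name: 'Query' } } } }
const DEV_SUGGEST: GraphQLResponse = {
  errors: [{ message: 'Unknown field "secrett" on type "Query". Did you mean "secret"?' }],
}
const PROD_INTRO: GraphQLResponse = { data: null, errors: [{ message: 'Introspection is disabled.' }] }
const PROD_SUGGEST: GraphQLResponse = { errors: [{ message: 'Unknown field "secrett" on type "Query".' }] }
```

Running `auditIntrospection(PROD_INTRO, PROD_SUGGEST, true)` on real production responses should yield `ok: true`; a `false` means introspection or suggestions are still reachable there.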
