no-graphql-introspection-production
ESLint rule documentation for no-graphql-introspection-production
Disallow GraphQL introspection in production environments
This rule detects GraphQL servers with introspection enabled in production
Severity: 🟡 Warning
CWE: CWE-200
Rule Details
This rule detects GraphQL servers with introspection enabled in production. Introspection allows anyone to query your entire schema, revealing:
- All available queries and mutations
- Data types and relationships
- Potential attack vectors
Examples
❌ Incorrect

```javascript
import { ApolloServer } from 'apollo-server-express';

// Introspection enabled (default) - VULNERABLE in production
const server = new ApolloServer({
  typeDefs,
  resolvers,
  introspection: true,
});
```

✅ Correct

```javascript
import { ApolloServer } from 'apollo-server-express';

// Disable introspection in production - SAFE
const server = new ApolloServer({
  typeDefs,
  resolvers,
  introspection: process.env.NODE_ENV !== 'production',
});
```

```javascript
// Or explicitly disable
const server = new ApolloServer({
  typeDefs,
  resolvers,
  introspection: false,
});
```

Options
| Option | Type | Default | Description |
|---|---|---|---|
| allowInTests | boolean | false | Allow introspection in test files |

```json
{
  "rules": {
    "express-security/no-graphql-introspection-production": [
      "warn",
      {
        "allowInTests": true
      }
    ]
  }
}
```

When Not To Use It
- Development environments where introspection aids debugging
- Internal APIs not exposed to the public
Known False Negatives
The following patterns are not detected due to static analysis limitations:
Options from Variable
Why: Server options stored in variables are not analyzed.
```javascript
// ❌ NOT DETECTED - Options from variable
const serverOpts = { introspection: true };
const server = new ApolloServer(serverOpts);
```

Mitigation: Use inline options. Validate config at startup.
Environment Check in Variable
Why: Environment conditional stored in variable is not traced.
```javascript
// ❌ NOT DETECTED - Condition in variable
const enableIntrospection = process.env.NODE_ENV !== 'production';
// Later...
const server = new ApolloServer({ introspection: enableIntrospection });
```

Mitigation: Use inline environment check.
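The two cases above share one mitigation, validating the configuration at startup. The following is an added example, not code from the ESLint plugin or from Apollo: a small runtime guard that audits whatever options object ends up being passed to the server, regardless of whether it was built in a variable. It assumes that an omitted `introspection` option counts as enabled, matching the "enabled (default)" comment on this page; adjust that if your Apollo version defaults differently.

```javascript
'use strict';

const PRODUCTION = 'production';

// Normalise the option. Assumption: an omitted `introspection` is treated as
// enabled, the conservative reading of this page's "enabled (default)" note.
function introspectionEnabled(options) {
  return options.introspection === undefined ? true : Boolean(options.introspection);
}

// Returns a list of findings; empty when the config is acceptable for the
// environment. `env` defaults to process.env and can be stubbed in tests.
function auditIntrospection(options, env = process.env) {
  const findings = [];
  if (env.NODE_ENV === PRODUCTION && introspectionEnabled(options)) {
    findings.push(
      options.introspection === undefined
        ? 'introspection option omitted in production; set it explicitly to false'
        : 'introspection is enabled while NODE_ENV=production'
    );
  }
  return findings;
}

// Returns a copy of the options with `introspection` made explicit, or throws.
// Failing at startup is preferable to silently serving the whole schema.
function hardenServerOptions(options, env = process.env) {
  const findings = auditIntrospection(options, env);
  if (findings.length > 0) {
    throw new Error(`GraphQL config rejected: ${findings.join('; ')}`);
  }
  return { ...options, introspection: introspectionEnabled(options) };
}

// Usage (constructed): the "options from variable" pattern the lint rule misses.
// const serverOpts = { typeDefs, resolvers, introspection: enableIntrospection };
// const server = new ApolloServer(hardenServerOptions(serverOpts));
```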
Non-Apollo GraphQL Servers
Why: Only Apollo Server patterns are detected by default.
```javascript
// ❌ NOT DETECTED - Other GraphQL servers
import { GraphQLServer } from 'graphql-yoga';
const server = new GraphQLServer({ schema, introspection: true });
```

Mitigation: Configure rule for other GraphQL server libraries.
Gateway/Federation Configuration
Why: Gateway configurations express introspection through different options than a plain server, and the rule does not analyze them.

```javascript
// ❌ NOT DETECTED - Apollo Gateway
const gateway = new ApolloGateway({
  introspectionHeaders: { ... } // May enable introspection indirectly
});
```

Mitigation: Review gateway security docs. Test introspection manually.