Block Introspection
Introspection in GraphQL is a way for clients to retrieve information about the available types, fields, and queries in a GraphQL API. This can be a security concern, as it provides a blueprint of the API that could be exploited by malicious actors. Blocking introspection is a feature that allows GraphQL API providers to disable this kind of introspection functionality. Organizations may want to use introspection internally but block it in production. Stellate offers a simple way to automatically block introspection at the edge.
The following image illustrates an example of the use of queryIntrospection for a GraphQL query.
You can use the Block Introspection feature to prevent third-party actors from accessing this kind of information.
Blocking Introspection Benefits
- Improved security: Blocking introspection makes it more difficult for malicious actors to gather information about the API, reducing the risk of attacks.
- Maintain control over API access: Blocking introspection allows API providers to have more control over how their API is accessed and used.
- Error messages: When an introspection query is blocked, the feature returns an error message to the client, providing information about the reason for the block.
Add Blocking Introspection
To configure the blocking introspection feature, API providers need to configure it in their Stellate configuration file. To do this:
- In Stellate, go to Services > Your Service > Config.
- In the Stellate Config File, add the following line:
blockIntrospection: true,
- Save your change.
Once this is done, any attempts to make introspection queries will be blocked, and an error message will be returned.
About Blocking and Cache Introspection
Stellate includes a "cache introspection" option, which allows API providers to cache introspection queries instead of blocking them. However, Blocking Introspection and Cache Introspection are mutually exclusive. If you have cacheIntrospection set to true, as shown in the following image, you need to remove the line or set it to false.
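As an added illustration (this is not Stellate's implementation, and the function names are hypothetical), the following JavaScript shows what an edge-side check for introspection queries can look like and why the two settings above must not both be true. It recognises the introspection root fields `__schema` and `__type` (aliased or not) while ignoring `__typename`, which only names the concrete type of one object, and it ignores `__schema` that merely appears inside a string argument or a comment. The sample operations are constructed for the example.

```javascript
// Added example, not Stellate's code: how an edge proxy can recognise a
// GraphQL introspection query and apply the blockIntrospection /
// cacheIntrospection settings. Function names are hypothetical.

// Remove string literals and comments first, so that "__schema" appearing in
// a string argument or a comment is not mistaken for an introspection field.
function stripStringsAndComments(doc) {
  return doc
    .replace(/"""[\s\S]*?"""/g, '""')    // block strings
    .replace(/"(?:\\.|[^"\\])*"/g, '""') // ordinary strings
    .replace(/#[^\n]*/g, '');            // comments
}

// True when the document selects the introspection root fields __schema or
// __type (possibly aliased). __typename is deliberately not matched: it only
// reports the concrete type of one object and does not expose the schema.
function isIntrospectionQuery(doc) {
  const body = stripStringsAndComments(doc);
  return /(^|[^A-Za-z0-9_])__(schema|type)(?![A-Za-z0-9_])/.test(body);
}

// The two options are mutually exclusive; reject a config that sets both.
function validateIntrospectionConfig(config) {
  if (config.blockIntrospection && config.cacheIntrospection) {
    throw new Error('blockIntrospection and cacheIntrospection cannot both be true');
  }
  return config;
}

// Decide what the edge does with one incoming operation:
//   'block'   -> answer with a GraphQL-shaped error, never reach the origin
//   'cache'   -> serve the introspection result from / into the cache
//   'forward' -> ordinary query (or introspection with neither option), pass through
function decideIntrospectionHandling(config, doc) {
  validateIntrospectionConfig(config);
  if (!isIntrospectionQuery(doc)) return { action: 'forward' };
  if (config.blockIntrospection) {
    return {
      action: 'block',
      response: { errors: [{ message: 'Introspection is blocked for this service' }] },
    };
  }
  if (config.cacheIntrospection) return { action: 'cache' };
  return { action: 'forward' };
}

// Constructed sample operations.
const INTROSPECTION = '{ s: __schema { queryType { name } types { name } } }';
const NORMAL = 'query { user(id: "1") { id name __typename } }';
const LOOKALIKE = '{ search(term: "__schema") { id } } # __type mentioned only in a comment';

for (const doc of [INTROSPECTION, NORMAL, LOOKALIKE]) {
  // prints: block, forward, forward
  console.log(decideIntrospectionHandling({ blockIntrospection: true }, doc).action);
}
```

The error body follows the GraphQL response shape (`{ errors: [...] }`) so that clients see the block as an ordinary GraphQL error rather than a transport failure; the exact wording and status code Stellate returns are not specified on this page.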
If you try to set both to true, you will get the following type of error message: