Secure Configuration for GraphiQL and Introspection

[rstoyanchev]

According to the OWASP cheatsheet for GraphQL, GraphiQL and introspection should not be on and accessible without authentication by default. For now simply having GraphiQL disabled by default, but beyond that we need to consider the options more broadly. How it works out of the box, how it is configured and controlled, how it relates to development mode, security settings, and so on.

[andimarek]

I must say that I don't understand why Introspection should be ever disabled. Introspection is an integral part of GraphQL and no service I know disables it. In fact there is no obvious way to do that in GraphQL Java and nobody ever asked for it afaik.

Of course you can argue you want it authenticated, which is a reasonable ask.

[rstoyanchev]

I know even less but probably applies in cases where the data is sensitive. There is a link to a real-world example that's along those lines. My best guess is it probably comes down to a convenient way to control it and what the default settings should be.

[cforce]

relates to #252

[bclozel]

I'm closing this issue as superseded by spring-projects/spring-boot#29248 as it's adressed the introspection part.
#252 and #257 are covering other aspects of this, and I'm sure other issues will point new ones.