Add native support for disabling GraphQL introspection #1418

@TimHaerkens

Description

Goes along with statamic/cms#13880

Statamic uses rebing/graphql-laravel under the hood, which supports disabling introspection via graphql.security.disable_introspection. However, Statamic's config/statamic/graphql.php does not expose this setting.

Currently, users must either call config() manually in their AppServiceProvider or publish the full config/graphql.php from the rebing package (which breaks Statamic's auto-configuration of the GraphQL schema). Neither is ideal, and introspection enabled in production is a known security concern.

Proposed solution: Add a security.disable_introspection option to config/statamic/graphql.php, controllable via a STATAMIC_GRAPHQL_INTROSPECTION_DISABLED env variable, and forward it to the rebing config in the existing ServiceProvider boot logic.
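For readers who want to see what the forwarding step looks like in practice, here is an added example (not code from the issue author or the statamic/cms project). It is the workaround the issue describes, written into a site's own AppServiceProvider; the same few lines are what the issue proposes Statamic ship itself. Assumed names: the proposed config key statamic.graphql.security.disable_introspection and the env variable STATAMIC_GRAPHQL_INTROSPECTION_DISABLED are taken from the issue text, and it is assumed that rebing/graphql-laravel reads graphql.security.disable_introspection at query-validation time, so setting it during boot() is early enough.

```php
<?php

namespace App\Providers;

use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Proposed addition to config/statamic/graphql.php (key name assumed
        // from the issue; default false keeps today's behaviour):
        //
        //   'security' => [
        //       'disable_introspection' => env('STATAMIC_GRAPHQL_INTROSPECTION_DISABLED', false),
        //   ],
        //
        // Read it with a safe default so a missing key never enables anything.
        $disableIntrospection = (bool) config(
            'statamic.graphql.security.disable_introspection',
            false
        );

        // Forward to rebing/graphql-laravel. This is the key that package
        // already honours; it enforces it with the DisableIntrospection
        // validation rule, so __schema / __type queries are rejected.
        config([
            'graphql.security.disable_introspection' => $disableIntrospection,
        ]);
    }
}
```

To confirm the setting took effect in a given environment, POST the query `{ __schema { types { name } } }` to the GraphQL endpoint: with introspection disabled the response carries an `errors` entry instead of a type list, while `{ entries(collection: "pages") { data { title } } }` (or any ordinary query) keeps working. Keeping the default at false preserves introspection for local development, where tools such as GraphiQL depend on it.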
