GraphQL endpoint schema leak

Hi everyone.
I’ve been reading about introspection in GraphQL, and with it we can get information about the server’s available queries, types, fields, mutations and more. The question is: is it necessary to disable this feature to avoid information disclosure?

It all depends on the application. On open-source applications like Integrates, GraphQL introspection gives an attacker no more information than looking at the source code. On closed, proprietary applications, introspection may indeed reveal internals that might otherwise not be gathered by an attacker.

So if the application is not open-source, would it be convenient to disable this feature, for security reasons?

Or add a security layer to access it (authentication, authorization or access control). However, it also depends on who the expected user is. If it’s anyone on the Internet, it may as well be open even if it’s proprietary.

If the API is created to be documented and used by different kinds of actors, similar to a public REST API, it will be normal to have introspection enabled!
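The three positions in this thread (leave introspection open for a public API, require an authenticated caller, or disable it outright) can be expressed as a single policy check in front of the GraphQL executor. The following is an added example, not code from the original thread: a hypothetical gate that detects `__schema`/`__type` selections in an operation document (ignoring string literals and comments so an argument value containing "__schema" is not a false positive) and applies the chosen policy. In a real deployment the server's own switch, such as graphql-js's `NoSchemaIntrospectionCustomRule` validation rule, does the enforcement; the point here is the policy decision.

```python
import re

# Hypothetical policy gate; policy is one of 'open', 'authenticated', 'disabled'.
# __typename is deliberately not matched: \b fails between "type" and "name".
INTROSPECTION_FIELDS = re.compile(r"\b__(schema|type)\b")


def strip_strings_and_comments(document: str) -> str:
    """Blank out GraphQL string literals (plain and block) and # comments so
    that "__schema" inside an argument value or comment is not mistaken
    for a real selection."""
    out, i, n = [], 0, len(document)
    while i < n:
        ch = document[i]
        if document.startswith('"""', i):          # block string """..."""
            j = document.find('"""', i + 3)
            i = n if j < 0 else j + 3
            out.append(" ")
        elif ch == '"':                            # ordinary string "..."
            i += 1
            while i < n and document[i] != '"':
                i += 2 if document[i] == "\\" else 1   # skip escaped chars
            i += 1
            out.append(" ")
        elif ch == "#":                            # comment to end of line
            while i < n and document[i] != "\n":
                i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def requests_introspection(document: str) -> bool:
    """True if the operation selects __schema or __type anywhere."""
    cleaned = strip_strings_and_comments(document)
    return INTROSPECTION_FIELDS.search(cleaned) is not None


def introspection_allowed(document: str, policy: str, authenticated: bool) -> bool:
    """Decide whether to execute the operation under the given policy.
    Non-introspection operations are always passed through."""
    if not requests_introspection(document):
        return True
    if policy == "open":            # public API, like a documented REST API
        return True
    if policy == "authenticated":   # proprietary API with known callers
        return authenticated
    return False                    # 'disabled': never serve the schema
```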
