Fix guide · high · graphql_introspection_enabled
GraphQL introspection enabled in production
What this rule means
A POST to /graphql (or /api/graphql) carrying a __schema introspection query was answered with the full schema instead of an error, so the endpoint describes itself to anyone who asks.
Why it matters
Attackers learn every type, field, query, mutation and argument your API accepts, including admin operations that were only ever "hidden" by not being documented. Introspection turns guessing field names into reading a map.
How to fix it
- Disable introspection in production:
  - Apollo: pass introspection: process.env.NODE_ENV !== 'production' in the ApolloServer options
  - Yoga: add useDisableIntrospection() (from @graphql-yoga/plugin-disable-introspection) to the plugins list
  - Hasura: turn off schema introspection for the roles that don't need it (Security > Schema Introspection in the console, or the set_graphql_schema_introspection_options metadata API)
- Don't rely on schema hiding alone. Disabling introspection removes the map, not the endpoints: anyone who knows or guesses a field name can still call it. Authorization checks in every resolver are the real protection.
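The two halves of the fix, as an added example that is not vibecheck's, Apollo's or Yoga's code: a re-run of the kind of __schema probe this rule performs, with a classifier for the reply, and a resolver-level role check of the sort the last bullet asks for. It assumes Node 18+ (global fetch); the resolver names, the requireRole helper and the two sample responses are constructed for illustration.

```javascript
// Added example (not vibecheck's or any framework's code).
// Assumes Node 18+ for the global fetch used by the live probe.

const INTROSPECTION_QUERY = '{ __schema { queryType { name } types { name } } }';

// Classify a GraphQL JSON response to the probe above.
// enabled === true means the server handed back its type list.
function classifyIntrospectionResponse(status, body) {
  let parsed;
  try {
    parsed = typeof body === 'string' ? JSON.parse(body) : body;
  } catch {
    return { enabled: false, reason: `HTTP ${status}: non-JSON body, probably not a GraphQL endpoint` };
  }
  const schema = parsed && parsed.data && parsed.data.__schema;
  if (schema && Array.isArray(schema.types)) {
    return { enabled: true, reason: `HTTP ${status}: schema exposed (${schema.types.length} types)` };
  }
  if (Array.isArray(parsed?.errors) && parsed.errors.length > 0) {
    return { enabled: false, reason: `HTTP ${status}: ${parsed.errors.map((e) => e.message).join('; ')}` };
  }
  return { enabled: false, reason: `HTTP ${status}: no __schema in response` };
}

// Live probe: POST the introspection query the same way the finding describes.
async function probeIntrospection(url, extraHeaders = {}) {
  const res = await fetch(url, {
    method: 'POST',
    headers: { 'content-type': 'application/json', ...extraHeaders },
    body: JSON.stringify({ query: INTROSPECTION_QUERY }),
  });
  return classifyIntrospectionResponse(res.status, await res.text());
}

// Resolver-level check (hypothetical helper). Schema hidden or not, a resolver
// that returns privileged data must verify the caller itself.
class ForbiddenError extends Error {}

function requireRole(role, resolver) {
  return (parent, args, context, info) => {
    const roles = context && context.user && context.user.roles;
    if (!Array.isArray(roles) || !roles.includes(role)) {
      throw new ForbiddenError(`role '${role}' required`);
    }
    return resolver(parent, args, context, info);
  };
}

// Hypothetical resolver map: adminUsers is guarded, me is not (it only returns the caller).
const resolvers = {
  Query: {
    me: (_parent, _args, ctx) => (ctx && ctx.user) || null,
    adminUsers: requireRole('admin', () => [{ id: '1', email: 'root@example.com' }]),
  },
};

// Constructed sample responses (not captured from any real service).
const SAMPLE_ENABLED = JSON.stringify({
  data: {
    __schema: {
      queryType: { name: 'Query' },
      types: [{ name: 'Query' }, { name: 'User' }, { name: 'AdminMutation' }],
    },
  },
});
const SAMPLE_DISABLED = JSON.stringify({
  errors: [{ message: 'GraphQL introspection is not allowed, but the query contained __schema or __type.' }],
});

// Usage: node probe.js https://example.com/graphql  (probes the URL)
//        node probe.js                              (classifies the samples offline)
const target = process.argv[2];
if (target) {
  probeIntrospection(target).then((r) => console.log(r), (e) => console.error(e.message));
} else {
  console.log('sample enabled :', classifyIntrospectionResponse(200, SAMPLE_ENABLED));
  console.log('sample disabled:', classifyIntrospectionResponse(400, SAMPLE_DISABLED));
}
```

Run it against the endpoint named in the finding after deploying the fix; the probe should come back with enabled: false and the framework's refusal message. The requireRole guard is what keeps adminUsers safe once an attacker stops getting the schema for free and starts guessing names.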
Did vibecheck flag this on your app?
If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.