
Introspection query policy

@thewizarodofoz thewizarodofoz released this 04 Aug 06:19
· 15 commits to master since this release
006708d

Currently stitch exposes GRAPHQL_INTROSPECTION with a default of true.
Enabling the introspection query in production is a security vulnerability in some use cases, so we want to control access to the introspection query using a policy instead.

This change adds the introspectionQueryPolicy resource type, which can be added in the same way as the base policy, via the CLI or the registry GraphQL gateway.

If the introspection query policy is not provided, the introspection query will be allowed by default (assuming GRAPHQL_INTROSPECTION is true).