Block GraphQl introspection

I have…

  • Read the following guideline: Troubleshooting and Support | Squidex. I understand that my support request might get deleted if I do not follow the guideline.
  • Used code blocks with ``` to format my code examples like JSON or logs properly.

I’m submitting a…

  • Regression (a behavior that stopped working in a new release)
  • Bug report
  • Performance issue
  • Documentation issue or request

Current behavior

Hello.

I’m currently making changes to a website that uses Squidex as its backend. During a recent security analysis conducted by an external security team, a concern was raised regarding the GraphQL endpoint and its introspection capabilities.
They mentioned the following:

GraphQL exposed with active introspection, allowing access to the web application schema;
Public queries available, allowing the recovery of all assets through the GraphQL endpoint;
There are potentially intrusive mutations, but they have not been tested due to lack of authorization.

Here is an example of personal information that was exposed:

Is there a way to restrict or disable introspection in Squidex? What would be the recommended best practices to address this kind of exposure?

Thanks

Expected behavior

Minimal reproduction of the problem

Environment

App Name:

  • Self hosted with docker
  • Self hosted with IIS
  • Self hosted with other version
  • Cloud version

Version: [VERSION]

Browser:

  • Chrome (desktop)
  • Chrome (Android)
  • Chrome (iOS)
  • Firefox
  • Safari (desktop)
  • Safari (iOS)
  • IE
  • Edge

Others:

You are talking about two disting topics. I think for introspection and the graphql queries you have posted you need an api key, so I do not see the problem. But if you do not want to expose email addresse, users can hide in their profile.

Thank you for the explanation @Sebastian

Are you fine now or is there still something you need?