How to protect my GraphQL endpoint?

Hi Sebastian,

Stupid question maybe but how do I protect my GraphQL endpoint ( in Squidex?

I do not want it to be publicly accessible.

Only my front-end should be able to send requests to it.

How have you configured it in your hosted/managed Squidex service?

Why is the graphql endpoint not protected? This would be a severe bug.

Edit: I’m on Squidex 7.8.2

I did some testing and I found that if i open a new tab (blank page) in Chrome in incognito mode and paste in a fetch request in the dev tools console I get a:

(anonymous) @ VM37:1
11:39:59.620 VM37:1 Fetch failed loading: POST “”.
(anonymous) @ VM37:1
11:39:59.622 VM37:2 Uncaught TypeError: Failed to fetch
at :1:24
(anonymous) @ VM37:1

But when I open a new tab and navigate to e.g. and THEN trigger the same fetch request in the console the request is successful and I get my data back. Not the behavior I was expecting but it’s probably something built into Chrome that prevents you from executing certain JavaScript in that blank tab context :thinking:

Here’s the snippet that I use if you want to try and reproduce; modify it to your schema and then just copy paste and execute it on your Chrome devtools console:

const response = await fetch(
        method: "POST",
        headers: {
          "Content-Type": "application/json",
        body: JSON.stringify({
          query: `{
            queryBlogPostContents(filter: "data/slug/en_US eq 'a-cool-article'") {
              flatData {

    const result = await response.json();

I get a 401 in chrome console and in postman

I fixed it via Azure portal for my app service by properly configuring network settings.

But the endpoint is indeed open to the public by default.

You should probably make it so that it’s not publicly available by default.

As i said: I cannot reproduce it.

hmm okay, strange. I don’t know what else it could be :thinking:

Are you sure you do not have an anonymous client?

Hmm i checked clients but it never struck me those were also related to the graphql endpoint since graphql was added at a later stage and i dont think neither the ui or docs mention graphql in clients section. But will have a look again.

okay so it turned out to be one of my clients that I had at the bottom of the list. It had anonymous turned on. But I never thought that would impact the GraphQL endpoint, only the REST ones. Anyways now I know how it’s all related and also it forced me to check my access restriction settings in Azure that I had totally ignored for a while :crazy_face:

Thanks for pointing me into the right direction, Sebastian. You can close this one now.

1 Like