HCL Commerce Version 9.1.20.0 or later

Disabling GraphQL introspection

You can disable GraphQL introspection by overriding the GraphQL server configuration in opts.yaml and setting introspection to false. This option is provided to support customers who want to disable introspection based on their own risk assessment (introduced for HCL Commerce V9.1.20.0).

Before you begin

Ensure you have access to your GraphQL server deployment and can provide an override configuration file in /SETUP/Custom/opts.

About this task

GraphQL introspection allows a client to query the schema (types and fields) by using introspection fields such as schema and type.

The default behavior remains introspection: true for backward compatibility. When introspection: false is configured, introspection is effectively disabled and schema details are not exposed through introspection queries.

To learn more about the potential impacts of disabling introspection and how to recover if issues occur, see GraphQL introspection: potential impacts and fallback options.

For background on packaging custom extensions and custom configuration locations, see HCL Commerce GraphQL extensions and Changing GraphQL server configuration.

Procedure

  1. Obtain the default GraphQL server configuration file (opts.yaml).
    One supported approach is to extract the file from the GraphQL container image (example for Docker): 
    
                        docker create --name=temp graphql-app:latest
                        docker cp temp:/package/opts.yaml opts.yaml
                        docker rm temp

    For details on overriding the GraphQL server configuration, see Changing GraphQL server configuration.

  2. Edit opts.yaml and set to . 
    
                        introspection: false
  3. Deploy your updated configuration file as a custom override.

    Place the updated opts.yaml under /SETUP/Custom/opts. The directory /SETUP/Custom/opts should contain any custom configuration files.

    For more information about the custom extension and configuration packaging mechanism, see HCL Commerce GraphQL extensions.

  4. Restart the GraphQL server (or restart the GraphQL container/pod) to apply the updated configuration.
  5. Verify that introspection is disabled by running an introspection query and confirming schema details are not returned.
    For example, submit a query containing and confirm it is rejected or does not return schema content: 
    
                        query IntrospectionQuery {
                        __schema {
                        queryType { name }
                        mutationType { name }
                        subscriptionType { name }
                        types { name }
                        }
                        }

Results

GraphQL introspection is disabled and schema discovery through / queries is blocked.