Critiq Docs


security.information-exposure

Avoid unconditional GraphQL introspection

Do not pass a literal `introspection: true` to the Apollo Server constructor; gate the option on the deployment environment or on the caller's identity.

#Metadata

Rule ID
ts.security.apollo-server-introspection-exposure
Severity
medium
Confidence
0.84
Languages
javascript, typescript
Presets
recommended, security, strict
Stability
experimental
Applies to
block
Tags
apollo, graphql, rules-catalog, security

#Why it matters

Introspection returns the complete schema: every type, field, argument, enum value, directive and deprecation note. On a production deployment that hands an attacker a full map of the API in a single request, including internal or admin-only operations the public client never references, and it removes most of the guesswork from probing for authorization gaps. Disabling it does not hide the schema from a determined tester (field-name suggestions in error messages and brute-force tooling can recover much of it), but it removes the one-request shortcut and is the expected baseline for a production GraphQL endpoint.

#Remediation

Bind introspection to non-production environments, for example `introspection: process.env.NODE_ENV !== 'production'`, rather than a literal `true`, or keep it enabled only for tooling that has authenticated to the server. Apollo Server already disables introspection by default when `NODE_ENV` is `production`; this rule fires on code that overrides that default unconditionally. Also confirm that `NODE_ENV` is actually set in the deployed process: an unset variable makes the environment guard evaluate to `true`.
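The following is an added example written for this page; it is not Critiq's rule implementation and not code from Apollo. It places the flagged pattern next to the two remediations the rule suggests: deriving the `introspection` flag from the environment, and a request-time guard that only lets authenticated schema tooling run introspection queries. The `isSchemaTool` context field, the `introspectionFor` and `guardIntrospection` helpers and the regex-based query check are all assumptions made for the example; the plugin object follows Apollo Server's `requestDidStart` / `didResolveOperation` hook names but is typed locally so the file runs without `@apollo/server` installed.

```typescript
// Added example, not Critiq's or Apollo's code. Local stand-in for the
// ApolloServer option the rule inspects; the real option is a boolean too.
interface ServerOptions {
  introspection: boolean;
}

// Flagged pattern: introspection is unconditionally on in every environment.
export const flaggedOptions: ServerOptions = { introspection: true };

// Remediation 1: derive the flag from the environment. Assumes NODE_ENV is the
// deployment signal. Note that an *unset* NODE_ENV yields true, which is why
// the deployed process must actually set it.
export function introspectionFor(env: Record<string, string | undefined>): boolean {
  return env.NODE_ENV !== "production";
}

export function guardedOptions(env: Record<string, string | undefined>): ServerOptions {
  return { introspection: introspectionFor(env) };
}

// Remediation 2: leave introspection enabled but reject introspection
// operations from callers that are not authenticated schema tooling.
// Simplified check (assumption): look for the __schema / __type meta-fields in
// the raw query text. The word boundary keeps the ordinary __typename field
// from matching. A production guard should walk the parsed document instead.
const INTROSPECTION_FIELD = /\b__(schema|type)\b/;

export interface RequestContext {
  query: string;
  isSchemaTool: boolean; // set by the auth layer; hypothetical field
}

export function isIntrospectionQuery(query: string): boolean {
  return INTROSPECTION_FIELD.test(query);
}

export function guardIntrospection(ctx: RequestContext): void {
  if (isIntrospectionQuery(ctx.query) && !ctx.isSchemaTool) {
    throw new Error("GraphQL introspection is not permitted for this caller");
  }
}

// Shaped like an Apollo Server plugin (requestDidStart -> didResolveOperation)
// with a local request-context type so the example runs stand-alone.
export interface PluginRequestContext {
  request: { query?: string };
  contextValue: { isSchemaTool?: boolean };
}

export const introspectionGuardPlugin = {
  async requestDidStart() {
    return {
      async didResolveOperation(rc: PluginRequestContext): Promise<void> {
        guardIntrospection({
          query: rc.request.query ?? "",
          isSchemaTool: rc.contextValue.isSchemaTool === true,
        });
      },
    };
  },
};
```

In a real server the plugin would be passed in the `plugins` array and `isSchemaTool` would be populated by whatever authenticates the request (for example a dedicated service token for the schema registry). The environment-gated option is the simpler fix and is what the rule's preset expects; the plugin is for deployments that genuinely need introspection in production for authenticated tooling.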

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.apollo-server-introspection-exposure.rule.yaml.