[Open] webard opened this issue 2 years ago
Implementing this is quite an involved change. A quick search for "suggestion" across the project reveals about a dozen places where information about the schema is leaked through suggestions.
Do you know of any GraphQL servers that make this configurable? It would be valuable to see how they implement it and what choices they made.
I am not fully convinced that we should even make this configurable. I can see the reasoning behind it, but isn't the whole idea of disabling introspection a kind of security through obscurity? Even if suggestions are turned off, the server still leaks information about which fields are available by nature of query validation. Available field names can be brute forced.
Hi, I found the tool https://graphql.security/ and one of the points is:
I think the field name suggestion option should be off by default when introspection is off, or there should be a separate setting for this.
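To make the two positions in this thread concrete (the "Did you mean" hint is a schema leak even with introspection off, and the proposed default of tying the suggestion switch to the introspection switch), here is an added example. It is not the project's code and not taken from the thread: the schema, the edit-distance budget (`len(name) // 2 + 1`), the config keys `introspection` / `field_suggestions`, and the `mask_suggestions` fallback for servers that offer no switch are all assumptions made for this illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample schema (not any real project's): type name -> field names.
SCHEMA_FIELDS: Dict[str, List[str]] = {
    "Query": ["user", "users", "userByEmail", "orders", "health"],
}


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, the usual basis for 'Did you mean' hints."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suggest(unknown: str, candidates: List[str]) -> List[str]:
    """Candidates within an edit-distance budget, closest first.
    The budget of len//2 + 1 is an assumption chosen for this example."""
    budget = len(unknown) // 2 + 1
    scored = sorted((levenshtein(unknown, c), c) for c in candidates)
    return [c for d, c in scored if d <= budget]


def validate_field(type_name: str, field: str,
                   schema: Dict[str, List[str]] = SCHEMA_FIELDS,
                   suggestions: bool = True) -> Optional[str]:
    """Return a validation error for an unknown field, or None if it exists.
    With suggestions on, the error names real fields from the schema: that is
    the leak the thread is about, independent of introspection."""
    fields = schema.get(type_name, [])
    if field in fields:
        return None
    msg = f'Cannot query field "{field}" on type "{type_name}".'
    if suggestions:
        hints = suggest(field, fields)
        if hints:
            msg += " Did you mean " + ", ".join(f'"{h}"' for h in hints) + "?"
    return msg


# Fallback for a server with no suggestion switch: strip the hint from the
# error before it reaches the client (a middleware/error-formatter hook).
SUGGESTION_RE = re.compile(r"\s*Did you mean .*\?$")


def mask_suggestions(message: str) -> str:
    return SUGGESTION_RE.sub("", message)


def server_config(introspection: bool,
                  field_suggestions: Optional[bool] = None) -> Dict[str, bool]:
    """The default proposed in the thread: suggestions follow the introspection
    setting unless explicitly overridden. Config keys are hypothetical."""
    if field_suggestions is None:
        field_suggestions = introspection
    return {"introspection": introspection, "field_suggestions": field_suggestions}


def client_error(type_name: str, field: str, config: Dict[str, bool]) -> Optional[str]:
    """What a client would actually see for a mistyped field under a config."""
    return validate_field(type_name, field, suggestions=config["field_suggestions"])


if __name__ == "__main__":
    leaky = server_config(introspection=False, field_suggestions=True)
    safe = server_config(introspection=False)
    print("leaky:", client_error("Query", "usr", leaky))
    print("safe: ", client_error("Query", "usr", safe))
    print("masked:", mask_suggestions(client_error("Query", "usr", leaky)))
```

Running it shows that with introspection off but suggestions still on, a single mistyped field name (`usr`) returns the real names `user` and `users`, while the tied default or the masking hook returns only the bare "Cannot query field" error.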