- policyRef:
    name: graphql-introspection-control-flex
  config:
    blockSchema: <boolean> # OPTIONAL, default: false
    blockType: <boolean> # OPTIONAL, default: false
    blockTypename: <boolean> # OPTIONAL, default: false

GraphQL Introspection Control Policy
| Policy Name | GraphQL Introspection Control |
|---|---|
| Summary | Blocks or allows requests that access the |
| Category | Security |
| First Omni Gateway version available | v1.13.0 |
| Returned status codes | 403 Forbidden — The response follows the standard GraphQL error format, including a message such as |
Summary
GraphQL servers include built-in introspection fields that allow clients to discover your API’s types and structure. The GraphQL Introspection Control policy inspects incoming operations and blocks requests that reference restricted fields.
Use the introspection policy to block requests to a combination of these fields:
- __schema, used to discover the full API schema.
- __type, used to look up details for a specific type by name.
- __typename, used to read the concrete type name of an object.
Blocking __typename can affect GraphQL client libraries that rely on it for result caching.
After Omni Gateway resolves the GraphQL query, the policy evaluates the operation text. Omni Gateway doesn’t inspect the operation text for persisted queries and passes them through without introspection checks.
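The following example is added here and is not Omni Gateway's code: it shows an operation-text check of the kind described above, mapping each introspection field to the policy parameter that blocks it and ignoring matches inside strings, comments, variables and directives. The tokenizer, function names, sample operations and error message are assumptions made for illustration.

```python
import re

# Tokens that matter for this check. Comments, strings, $variables and
# @directives are matched first so names inside them are never reported.
_TOKEN = re.compile(r'''
    (?P<comment>\#[^\n\r]*)
  | (?P<block>"""(?:\\"""|.)*?""")
  | (?P<string>"(?:\\.|[^"\\\n])*")
  | (?P<sigil>[$@][_A-Za-z][_0-9A-Za-z]*)
  | (?P<name>[_A-Za-z][_0-9A-Za-z]*)
''', re.VERBOSE | re.DOTALL)

# Introspection field -> policy parameter that blocks it (names from the page).
FIELD_TO_PARAM = {
    "__schema": "blockSchema",
    "__type": "blockType",
    "__typename": "blockTypename",
}

def introspection_fields(operation):
    """Return the restricted field names referenced in the operation text."""
    return {m.group("name") for m in _TOKEN.finditer(operation)
            if m.lastgroup == "name" and m.group("name") in FIELD_TO_PARAM}

def evaluate(operation, config):
    """Return None to pass the request, or (403, body) to reject it."""
    blocked = sorted(f for f in introspection_fields(operation)
                     if config.get(FIELD_TO_PARAM[f], False))
    if not blocked:
        return None
    # Placeholder message: the gateway's real wording is not given on the page.
    body = {"errors": [{"message": "blocked introspection field: " + ", ".join(blocked)}]}
    return 403, body

# Constructed sample operations.
OP_SCHEMA = '{ __schema { types { name } } }'
OP_STRING_ONLY = '{ search(text: "__schema") { id } }  # __type in a comment'
OP_ALIAS = '{ node(id: "1") { kind: __typename } }'

if __name__ == "__main__":
    cfg = {"blockSchema": True, "blockType": True}  # blockTypename left at default false
    for op in (OP_SCHEMA, OP_STRING_ONLY, OP_ALIAS):
        print(evaluate(op, cfg), "<-", op)
```

A plain substring search would reject the second sample, which only carries the field name inside a string argument and a comment; the aliased `__typename` in the third is still found because aliasing does not change the field name.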
Configuring Policy Parameters
Omni Gateway Local Mode
When you apply the policy via declarative configuration files, refer to the policy definition at the top of this page and the following table of parameters:
| Parameter | Required | Default Value | Description |
|---|---|---|---|
| blockSchema | No | false | If |
| blockType | No | false | If |
| blockTypename | No | false | If |
Managed Omni Gateway and Omni Gateway Connected Mode
When you apply the policy from the UI, the following parameters are displayed:
| Field | Description |
|---|---|
| Block | If enabled, Omni Gateway blocks queries that use the |
| Block | If enabled, Omni Gateway blocks queries that use the |
| Block | |



