Disabling GraphQL Introspection

Hi, is it possible to disable (anonymous) GraphQL introspection? Or maybe switch the whole GraphQL API to be usable only by authenticated users?

Background

I’m trying to harden the Community Edition, and one of the weak points after the audit is “introspection is enabled”.
I understand that GraphQL is used extensively in the UI, so disabling the endpoint entirely is not an option. Limiting access to authenticated users only (private server only: SSO is enforced, no public repositories, etc.).

As per the docs (GraphQL API | GitLab), some queries are possible without authentication, but others do actually require authentication. I expect that the ones that do not require it are not anything that would be a security risk as such.

Either way, you cannot completely disable it by forcing everything to go through authentication. That said, it would probably be best to make a request here (Issues · GitLab.org / GitLab · GitLab) for someone to perhaps add the option to force all GraphQL API queries to require authentication, or at least any made externally from the server.

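To verify the audit finding against your own instance, a practitioner would want a check that sends an introspection query anonymously and reports whether the schema comes back. The script below is an added example written for this thread; it is not GitLab's code. The endpoint URL is a placeholder (GitLab serves GraphQL at `/api/graphql`), the two sample responses are constructed for offline testing rather than captured from a real server, and the optional `PRIVATE-TOKEN` header is GitLab's personal access token header, included so the same probe can be repeated as an authenticated user for comparison.

```python
"""Probe a GraphQL endpoint for anonymous introspection.

Added example for the thread above, not part of GitLab.
Assumed: the endpoint URL (placeholder), the sample responses (constructed).
"""
import json
import sys
import urllib.error
import urllib.request

# Minimal introspection query: if __schema is returned, introspection is enabled.
INTROSPECTION_QUERY = """
query IntrospectionProbe {
  __schema {
    queryType { name }
    types { name }
  }
}
"""

# Constructed sample responses (not captured from a real server), used for offline checks.
SAMPLE_ENABLED = json.dumps({"data": {"__schema": {
    "queryType": {"name": "Query"},
    "types": [{"name": "Query"}, {"name": "Project"}]}}})
SAMPLE_DISABLED = json.dumps({"errors": [{
    "message": "GraphQL introspection is not allowed, but the query contained __schema or __type"}]})


def classify_response(status, body):
    """Classify an HTTP status plus response body from an introspection request.

    Returns one of:
      'introspection_enabled'  - schema returned anonymously (the audit finding)
      'introspection_disabled' - server explicitly rejected __schema
      'auth_required'          - 401/403, the endpoint is not usable anonymously
      'unknown'                - anything else (non-JSON, unrelated errors)
    """
    if status in (401, 403):
        return "auth_required"
    try:
        data = json.loads(body)
    except ValueError:
        return "unknown"
    schema = (data.get("data") or {}).get("__schema")
    if schema and schema.get("types"):
        return "introspection_enabled"
    for err in data.get("errors") or []:
        msg = str(err.get("message", "")).lower()
        if "introspection" in msg or "__schema" in msg:
            return "introspection_disabled"
    return "unknown"


def count_types(body):
    """Number of schema types an enabled introspection response exposed."""
    data = json.loads(body)
    return len(data["data"]["__schema"]["types"])


def probe(url, token=None, timeout=10):
    """POST the introspection query and return (status, body_text).

    Without a token the request is anonymous, which is the case the audit flagged.
    With a token it is sent as PRIVATE-TOKEN (GitLab's personal access token header).
    """
    payload = json.dumps({"query": INTROSPECTION_QUERY}).encode()
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if token:
        headers["PRIVATE-TOKEN"] = token
    req = urllib.request.Request(url, data=payload, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        # 4xx/5xx still carry a body worth classifying
        return e.code, e.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Placeholder URL; pass your instance as the first argument.
    url = sys.argv[1] if len(sys.argv) > 1 else "https://gitlab.example.com/api/graphql"
    status, body = probe(url)
    verdict = classify_response(status, body)
    print(f"{url}: HTTP {status} -> {verdict}")
    if verdict == "introspection_enabled":
        print(f"schema exposes {count_types(body)} types anonymously")
```

Run it once without a token and once with one: if the anonymous run reports `introspection_enabled`, the finding reproduces; if only the authenticated run does, the endpoint already behaves the way the original post asks for.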

Thanks, Ian.


I’ve created an enhancement request for this.
