Information Gathering / GraphQL introspection enabled

Web and API

Description

GraphQL introspection lets any client that can reach the endpoint query the reserved __schema and __type fields and receive the complete schema document: every type, field, argument, enum value and directive, together with the descriptions attached to them. It is the mechanism behind IDE autocompletion and client code generation, and most GraphQL server libraries enable it by default. This finding means the production endpoint answered an introspection query, so the full schema is available to anyone who can send requests to it, including unauthenticated users when the endpoint itself requires no authentication.

Risk

Introspection is an information disclosure, not an exploitable flaw by itself; its severity depends on what the schema contains and on how well the exposed operations are authorized. What it gives an attacker is a complete map of the API in one request: undocumented or "internal" queries and mutations (administrative operations, bulk exports, debug fields), deprecated fields that may have weaker checks, internal type and field names that reveal the data model, argument types that tell a fuzzer exactly what to send, and descriptions that sometimes contain implementation notes. Without introspection an attacker has to guess field names one by one; with it, the enumeration phase of an attack collapses to a single query, and every subsequent request can be targeted at the most sensitive operations.

Solution

Disable introspection in production, or restrict it to authenticated, trusted clients such as internal tooling, and keep it enabled only in development and staging where IDEs and code generators depend on it. Most implementations expose a switch for this: Apollo Server has an introspection option that can be set to false, and graphql-js and graphql-core ship a NoSchemaIntrospectionCustomRule validation rule that rejects any document referencing __schema or __type; an API gateway can also reject such documents before they reach the server. After deploying the change, verify it by sending an introspection query and confirming that the server returns a validation error rather than a schema. Treat this as hardening rather than an authorization control: field-name suggestions in validation errors ("Did you mean ...?") and client application bundles still leak parts of the schema, so every query and mutation must enforce its own authorization regardless of whether introspection is on.
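The following is an added example, not code from the original finding or from any of the server libraries named above. It shows the two checks a practitioner wants from the Risk and Solution sections: a minimal introspection probe with a classifier for the endpoint's answer (is introspection enabled, disabled, or undetermined), and a request-side check that a gateway can use to reject introspection documents without a GraphQL parser. It uses only the Python standard library; the endpoint URL, the function names and the sample JSON responses are constructed for the illustration, and the error wording matched in classify_response is the phrasing graphql-js and graphql-core produce when NoSchemaIntrospectionCustomRule fires.

```python
"""Added example (not part of the original finding): probe, classify and
block GraphQL introspection. Standard library only; sample data below is
constructed for the illustration."""
import json
import re
import urllib.request

# Minimal probe: enough to learn every type name and the root operation
# types without pulling the whole schema document.
INTROSPECTION_PROBE = """
query IntrospectionProbe {
  __schema {
    queryType { name }
    mutationType { name }
    types { name kind }
  }
}
"""


def probe_endpoint(url: str, timeout: float = 10.0) -> dict:
    """POST the probe to a GraphQL endpoint and return the parsed JSON body.
    Network call; the offline samples below do not exercise it."""
    body = json.dumps({"query": INTROSPECTION_PROBE}).encode()
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def classify_response(resp: dict) -> str:
    """Map a GraphQL response to 'enabled', 'disabled' or 'unknown'."""
    data = resp.get("data") or {}
    schema = data.get("__schema")
    if isinstance(schema, dict) and schema.get("types"):
        return "enabled"  # the server handed back type names
    for err in resp.get("errors") or []:
        msg = str(err.get("message", "")).lower()
        # graphql-js / graphql-core wording for NoSchemaIntrospectionCustomRule,
        # plus the generic validation error some deployments return instead.
        if "introspection" in msg and "disabled" in msg:
            return "disabled"
        if "cannot query field" in msg and "__schema" in msg:
            return "disabled"
    return "unknown"  # e.g. transport error, auth wall, non-GraphQL body


# Strings, block strings and comments are blanked before searching for the
# reserved field names, so "__schema" inside a string literal or a comment
# does not trip the check, while aliases and fragments still do.
_NOISE = re.compile(r'"""(?:\\"""|[^"]|"(?!""))*"""|"(?:\\.|[^"\\\n])*"|#[^\n]*')
# __type must not match the always-allowed __typename, hence the lookahead.
_INTROSPECTION_FIELD = re.compile(r'(?<![A-Za-z0-9_])__(?:schema|type)(?![A-Za-z0-9_])')


def requests_introspection(document: str) -> bool:
    """True if the query document references __schema or __type. Intended
    for a gateway that must reject introspection before the request reaches
    the GraphQL server; the server-side validation rule remains the primary
    control."""
    stripped = _NOISE.sub(" ", document)
    return _INTROSPECTION_FIELD.search(stripped) is not None


# Constructed sample responses (not captured from a real endpoint).
SAMPLE_ENABLED = {"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"},
    "types": [{"name": "Query", "kind": "OBJECT"},
              {"name": "AdminExport", "kind": "OBJECT"}]}}}
SAMPLE_DISABLED = {"errors": [{"message":
    'GraphQL introspection has been disabled, but the requested query '
    'contained the field "__schema".'}]}

if __name__ == "__main__":
    for label, sample in (("enabled", SAMPLE_ENABLED), ("disabled", SAMPLE_DISABLED)):
        print(label, "->", classify_response(sample))
    print("probe blocked at gateway:", requests_introspection(INTROSPECTION_PROBE))
```

To run it against a live endpoint (replace the hypothetical URL with your own): classify_response(probe_endpoint("https://api.example.com/graphql")). A result of "enabled" reproduces this finding; "disabled" confirms the fix; "unknown" means the response needs a manual look, typically because an authentication layer or WAF answered instead of the GraphQL server. The gateway check is deliberately token-level rather than a full parser: any introspection document must spell out __schema or __type somewhere, and a regular expression that ignores strings and comments is enough to catch aliased and fragment-wrapped variants without false positives on __typename.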
