GraphiQL Explorer/Playground Enabled
Description
The GraphiQL Explorer or GraphQL Playground interface is publicly accessible in your production environment. These tools are interactive, browser-based development environments that let developers explore a GraphQL API schema, construct queries, test mutations, and view responses in real time. While valuable during development, these interfaces expose your complete API structure and allow anyone to execute queries against your GraphQL endpoint, bypassing any authentication controls that are enforced only at your application layer.
Remediation
Immediately disable GraphiQL Explorer and GraphQL Playground in all production environments. These tools should only be enabled in local development or secured staging environments with IP-based access restrictions.
For Express.js with express-graphql:

app.use('/graphql', graphqlHTTP({
  schema: schema,
  graphiql: process.env.NODE_ENV !== 'production' // Disable in production
}));

For Apollo Server:

const server = new ApolloServer({
  typeDefs,
  resolvers,
  introspection: process.env.NODE_ENV !== 'production',
  playground: process.env.NODE_ENV !== 'production'
});

Additionally, consider disabling GraphQL introspection queries in production to prevent schema enumeration, and implement proper authentication and authorization checks at the resolver level rather than relying solely on application-layer controls.
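The following is an added example (not part of this advisory, and not code from express-graphql or Apollo Server) showing the three remediation points together in plain Node: environment-gated tooling flags, a production-time introspection gate, and resolver-level authorization. Unlike the snippets above, which enable the tooling whenever NODE_ENV is anything other than 'production', it fails closed by enabling the tooling only when NODE_ENV is exactly 'development'; the function names and the sample resolver are hypothetical.

```javascript
// Added example: GraphQL hardening helpers. Names are hypothetical; wire them
// into express-graphql or Apollo Server in place of the raw env checks.

// Fail closed: tooling is on only when NODE_ENV is explicitly 'development',
// so an unset or misspelled variable in production leaves everything off.
function buildServerOptions(nodeEnv) {
  const devTools = nodeEnv === 'development';
  return {
    graphiql: devTools,      // express-graphql: GraphiQL UI
    playground: devTools,    // Apollo Server 2 option; v3+ removed it in favour
                             // of the ApolloServerPluginLandingPageDisabled plugin
    introspection: devTools, // Apollo Server: __schema / __type queries
  };
}

// True when the query selects introspection fields (__schema or __type).
// __typename is left alone: clients add it routinely and it reveals nothing
// about the schema beyond the type of the object already being fetched.
function isIntrospectionQuery(query) {
  return /(^|[^A-Za-z0-9_])__(schema|type)\b/.test(query);
}

// Wrap a resolver so it enforces authorization itself rather than relying on
// a guard in front of the UI route that interactive-tool users may bypass.
function withAuth(resolver, requiredRole) {
  return (parent, args, context, info) => {
    const user = context && context.user;
    if (!user) throw new Error('Unauthenticated');
    if (requiredRole && !(user.roles || []).includes(requiredRole)) {
      throw new Error('Forbidden');
    }
    return resolver(parent, args, context, info);
  };
}

// Gate one operation with the options above. Returns { ok, data | error } so
// it can sit in any framework's request hook.
function handleOperation(options, query, context, resolver) {
  if (!options.introspection && isIntrospectionQuery(query)) {
    return { ok: false, error: 'Introspection is disabled' };
  }
  try {
    return { ok: true, data: resolver(null, {}, context, null) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed sample resolver: only the 'admin' role may read the audit log.
const auditLog = withAuth(() => ['login ok', 'password changed'], 'admin');
const prodOptions = buildServerOptions('production');
```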