
GraphQL Introspection Exposure

Severity: medium
CWE-200 · API Security

What is GraphQL Exposure?

GraphQL APIs with introspection enabled in production expose the entire API schema, including types, fields, queries, and mutations, to anyone who queries the endpoint.

How it works

An attacker sends an introspection query (a request selecting the `__schema` or `__type` root fields) to the /graphql endpoint. If introspection is enabled, the server responds with the complete schema, revealing all available queries, mutations, types, and the relationships between them.

Impact

Full API surface enumeration, discovery of sensitive fields and mutations, identification of internal-only endpoints, and accelerated attack planning.

How ShieldReport detects this

ShieldReport sends introspection queries to common GraphQL endpoints (/graphql, /api/graphql) and analyses the response for schema exposure.
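The check described above and in "How it works", as an added example that is not ShieldReport's scanner code: it holds the standard introspection query a scanner would send and classifies the raw response body, separating built-in scalar and introspection types from application-specific ones. The two response bodies are constructed for this example; the request and response shapes follow the GraphQL specification.

```javascript
// Added example (not ShieldReport's code): classify a GraphQL endpoint's
// reply to an introspection query the way a scanner would.

// The standard introspection query: asks for every type and its fields.
const INTROSPECTION_QUERY = `
  query IntrospectionQuery {
    __schema {
      queryType { name }
      mutationType { name }
      types { name kind fields { name } }
    }
  }
`;

// Built-in scalars that every schema exposes; introspection meta types
// start with "__". Anything else is application-specific surface.
const BUILTIN_SCALARS = new Set(['String', 'Int', 'Float', 'Boolean', 'ID']);

function isBuiltin(type) {
  return BUILTIN_SCALARS.has(type.name) || type.name.startsWith('__');
}

// Examine a raw response body (string) and report whether the schema leaked.
function classifyIntrospectionResponse(body) {
  let json;
  try {
    json = JSON.parse(body);
  } catch (e) {
    return { exposed: false, reason: 'not a JSON GraphQL response' };
  }
  const schema = json && json.data && json.data.__schema;
  if (!schema || !Array.isArray(schema.types)) {
    // A server with introspection disabled typically answers with an error.
    const errors = json && Array.isArray(json.errors) ? json.errors : [];
    const reason = errors.length && errors[0].message
      ? errors[0].message : 'no __schema in response';
    return { exposed: false, reason };
  }
  const custom = schema.types.filter((t) => !isBuiltin(t));
  const fieldCount = custom.reduce(
    (n, t) => n + (Array.isArray(t.fields) ? t.fields.length : 0), 0);
  return {
    exposed: true,
    queryType: schema.queryType ? schema.queryType.name : null,
    mutationType: schema.mutationType ? schema.mutationType.name : null,
    customTypes: custom.map((t) => t.name),
    fieldCount,
  };
}

// Constructed sample: a production endpoint that answers introspection.
const EXPOSED_BODY = JSON.stringify({
  data: {
    __schema: {
      queryType: { name: 'Query' },
      mutationType: { name: 'Mutation' },
      types: [
        { name: 'Query', kind: 'OBJECT', fields: [{ name: 'me' }, { name: 'users' }] },
        { name: 'Mutation', kind: 'OBJECT', fields: [{ name: 'resetPassword' }, { name: 'setRole' }] },
        { name: 'User', kind: 'OBJECT', fields: [{ name: 'id' }, { name: 'email' }, { name: 'internalNotes' }] },
        { name: 'String', kind: 'SCALAR', fields: null },
        { name: 'Boolean', kind: 'SCALAR', fields: null },
        { name: '__Schema', kind: 'OBJECT', fields: [{ name: 'types' }] },
      ],
    },
  },
});

// Constructed sample: the same endpoint with introspection disabled.
const DISABLED_BODY = JSON.stringify({
  errors: [{ message: 'GraphQL introspection is not allowed, but the query contained __schema or __type' }],
});

console.log('query sent:', INTROSPECTION_QUERY.trim().split('\n')[0]);
console.log('exposed endpoint:', classifyIntrospectionResponse(EXPOSED_BODY));
console.log('hardened endpoint:', classifyIntrospectionResponse(DISABLED_BODY));
```

The finding is only raised when `data.__schema.types` is present; an error body, a non-JSON body (for example an HTML 404 page at /api/graphql) or a JSON body without `__schema` is reported as not exposed, with the server's own error message kept as the reason.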

How to fix it

Disable introspection in production. If it is needed for development, restrict it to authenticated internal users. Use query complexity limits and depth limiting as well.
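The fix above as an added example, not code from ShieldReport or from any GraphQL server library: a request-level guard that refuses introspection in production unless the caller is an authenticated internal user, and rejects queries nested deeper than a limit. It inspects the raw query text with a small literal-stripping tokenizer; `createQueryGuard`, `maxDepth` and the `ctx` fields are hypothetical names chosen for this example. A real deployment would apply the same policy on the parsed AST, for instance with graphql-js's `NoSchemaIntrospectionCustomRule` validation rule or Apollo Server's `introspection` option, plus a depth or complexity plugin.

```javascript
// Added example (not ShieldReport's or any GraphQL server's own code): gate
// introspection by environment and caller, and enforce a selection-depth limit.

// Strip block strings, string literals and # comments so that "__schema"
// inside a string argument is not mistaken for a selection.
function stripLiterals(query) {
  return query
    .replace(/"""[\s\S]*?"""/g, '""')
    .replace(/"(?:\\.|[^"\\])*"/g, '""')
    .replace(/#[^\n]*/g, '');
}

// True if the query selects the introspection root fields __schema or __type.
function isIntrospectionQuery(query) {
  return /\b__(schema|type)\b/.test(stripLiterals(query));
}

// Maximum nesting of selection sets, counted by brace depth
// (the operation's own selection set counts as depth 1).
function selectionDepth(query) {
  let depth = 0;
  let max = 0;
  for (const ch of stripLiterals(query)) {
    if (ch === '{') {
      depth += 1;
      if (depth > max) max = depth;
    } else if (ch === '}') {
      depth -= 1;
    }
  }
  return max;
}

// Build a guard for one deployment. isProduction would normally come from
// the environment (e.g. NODE_ENV); maxDepth is a hypothetical tuning knob.
function createQueryGuard({ isProduction, maxDepth = 8 }) {
  return function check(query, ctx = {}) {
    if (isIntrospectionQuery(query) && isProduction
        && !(ctx.authenticated && ctx.internal)) {
      return { allowed: false, reason: 'introspection is disabled in production' };
    }
    const depth = selectionDepth(query);
    if (depth > maxDepth) {
      return { allowed: false, reason: `query depth ${depth} exceeds limit ${maxDepth}` };
    }
    return { allowed: true, depth };
  };
}

// Constructed queries used to exercise the guard.
const INTROSPECTION = 'query { __schema { types { name } } }';
const NORMAL = '{ me { id } }';
const STRING_ONLY = '{ search(q: "__schema") { id } }';
const DEEP_QUERY = 'query ' + '{ n '.repeat(9) + '{ id }' + ' }'.repeat(9);

const production = createQueryGuard({ isProduction: true, maxDepth: 8 });
const development = createQueryGuard({ isProduction: false, maxDepth: 8 });

console.log('prod, anonymous introspection:', production(INTROSPECTION));
console.log('prod, internal user introspection:',
  production(INTROSPECTION, { authenticated: true, internal: true }));
console.log('dev, introspection:', development(INTROSPECTION));
console.log('prod, normal query:', production(NORMAL));
console.log('prod, "__schema" only inside a string:', production(STRING_ONLY));
console.log('prod, deeply nested query:', production(DEEP_QUERY));
```

The guard is deliberately applied before execution, so a rejected introspection query never reaches resolvers and cannot leak the schema through error messages; the depth check limits how much of a schema an authenticated caller can pull in one request even when introspection is legitimately allowed.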

Tags

api, graphql, information-disclosure
