Goes along with statamic/cms#13880
Statamic uses rebing/graphql-laravel under the hood, which supports disabling introspection via graphql.security.disable_introspection. However, Statamic's config/statamic/graphql.php does not expose this setting.
Currently, users must either call config() manually in their AppServiceProvider or publish the full config/graphql.php from the rebing package (which breaks Statamic's auto-configuration of the GraphQL schema). Neither is ideal, and introspection enabled in production is a known security concern.
Proposed solution: Add a security.disable_introspection option to config/statamic/graphql.php, controllable via a STATAMIC_GRAPHQL_INTROSPECTION_DISABLED env variable, and forward it to the rebing config in the existing ServiceProvider boot logic.
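An added sketch of what the proposal would look like in code (this is illustrative, not code from the issue, from Statamic, or from rebing/graphql-laravel). The config key and env variable names follow the proposal; the `false` default, the stand-in provider class name, and the decision to forward in `register()` are assumptions. The same two lines in `App\Providers\AppServiceProvider` are the manual workaround the issue mentions.

```php
<?php
// Added example, not Statamic's own code. Shows the proposed
// security.disable_introspection option and how it could be forwarded to
// rebing/graphql-laravel, which reads graphql.security.disable_introspection
// and rejects __schema / __type queries when it is true.
//
// Proposed addition to config/statamic/graphql.php (the false default is an
// assumption, chosen so existing installs keep their current behaviour):
//
//     'security' => [
//         'disable_introspection' => env('STATAMIC_GRAPHQL_INTROSPECTION_DISABLED', false),
//     ],
//
// The provider below stands in for wherever Statamic already configures the
// rebing package; the class name is hypothetical.

namespace App\Providers;

use Illuminate\Support\ServiceProvider;

class GraphQLIntrospectionServiceProvider extends ServiceProvider
{
    public function register(): void
    {
        // Read Statamic's setting. Casting keeps a "true"/"1" string from .env
        // from being forwarded as a non-boolean.
        $disable = (bool) config('statamic.graphql.security.disable_introspection', false);

        // Forward to the key rebing/graphql-laravel actually consults. Doing this
        // in register() rather than boot() guarantees the value is in place
        // before any package provider's boot() runs, so it works whether the
        // package applies the rule once at boot or on every request.
        config(['graphql.security.disable_introspection' => $disable]);
    }
}
```

With `STATAMIC_GRAPHQL_INTROSPECTION_DISABLED=true` in the production `.env`, a `{ __schema { types { name } } }` query against the Statamic endpoint should come back with a GraphQL validation error instead of the schema; checking that response after deploy is the quickest way to confirm the setting was actually forwarded rather than silently ignored.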