Skip to main content

Disabling Introspection

Turning off introspection support in production is generally considered a best practice since it is an additional security measure to make a hacker's job harder.

To turn off introspection support, set the EXO_INTROSPECTION environment variable to false (the default value in production). So, all you need to do is ensure that this environment variable isn't set to true in production.

Keep in mind that while turning off introspection in production is a good idea, it offers only limited help in securing your application. At best, this security-by-obscurity measure makes playing with your APIs to explore vulnerabilities harder. At worst, it gives a false sense of security. Since it is still possible to predict the APIs (for example, by simply looking at the network traffic from a browser's "Inspect" tab), ensuring the correctness of your access control expressions and taking other security measures is still critical.

You can couple this with limiting queries and mutations as we will see next.