[DEV-2711] Disable GraphQL Introspection on Hasura#1821
Conversation
|
@codex review |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 926a58d4fd
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
@codex review |
|
Codex Review: Didn't find any major issues. 🚀 ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
Code reviewNo issues found. Checked for bugs and CLAUDE.md compliance. 🤖 Generated with Claude Code - If this code review was useful, please react with 👍. Otherwise, react with 👎. |
2 participants
PR Type
Description
DEV-2711 — Disable GraphQL Introspection on Hasura
/v1/graphqlendpoint accepted unauthenticated__schemaintrospection queries, exposing schema metadata to anyonedisabled_for_rolesinhasura/metadata/graphql_schema_introspection.yaml— this is applied automatically at Hasura startup in all environments, including production, with no infra changes neededNOTE: i would have preferred to have explicitly enabling roles instead of explicitly disabling as we do here. from a security standpoint an allowlist is strictly better — new roles are blocked by default rather than open until someone
remembers to add them, but Hasura's metadata config only exposes
disabled_for_roles(a denylist). There's noenabled_for_rolesequivalent.Checklist