|
2 | 2 |
|
3 | 3 | <p className="learn-subtitle">Learn how to query information about a GraphQL schema</p>
|
4 | 4 |
|
5 |
| -It's often useful to ask a GraphQL schema for information about what operations it supports. GraphQL allows us to do so using the [introspection system](https://spec.graphql.org/draft/#sec-Introspection). |
| 5 | +It's often useful to ask a GraphQL schema for information about what features it supports. GraphQL allows us to do so using the [introspection system](https://spec.graphql.org/draft/#sec-Introspection). |
6 | 6 |
|
7 | 7 | Introspection queries are special kinds of queries that allow you to learn about a GraphQL API's schema, and they also help power GraphQL development tools. On this page, we'll learn how to run different queries to learn more about an underlying schema's types, fields, and descriptions.
|
8 | 8 |
|
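Review bot: the rewording on line 5 from "what operations it supports" to "what features it supports" is less precise, not more; "features" could be read as server capabilities rather than schema contents, and the next paragraph (line 7) already names the concrete things introspection returns, "types, fields, and descriptions". Suggest aligning the sentence with that, e.g. "ask a GraphQL schema for information about the types and fields it defines", so the intro and the following paragraph describe the same thing.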
@@ -160,20 +160,20 @@ As demonstrated above, we can access the documentation about the type system usi
|
160 | 160 |
|
161 | 161 | This has just scratched the surface of the introspection system; we can query for Enum type values, what Interface types another type implements, and more. We can even introspect on the introspection system itself.
|
162 | 162 |
|
163 |
| -To see an example of a specification-compliant GraphQL query introspection system implemented in code, you can view the [introspection.ts](https://github.com/graphql/graphql-js/blob/main/src/type/introspection.ts) file in GraphQL.js repository. |
| 163 | +To see an example of a specification-compliant GraphQL query introspection system implemented in code, you can view [src/type/introspection.ts](https://github.com/graphql/graphql-js/blob/e9b6b626f6f6aa379bb8f8c48df40d0c02a26082/src/type/introspection.ts) in the reference implementation. |
164 | 164 |
|
165 | 165 | ## Introspection in production
|
166 | 166 |
|
167 |
| -Introspection is a useful feature of GraphQL, especially for client developers. However, for private GraphQL APIs, it may be undesirable to expose sensitive information about the schema publicly via the `__schema` field in a production environment. |
| 167 | +Introspection is a useful feature of GraphQL, especially for client developers and tooling. However, for APIs intended only for your own applications, it’s typically not needed in production—required operations are usually baked into these applications at build time, making runtime introspection unnecessary. |
168 | 168 |
|
169 |
| -In those cases, it may be preferable to disable introspection in production environments as a part of a broader API security strategy that could also include authentication and authorization, depth-limiting, query cost analysis, and more. |
| 169 | +Disabling introspection in production is common in order to reduce the API’s attack surface. This is often part of a broader API security strategy, which may also include authentication and authorization, operation safe-listing (or a range of alternative protections, such as depth-limiting, breadth-limiting, alias limits, cycle rejection, cost analysis, etc.), execution timeouts, and more. |
170 | 170 |
|
171 | 171 | ## Next steps
|
172 | 172 |
|
173 | 173 | To recap what we've learned about introspection:
|
174 | 174 |
|
175 | 175 | - Type names can be queried in a field selection set for an Object, Interface, or Union type using the `__typename` meta-field
|
176 | 176 | - Information about the elements of a GraphQL schema can be queried using the `__schema` field on the `query` root operation type
|
177 |
| -- Introspection is often disabled in production environments for private APIs |
| 177 | +- Introspection is often disabled in production environments |
178 | 178 |
|
179 | 179 | Now that you've explored the GraphQL type system, how to query data from an API, and what the lifecycle of a request looks like, head over to the [Best Practices](/learn/best-practices/) section to learn more about running GraphQL in production.
|
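Review bot: new line 169 frames disabling introspection as reducing the API's attack surface but drops the old line 167's concrete rationale (that the `__schema` field can expose details of a private schema), and it reads as if introspection being off were itself a protection; suggest keeping the `__schema` reference and making explicit that the controls listed afterwards (authentication and authorization, operation safe-listing, limits, timeouts) are the actual protections, with disabling introspection as hardening on top of them, since a client that is authorized to execute operations can still learn the schema from successful responses. Separately, the recap on line 177 now says "often disabled in production environments" without the qualifier that the new line 167 introduces ("APIs intended only for your own applications"); public or partner-facing APIs usually keep introspection on, so the recap should carry the same qualifier. Minor: pinning the line 163 link to a commit is good for stability, but the link text no longer names the project; "in the GraphQL.js reference implementation" keeps that information.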