GraphQL Introspection Exposure
Description
Probes common GraphQL paths (/graphql, /api/graphql, /gql, /v1/graphql) for enabled introspection. A valid __schema response in production exposes the full API schema — types, mutations, and admin fields — to any unauthenticated caller.
Security Impact
Attackers use introspection to map an entire GraphQL API in seconds, identifying admin-only mutations, deprecated fields with weaker validation, and internal types. Disabling it in production removes a primary reconnaissance tool at zero cost.
Automated Detection & AI Remediation
DygDog automatically detects GraphQL Introspection Exposure using its continuous, passive scanning engine. When discovered, DygDog provides infrastructure-specific, copy-paste ready code snippets generated by frontier AI models to help you remediate the issue instantly without generic advice.
Start Free Scan