GraphQL Operations Vocabulary
5 exercises — master the operational vocabulary of running GraphQL in production: introspection security, query depth limiting, persisted queries, schema drift, and breaking change detection.
GraphQL operations vocabulary quick reference
- Introspection — meta-query system for discovering the schema; often disabled in production for security
- Query depth limiting — rejecting queries whose nesting level exceeds a maximum (e.g. 7 levels)
- Query complexity scoring — assigning a cost to each field; rejecting queries that exceed a total cost budget
- Persisted queries (trusted documents) — pre-registering approved operations; clients send only the hash
- Schema drift — divergence between the documented/registered schema and the live running schema
- Breaking change detection — CI check that flags schema changes that would break existing client operations
- Field deprecation — marking a field @deprecated before removal (safe migration path)
- Field usage analytics — tracking which fields are used to safely time deprecated field removal
1 / 5
A GraphQL API has been running in production for 18 months. A new developer unfamiliar with GraphQL asks: "What is GraphQL introspection, and why do some production teams disable it?"
Introspection is GraphQL's self-describing capability and, left enabled in production, the most convenient reconnaissance tool the API hands an attacker.
What introspection enables:
• Any client can run { __schema { types { name } } } and get a complete map of the entire API
• Tools like GraphiQL, Apollo Explorer, and Postman use introspection to provide autocomplete and documentation
• Schema discovery is instantaneous — attackers can fully enumerate an API in seconds
Why it's a security concern:
• Enumeration attack — an attacker uses introspection to discover undocumented or internal fields before crafting queries
• Attack surface revelation — exposes field names that hint at business logic (e.g. adminFlag, internalUserId)
• Even deprecated fields remain discoverable — the fields and enumValues introspection fields accept includeDeprecated: true, so a field that has vanished from the docs is still one query away
Production security patterns:
• Disable introspection in production and keep it in staging only. This removes the easy reconnaissance path but is not access control: field names can still be recovered from "Did you mean ..." validation errors on unknown fields and from client bundles that embed the operations, so every resolver still needs its own authorization check
• Use allow-listing (persisted queries) so only pre-approved operations can run; an unregistered introspection query is rejected along with every other ad-hoc document
• Apply depth limiting as well. The full introspection query is itself deeply nested (it walks ofType chains), so where introspection is meant to stay on, such as staging, the limit must exempt it or sit above its depth
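The three production patterns above combined into one request gate, written here as an added example rather than code from this page or from any GraphQL server project. It hand-parses only the selection structure of a document (names, braces, fragment spreads) after discarding strings, comments and argument lists; counts depth with fragment spreads expanded, so a deep fragment cannot hide behind a shallow operation; flags __schema and __type selections (not __typename); and in allow-list mode accepts only a registered hash. The request shape (extensions.persistedQuery.sha256Hash, as Apollo-style clients send it), the allow-list contents, the limit of 7 and the sample documents are all assumptions constructed for the example.

```python
# Added example, not the page's or any project's code: persisted-query allow-list,
# production introspection block and fragment-aware depth limit in one request gate.
import hashlib
import re

MAX_DEPTH = 7  # reject documents nested deeper than this many field levels
# Strings and comments go first, then argument lists, so braces in (where: {id: 1}) never count.
_NOISE_RE = re.compile(r'"""[\s\S]*?"""|"(?:[^"\\\n]|\\.)*"|#[^\n]*')
_TOKEN_RE = re.compile(r'\.\.\.|[{}]|[_A-Za-z][_0-9A-Za-z]*')

def _tokens(doc):
    # Keep only the names, braces and '...' that make up the selection structure.
    out, parens = [], 0
    for ch in _NOISE_RE.sub(' ', doc):
        parens += (ch == '(') - (ch == ')')
        if parens == 0 and ch != ')':
            out.append(ch)
    return _TOKEN_RE.findall(''.join(out))

def parse_document(doc):
    """(operations, fragments); a selection set is a list of ('field', name, sub|None) |
    ('inline', sub) | ('spread', fragment_name).  Alias and directive names land as leaf fields."""
    toks, pos = _tokens(doc), 0
    def skip_to_brace():
        nonlocal pos
        while toks[pos] != '{':
            pos += 1
    def parse_set():
        nonlocal pos
        pos, items = pos + 1, []                                   # consume '{'
        while toks[pos] != '}':
            tok = toks[pos]
            pos += 1
            if tok != '...':
                items.append(('field', tok, parse_set() if toks[pos] == '{' else None))
            elif toks[pos] == 'on' or '{' in toks[pos:pos + 2]:  # ... [on Type] [@dir] { }
                skip_to_brace()
                items.append(('inline', parse_set()))
            else:                                                  # ...FragmentName [@dir]
                items.append(('spread', toks[pos]))
                pos += 1
        pos += 1                                                   # consume '}'
        return items
    ops, frags = [], {}
    while pos < len(toks):
        name = toks[pos + 1] if toks[pos] == 'fragment' else None  # fragment Name on Type { }
        skip_to_brace()                                            # also skips "query Name" headers
        if name:
            frags[name] = parse_set()
        else:
            ops.append(parse_set())
    return ops, frags

def walk_fields(selection, frags, depth=1, seen=frozenset()):
    """Yield (name, depth) per field; a spread expands at its own depth, `seen` breaks cycles."""
    for item in selection:
        if item[0] == 'field':
            yield item[1], depth
            if item[2]:
                yield from walk_fields(item[2], frags, depth + 1, seen)
        elif item[0] == 'inline':
            yield from walk_fields(item[1], frags, depth, seen)
        elif item[1] in frags and item[1] not in seen:
            yield from walk_fields(frags[item[1]], frags, depth, seen | {item[1]})

def analyze(doc):
    """Max depth and whether __schema/__type is selected (__typename is not introspection)."""
    ops, frags = parse_document(doc)
    fields = [f for op in ops for f in walk_fields(op, frags)]
    return {'depth': max((d for _, d in fields), default=0),
            'introspection': any(n in ('__schema', '__type') for n, _ in fields)}

def gate_request(body, allowlist=None, production=True, max_depth=MAX_DEPTH):
    """(accepted, reason).  With an allow-list only a registered extensions.persistedQuery.sha256Hash
    (Apollo-style shape, assumed) is accepted; otherwise the free-form query is checked."""
    if allowlist is not None:
        if 'query' in body:
            return False, 'free-form queries are not accepted; send a registered hash'
        digest = body.get('extensions', {}).get('persistedQuery', {}).get('sha256Hash')
        doc = allowlist.get(digest)
        if doc is None:
            return False, 'unknown operation hash'
    else:
        doc = body.get('query', '')
    try:
        info = analyze(doc)
    except IndexError:
        return False, 'malformed query'
    if production and info['introspection']:
        return False, 'introspection is disabled in production'
    if info['depth'] > max_depth:
        return False, f"query depth {info['depth']} exceeds limit {max_depth}"
    return True, 'ok'

# Constructed sample documents, not captured traffic.
LEGIT = 'query Me($first: Int = 10) { me { id name posts(first: $first) { id title } } }'
INTROSPECTION_PROBE = '{ __schema { types { name fields(includeDeprecated: true) { name } } } }'
FRAGMENT_BYPASS = '''query Hidden { me { friends { ...Deeper } } }
fragment Deeper on User { friends { friends { friends { friends { friends { friends { id } } } } } } }'''
ALLOWLIST = {hashlib.sha256(LEGIT.encode('utf-8')).hexdigest(): LEGIT}  # registered at build time
```

Depth here counts field levels from the root, so { me { id } } is 2; libraries differ on whether the root level counts as 0 or 1, so calibrate the limit against the validator you actually deploy. FRAGMENT_BYPASS is the case worth remembering: counting braces in the operation alone gives 2, but the spread carries seven more levels, which is why a depth rule must expand fragments. In a real server these checks belong in the engine's validation phase rather than in a hand-rolled tokenizer, which only handles the structural subset shown here.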
Key vocabulary:
• Introspection query — a meta-query starting with __schema or __type; __typename is different, it returns only the concrete type name of an object and is normally left enabled
• Enumeration attack — systematically mapping an API's surface to find exploitable endpoints
• Schema exposure — the risk that the schema reveals sensitive business logic or implementation details