docs(graphql): disable the introspection query (#1792)

epourail · web-flow · commit a96e94f56274 · 2023-08-08T15:43:53.000+02:00
diff --git a/core/configuration.md b/core/configuration.md
@@ -147,6 +147,10 @@ api_platform:
             # Enabled by default with installed webonyx/graphql-php and Twig.
             enabled: false
 
+        introspection:
+            # Enabled by default with installed webonyx/graphql-php.
+            enabled: true
+
         # The nesting separator used in the filter names.
         nesting_separator: _
 
diff --git a/core/graphql.md b/core/graphql.md
@@ -116,6 +116,20 @@ api_platform:
 # ...
 ```
 
+## Disabling the Introspection Query
+
+For security reason, the introspection query should be disabled to not expose the GraphQL schema.
+
+If you need to disable it, it can be done in the configuration:
+
+```yaml
+# api/config/packages/api_platform.yaml
+api_platform:
+    graphql:
+        introspection: false
+# ...
+```
+
 ## Request with `application/graphql` Content-Type
 
 If you wish to send a [POST request using the `application/graphql` Content-Type](https://graphql.org/learn/serving-over-http/#post-request),
