HIGH graphql introspectionadonisjsmutual tls

Graphql Introspection in Adonisjs with Mutual Tls

Scan for graphql introspection in adonisjs

Graphql Introspection in Adonisjs with Mutual Tls — how this specific combination creates or exposes the vulnerability

GraphQL introspection in an AdonisJS application reveals the full schema, queries, and mutations, which is valuable for developers but also for an attacker. When mutual TLS (mTLS) is used, the server validates the client certificate, but introspection is often left enabled in development or misconfigured in production. This combination creates a scenario where access is gated by mTLS, yet the exposed schema still allows information disclosure.

In AdonisJS, the GraphQL server is typically set up using packages such as @adonisjs/fold and a community GraphQL provider. Introspection is commonly enabled by default in development environments. If introspection is unintentionally exposed over an endpoint protected only by mTLS, an authenticated client with a valid certificate can run introspection queries to map the API surface. Attackers that compromise or steal a client certificate can leverage introspection to discover sensitive types, relationships, and query patterns, which can aid in crafting further attacks such as injection or IDOR.

mTLS ensures that only clients with a trusted certificate can reach the endpoint, but it does not reduce the attack surface of the GraphQL schema itself. If the endpoint lacks additional authorization checks around introspection, the combination of mTLS and open introspection can lead to unnecessary information exposure. This is particularly risky when the GraphQL endpoint also supports unauthenticated or weakly authenticated queries, as introspection may bypass intended access controls that rely solely on HTTP-level mTLS.

Real-world patterns show that introspection responses can include type definitions that reference internal models or business logic, effectively acting as an unauthentated enumeration mechanism for authenticated clients. For example, an introspection query can reveal queries like user(id: ID!): User or fields that should be restricted. Even with mTLS, an attacker with a valid certificate can automate introspection to map the API and identify endpoints for further exploitation, such as probing for BOLA or property authorization issues.

To assess this risk, scanners run parallel security checks including Authentication, Authorization, and Input Validation, while also testing for unauthenticated LLM endpoints and system prompt leakage. For GraphQL endpoints, introspection is treated as a potential information disclosure finding when it is accessible without proper authorization controls. The scanner evaluates whether the endpoint exposes schema details and maps findings to frameworks such as OWASP API Top 10 and PCI-DSS.

Mutual Tls-Specific Remediation in Adonisjs — concrete code fixes

To secure GraphQL introspection in AdonisJS with mutual TLS, you should disable introspection in production and enforce strict mTLS policies. Below are concrete code examples and configuration steps.

1. Configure the GraphQL server to disable introspection in production

When initializing the GraphQL provider, set introspection to false in production environments. In AdonisJS, this is typically done in the provider setup or configuration file.

// start/app.ts or a dedicated GraphQL provider file
import { Application } from '@adonisjs/core/types'
import { graphql } from '@adonisjs/graphql'

export default class AppProvider {
  constructor(protected app: Application) {}

  public register() {
    this.app.container.singleton('graphql', () => {
      return graphql({
        introspection: this.app.environment === 'development', // disable in production
        typeDefs: () => import('App/Graphql/types'),
        resolvers: () => import('App/Graphql/resolvers'),
      })
    })
  }
}

2. Enforce mutual TLS at the server or proxy layer

Mutual TLS is commonly enforced at the HTTP server or reverse proxy (e.g., Nginx, Caddy, or a cloud load balancer). Below is an example Nginx configuration that requires client certificates and passes only validated requests to the AdonisJS server.

# nginx.conf or site configuration
server {
  listen 443 ssl;
  server_name api.example.com;

  ssl_certificate           /etc/ssl/certs/server.crt;
  ssl_certificate_key       /etc/ssl/private/server.key;
  ssl_client_certificate    /etc/ssl/certs/ca-bundle.crt;
  ssl_verify_client         on;

  location /graphql {
    proxy_pass http://127.0.0.1:3333;
    proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;
    proxy_set_header X-SSL-VERIFY $ssl_client_verify;
  }
}

In this setup, ssl_verify_client on ensures that only clients with a trusted certificate can reach the endpoint. The AdonisJS app can optionally read X-SSL-CERT or X-SSL-VERIFY headers for additional logging or authorization, but the gatekeeping is done at the proxy layer.

3. Add route-level authorization for introspection

Even with mTLS, you can add an explicit check in your GraphQL route or middleware to block introspection for non-trusted contexts. For example, using a custom middleware in AdonisJS:

// start/middleware/introspection_guard.ts
import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'

export default class IntrospectionGuard {
  public async handle({ request, response, next }: HttpContextContract) {
    const isGraphqlRequest = request.url().startsWith('/graphql')
    const isIntrospection = request.input('query', '').includes('__schema')

    if (isGraphqlRequest && isIntrospection) {
      // Optionally allow only specific authenticated roles or IPs
      const clientCert = request.header('x-ssl-cert')
      if (!this.isAllowedCertificate(clientCert)) {
        return response.forbidden({ error: 'Introspection not allowed' })
      }
    }
    await next()
  }

  private isAllowedCertificate(cert?: string): boolean {
    // Implement logic to validate certificate fingerprints or subjects
    return !!cert && cert.includes('trusted-fingerprint')
  }
}

Register this middleware in your route or global middleware stack to block unauthorized introspection attempts. This complements mTLS by adding an application-layer check.

4. Use environment-based feature flags

Control introspection via environment variables so that you can toggle it without redeploying. This is useful for temporary debugging in production while keeping the default secure.

// .env
GRAPHQL_INTROSPECTION=true # set to false in production

// config/graphql.ts
import { Env } from '@ioc:Adonis/Core/Env'

export default {
  introspection: Env.get('GRAPHQL_INTROSPECTION', 'false') === 'true',
}

Related CWEs: dataExposure

CWE IDNameSeverity
CWE-200Exposure of Sensitive Information HIGH
CWE-209Error Information Disclosure MEDIUM
CWE-213Exposure of Sensitive Information Due to Incompatible Policies HIGH
CWE-215Insertion of Sensitive Information Into Debugging Code MEDIUM
CWE-312Cleartext Storage of Sensitive Information HIGH
CWE-359Exposure of Private Personal Information (PII) HIGH
CWE-522Insufficiently Protected Credentials CRITICAL
CWE-532Insertion of Sensitive Information into Log File MEDIUM
CWE-538Insertion of Sensitive Information into Externally-Accessible File HIGH
CWE-540Inclusion of Sensitive Information in Source Code HIGH
Scan for graphql introspection in adonisjs Free API security scan

Frequently Asked Questions

Does mutual TLS alone prevent GraphQL introspection abuse?
No. Mutual TLS ensures only certificate-authenticated clients can reach the endpoint, but it does not restrict what an authenticated client can query. Without explicit controls, authenticated clients can still perform introspection to map the schema. Combine mTLS with disabled introspection or route-level authorization for defense in depth.
Can middleBrick detect GraphQL introspection exposure when mTLS is used?
Yes. middleBrick runs unauthenticated black-box scans and includes Authentication and Authorization checks. It can detect whether introspection is exposed on a GraphQL endpoint, even when mTLS is used, and reports the information disclosure with remediation guidance.

Related Pages

Graphql Introspection in AdonisjsGraphQL introspection vulnerabilities in Adonisjs expose your entire API schema. Learn Adonisjs-specific detection and rGraphql Introspection with Mutual TlsGraphQL introspection vulnerabilities in mTLS environments expose API schemas to authenticated clients. Learn detection Graphql Introspection in Adonisjs on CloudflareGraphQL introspection risks in AdonisJS behind Cloudflare, with remediation code examples and security guidance.Graphql Introspection in Adonisjs on HerokuUnderstand GraphQL introspection risks in AdonisJS on Heroku and apply concrete fixes to disable introspection and enforGraphql Introspection in Adonisjs on AzureLearn how GraphQL introspection in AdonisJS on Azure can expose your API schema and how to remediate it with code and AzGraphql Introspection in Adonisjs on DockerUnderstand GraphQL introspection risks in AdonisJS within Docker and apply Docker-specific fixes using environment-basedIso 27001: Graphql Introspection in AdonisjsLearn how GraphQL introspection in AdonisJS can expose security risks under ISO 27001 and how to remediate with environmHipaa: Graphql Introspection in AdonisjsHIPAA risks in GraphQL introspection with AdonisJS, detection of exposed schema details, field-level authorization exampCis: Graphql Introspection in AdonisjsCIS controls, GraphQL introspection, and AdonisJS remediation — secure schema exposure with code examplesGdpr: Graphql Introspection in AdonisjsGDPR, GraphQL introspection, and AdonisJS: understand exposure risks and apply schema restrictions, authentication, and Graphql Introspection in Adonisjs with DynamodbGraphQL introspection in AdonisJS with DynamoDB exposes schema details; disable introspection in production and enforce Graphql Introspection in Adonisjs with CockroachdbGraphQL introspection risks in AdonisJS with CockroachDB: disable introspection, apply schema guards, use parameterized