Deployment

Before deploying your GraphQL app to production you should disable GraphiQL and Introspection .

Why are they a problem?

1. They can reveal sensitive information (e.g. internal business logic)

2. They make it easier for malicious parties to reverse engineer your GraphQL API

See more on this topic

How to disable them

GraphiQL

GraphiQL is useful during testing and development but should be disabled in production by default.

It can be turned off by setting the graphql_ide option to None

See the Strawberry Options documentation for the integration you are using for more information on how to disable it:

• AIOHTTP
• ASGI
• Django
• FastAPI
• Flask
• Quart
• Sanic
• Chalice
• Starlette

Introspection

Introspection should primarily be used as a discovery and diagnostic tool for testing and development, and should be disabled in production by default.

You can disable introspection by adding a validation rule extension .

Security extensions

Strawberry provides some security extensions to limit various aspects of the GraphQL document. These are recommended in production.

• query depth
• max number of aliases
• max number of tokens

More resources

See the documentation for the integration you are using for more information on deployment:

• AIOHTTP
• Django
• FastAPI
• Flask
• Sanic
• Chalice

The docs for ASGI and Starlette do not provide an official deployment guide, but you may find the documentation for other frameworks that use ASGI servers useful (e.g. FastAPI )