Disabling introspection should also disable "Did you mean ...?"

[Sainan]

This is a somewhat well-known workaround to introspection being disabled, especially since a client can just send a bunch of queries in a single go. Those queries could e.g. be sourced from an English dictionary.

Example projects exploiting this:

• https://github.com/nikitastupin/clairvoyance
• https://github.com/y0k4i-1337/clairvoyancex

[glasser]

Duplicate of #3919. There are several workarounds in comments on that issue.

Would love to see progress made in the linked graphql-js issue!

[Sainan]

A workaround like that is useless when not enabled by default. This is a security issue, not a preference issue.

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
For general questions, we recommend using StackOverflow or our discord server.