Here's some nuance: for private APIs that are accessible through a browser (where a token can potentially be used), blocking introspection in production is simple and effective enough to avoid leaking hidden features.
Used for securing public APIs, less so.
Schema can leak product launches if you feature flag code but not schema
Right, I'm talking about *schema* visibility, not just "This field exists but you cannot access it!" (Ex: https://graphql-ruby.org/authorization/visibility.html) That's an important distinction for sure though.
I often view turning it off as the easiest visibility filter. Same goals, just simpler to implement.
I had the same question standing up GraphQL at Starbucks. Smaller attack surface was all the justification we could muster to lock it down.
Keeping it public is also good for enforcing responsibility.
We disable introspection in production. Plus we use Relay and doc_ids, so none of our schema is ever in production bundles or in query requests.
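The two controls mentioned in this reply (persisted doc_ids plus introspection disabled in production) as one request gate, written as an added example that is not code from anyone in the thread or from any GraphQL library; `PERSISTED_QUERIES`, `gateRequest` and the `doc_id` request field are assumed names, and the allowlist contents are constructed sample data.

```javascript
// Constructed sample allowlist of persisted documents: doc_id -> query text.
// In a real deployment this is generated at build time from the client bundle.
const PERSISTED_QUERIES = {
  a1b2: 'query Me { viewer { id name } }',
  c3d4: 'query Items { items(first: 10) { id title } }',
};

// Blank out block strings, ordinary strings and # comments so that a literal
// such as search(q: "__type") or a commented-out line is not a false positive.
function stripCommentsAndStrings(query) {
  return query
    .replace(/"""[\s\S]*?"""/g, '""')      // block strings first
    .replace(/"(?:\\.|[^"\\])*"/g, '""')   // ordinary strings
    .replace(/#[^\n]*/g, '');              // comments run to end of line
}

// True when the document selects the introspection root fields __schema or
// __type (aliases still contain the name). __typename stays allowed because
// the trailing \b does not match inside "__typename".
function isIntrospectionQuery(query) {
  return /\b__(schema|type)\b/.test(stripCommentsAndStrings(query));
}

// Gate one request body. Persisted ids resolve against the allowlist and are
// accepted in any environment; free-form queries are refused entirely when
// persistedOnly is set, and introspection is refused in production.
function gateRequest(body, env, persistedOnly = false) {
  if (body.doc_id !== undefined) {
    const query = PERSISTED_QUERIES[body.doc_id];
    if (!query) return { ok: false, reason: 'unknown doc_id' };
    return { ok: true, query };
  }
  if (persistedOnly) return { ok: false, reason: 'only persisted documents accepted' };
  if (typeof body.query !== 'string') return { ok: false, reason: 'missing query' };
  if (env === 'production' && isIntrospectionQuery(body.query)) {
    return { ok: false, reason: 'introspection disabled in production' };
  }
  return { ok: true, query: body.query };
}
```

Rejected requests are worth logging with their reason: a burst of `introspection disabled` or `unknown doc_id` from one client is a useful signal that someone is mapping the schema.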
IMHO the security risk is worth it. If people find a good use for your API (integration with third parties?) that is not currently well done by your product, it's a big business opportunity. I think that if hackers want to break into your website, that would barely slow them down.