[Security] GraphQL schema exposes internal database structure and field names — enables targeted injection attacks

[anshul23102]

Executive Summary

GraphQL schema is introspectable and reveals exact database field names, types, and relationships. Attackers can map the schema to find injection vulnerabilities.

Proposed Solution

@Configuration
public class GraphQLSecurityConfig {
  @Bean
  public GraphQLSchema graphQLSchema() {
    return GraphQLSchema.newSchema()
      .query(buildQueryType())
      .mutation(buildMutationType())
      .introspectionEnabled(false)  // Disable introspection in production
      .build();
  }
}

// In application-prod.yml
graphql:
  introspection-enabled: false
  playground-enabled: false
  validation-rules: STRICT

Checklist

• I have searched existing issues and confirmed this is not a duplicate
• I have read the CONTRIBUTING.md guidelines
• I have provided clear steps to reproduce the issue
• I have described expected vs. actual behavior clearly
• This issue title is clear and specific
• This repository has been verified as NSOC on https://www.nsoc.in/projects

@pooranjoyb Could you please /assign this issue to me? I would like to implement GraphQL introspection protection under NSOC '26.

/assign