From 52eaec11d2fc0ea62f0b177abc8f70831679eba7 Mon Sep 17 00:00:00 2001
From: Tim Haerkens <timhaerkens@gmail.com>
Date: Tue, 10 Feb 2026 14:11:02 +0100
Subject: [PATCH 1/8] Add native support for disabling GraphQL introspection

---
 config/graphql.php              | 15 +++++++++++++++
 src/GraphQL/ServiceProvider.php |  6 ++++++
 2 files changed, 21 insertions(+)

diff --git a/config/graphql.php b/config/graphql.php
index 02f8258ce3..a7ef84b0fb 100644
--- a/config/graphql.php
+++ b/config/graphql.php
@@ -88,4 +88,19 @@
         'expiry' => 60,
     ],
 
+    /*
+    |--------------------------------------------------------------------------
+    | Security
+    |--------------------------------------------------------------------------
+    |
+    | Here you may configure security settings for your GraphQL API.
+    | Disabling introspection is recommended in production to prevent
+    | exposing the full schema to potential attackers.
+    |
+    */
+
+    'security' => [
+        'disable_introspection' => env('STATAMIC_GRAPHQL_INTROSPECTION_DISABLED', false),
+    ],
+
 ];
diff --git a/src/GraphQL/ServiceProvider.php b/src/GraphQL/ServiceProvider.php
index 0f95eab265..8661dda6fa 100644
--- a/src/GraphQL/ServiceProvider.php
+++ b/src/GraphQL/ServiceProvider.php
@@ -32,6 +32,7 @@ public function register()
 
             $this->disableGraphiql();
             $this->setDefaultSchema();
+            $this->configureIntrospection();
         });
     }
 
@@ -71,4 +72,9 @@ private function setDefaultSchema()
     {
         config(['graphql.schemas.default' => DefaultSchema::class]);
     }
+
+    private function configureIntrospection()
+    {
+        config(['graphql.security.disable_introspection' => config('statamic.graphql.security.disable_introspection')]);
+    }
 }

From 3dcf2d69e275abdab93c74c832507995c71f497d Mon Sep 17 00:00:00 2001
From: Jason Varga <jason@pixelfear.com>
Date: Tue, 10 Feb 2026 12:11:43 -0500
Subject: [PATCH 2/8] avoid negative config, add auto behavior

---
 config/graphql.php              | 12 +++++-------
 src/GraphQL/ServiceProvider.php |  6 +++++-
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/config/graphql.php b/config/graphql.php
index a7ef84b0fb..e2b46d2b41 100644
--- a/config/graphql.php
+++ b/config/graphql.php
@@ -90,17 +90,15 @@
 
     /*
     |--------------------------------------------------------------------------
-    | Security
+    | Introspection
     |--------------------------------------------------------------------------
     |
-    | Here you may configure security settings for your GraphQL API.
-    | Disabling introspection is recommended in production to prevent
-    | exposing the full schema to potential attackers.
+    | Introspection queries allow a user to see the schema and will power
+    | development tools. This is "auto" by default, which will enable
+    | it locally and keep it disabled everywhere else for security.
     |
     */
 
-    'security' => [
-        'disable_introspection' => env('STATAMIC_GRAPHQL_INTROSPECTION_DISABLED', false),
-    ],
+    'introspection' => env('STATAMIC_GRAPHQL_INTROSPECTION_ENABLED', 'auto'),
 
 ];
diff --git a/src/GraphQL/ServiceProvider.php b/src/GraphQL/ServiceProvider.php
index 8661dda6fa..f76aa24538 100644
--- a/src/GraphQL/ServiceProvider.php
+++ b/src/GraphQL/ServiceProvider.php
@@ -75,6 +75,10 @@ private function setDefaultSchema()
 
     private function configureIntrospection()
     {
-        config(['graphql.security.disable_introspection' => config('statamic.graphql.security.disable_introspection')]);
+        $config = config('statamic.graphql.introspection', 'auto');
+
+        $value = $config === 'auto' ? app()->isLocal() : (bool) $config;
+
+        config(['graphql.security.disable_introspection' => ! $value]);
     }
 }

From b956839ab3cc3d48673b133f75446f4b25c2894e Mon Sep 17 00:00:00 2001
From: Jason Varga <jason@pixelfear.com>
Date: Tue, 10 Feb 2026 13:18:44 -0500
Subject: [PATCH 3/8] move to manager

---
 src/Facades/GraphQL.php         | 1 +
 src/GraphQL/Manager.php         | 7 +++++++
 src/GraphQL/ServiceProvider.php | 7 ++-----
 3 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/Facades/GraphQL.php b/src/Facades/GraphQL.php
index c06d1ec22a..bd3e411a5a 100644
--- a/src/Facades/GraphQL.php
+++ b/src/Facades/GraphQL.php
@@ -22,6 +22,7 @@
  * @method static array getExtraQueries()
  * @method static void addMiddleware($middleware)
  * @method static array getExtraMiddleware()
+ * @method static bool introspectionEnabled()
  *
  * @see \Statamic\GraphQL\Manager
  */
diff --git a/src/GraphQL/Manager.php b/src/GraphQL/Manager.php
index 7ad2a6d6f4..63441b81b8 100644
--- a/src/GraphQL/Manager.php
+++ b/src/GraphQL/Manager.php
@@ -95,4 +95,11 @@ public function getExtraMiddleware()
     {
         return $this->middleware;
     }
+
+    public function introspectionEnabled(): bool
+    {
+        $config = config('statamic.graphql.introspection', 'auto');
+
+        return $config === 'auto' ? app()->isLocal() : (bool) $config;
+    }
 }
diff --git a/src/GraphQL/ServiceProvider.php b/src/GraphQL/ServiceProvider.php
index f76aa24538..aa26d012dd 100644
--- a/src/GraphQL/ServiceProvider.php
+++ b/src/GraphQL/ServiceProvider.php
@@ -6,6 +6,7 @@
 use Illuminate\Support\ServiceProvider as LaravelProvider;
 use Rebing\GraphQL\GraphQLController;
 use Statamic\Contracts\GraphQL\ResponseCache;
+use Statamic\Facades\GraphQL;
 use Statamic\GraphQL\ResponseCache\DefaultCache;
 use Statamic\GraphQL\ResponseCache\NullCache;
 use Statamic\Http\Middleware\HandleToken;
@@ -75,10 +76,6 @@ private function setDefaultSchema()
 
     private function configureIntrospection()
     {
-        $config = config('statamic.graphql.introspection', 'auto');
-
-        $value = $config === 'auto' ? app()->isLocal() : (bool) $config;
-
-        config(['graphql.security.disable_introspection' => ! $value]);
+        config(['graphql.security.disable_introspection' => ! GraphQL::introspectionEnabled()]);
     }
 }

From 5ff058b314974bde557f13c44693697efd15779e Mon Sep 17 00:00:00 2001
From: Jason Varga <jason@pixelfear.com>
Date: Tue, 10 Feb 2026 13:22:08 -0500
Subject: [PATCH 4/8] upgrade graphiql

---
 resources/views/graphql/graphiql.blade.php | 46 ++++++++--------------
 1 file changed, 17 insertions(+), 29 deletions(-)

diff --git a/resources/views/graphql/graphiql.blade.php b/resources/views/graphql/graphiql.blade.php
index bbfe8b5abb..5cc5720c5e 100644
--- a/resources/views/graphql/graphiql.blade.php
+++ b/resources/views/graphql/graphiql.blade.php
@@ -7,7 +7,6 @@
         <style>
             body {
                 margin: 0;
-                overflow: hidden; /* in Firefox */
             }
 
             #graphiql {
@@ -24,63 +23,52 @@
         </style>
         <link
             rel="stylesheet"
-            href="https://esm.sh/graphiql@4.0.0/dist/style.css"
+            href="https://esm.sh/graphiql/dist/style.css"
         >
         <link
             rel="stylesheet"
-            href="https://esm.sh/@graphiql/plugin-explorer@4.0.0/dist/style.css"
+            href="https://esm.sh/@graphiql/plugin-explorer/dist/style.css"
         >
-        <!-- Note: the ?standalone flag bundles the module along with all of its `dependencies`, excluding `peerDependencies`, into a single JavaScript file. -->
+
         <script type="importmap">
             {
               "imports": {
                 "react": "https://esm.sh/react@19.1.0",
-                "react/jsx-runtime": "https://esm.sh/react@19.1.0/jsx-runtime",
+                "react/": "https://esm.sh/react@19.1.0/",
 
                 "react-dom": "https://esm.sh/react-dom@19.1.0",
-                "react-dom/client": "https://esm.sh/react-dom@19.1.0/client",
+                "react-dom/": "https://esm.sh/react-dom@19.1.0/",
 
-                "graphiql": "https://esm.sh/graphiql@4.0.0?standalone&external=react,react/jsx-runtime,react-dom,@graphiql/react",
-                "@graphiql/plugin-explorer": "https://esm.sh/@graphiql/plugin-explorer@4.0.0?standalone&external=react,react/jsx-runtime,react-dom,@graphiql/react,graphql",
-                "@graphiql/react": "https://esm.sh/@graphiql/react@0.30.0?standalone&external=react,react/jsx-runtime,react-dom,graphql,@graphiql/toolkit",
+                "graphiql": "https://esm.sh/graphiql?standalone&external=react,react-dom,@graphiql/react,graphql",
+                "graphiql/": "https://esm.sh/graphiql/",
+                "@graphiql/plugin-explorer": "https://esm.sh/@graphiql/plugin-explorer?standalone&external=react,@graphiql/react,graphql",
+                "@graphiql/react": "https://esm.sh/@graphiql/react?standalone&external=react,react-dom,graphql,@graphiql/toolkit,@emotion/is-prop-valid",
 
-                "@graphiql/toolkit": "https://esm.sh/@graphiql/toolkit@0.11.2?standalone&external=graphql",
-                "graphql": "https://esm.sh/graphql@16.11.0"
+                "@graphiql/toolkit": "https://esm.sh/@graphiql/toolkit?standalone&external=graphql",
+                "graphql": "https://esm.sh/graphql@16.11.0",
+                "@emotion/is-prop-valid": "data:text/javascript,"
               }
             }
         </script>
         <script type="module">
-            // Import React and ReactDOM
             import React from 'react';
             import ReactDOM from 'react-dom/client';
-            // Import GraphiQL and the Explorer plugin
-            import { GraphiQL } from 'graphiql';
+            import { GraphiQL, HISTORY_PLUGIN } from 'graphiql';
             import { createGraphiQLFetcher } from '@graphiql/toolkit';
             import { explorerPlugin } from '@graphiql/plugin-explorer';
-
-            var xcsrfToken = null;
+            import 'graphiql/setup-workers/esm.sh';
 
             const fetcher = createGraphiQLFetcher({
                 url: '{{ $url }}',
-                headers: {
-                    Accept: 'application/json',
-                    'Content-Type': 'application/json',
-                    'x-csrf-token': xcsrfToken || '{{ csrf_token() }}',
-                },
-                fetch: async (fetchURL, fetchOptions) => {
-                    return await fetch(fetchURL, fetchOptions).then((response) => {
-                        xcsrfToken = response.headers.get('x-csrf-token');
-                        return response;
-                    });
-                },
             });
 
-            const explorer = explorerPlugin();
+            let plugins = [HISTORY_PLUGIN, explorerPlugin()];
 
             function App() {
                 return React.createElement(GraphiQL, {
                     fetcher,
-                    plugins: [explorer],
+                    plugins,
+                    defaultEditorToolsVisibility: true,
                 });
             }
 

From f60ca4655cf1c32f11df57c9b004e449d9b3901f Mon Sep 17 00:00:00 2001
From: Jason Varga <jason@pixelfear.com>
Date: Tue, 10 Feb 2026 13:25:04 -0500
Subject: [PATCH 5/8] disable things when introspection is disabled ...

- explorer plugin is conditionally pushed to array
- reference plugin is disabled via prop
- use a null schema which prevents the initial fetch request
---
 resources/views/graphql/graphiql.blade.php    | 13 ++++++++++++-
 src/Http/Controllers/CP/GraphQLController.php |  2 ++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/resources/views/graphql/graphiql.blade.php b/resources/views/graphql/graphiql.blade.php
index 5cc5720c5e..cff8df91d9 100644
--- a/resources/views/graphql/graphiql.blade.php
+++ b/resources/views/graphql/graphiql.blade.php
@@ -30,6 +30,12 @@
             href="https://esm.sh/@graphiql/plugin-explorer/dist/style.css"
         >
 
+        @if (!$introspection)
+        <style>
+            button[aria-label*="Re-fetch GraphQL schema"] { visibility: hidden; }
+        </style>
+        @endif
+
         <script type="importmap">
             {
               "imports": {
@@ -58,17 +64,22 @@
             import { explorerPlugin } from '@graphiql/plugin-explorer';
             import 'graphiql/setup-workers/esm.sh';
 
+            const introspectionEnabled = {{ \Statamic\Support\Str::bool($introspection) }};
+
             const fetcher = createGraphiQLFetcher({
                 url: '{{ $url }}',
             });
 
-            let plugins = [HISTORY_PLUGIN, explorerPlugin()];
+            let plugins = [HISTORY_PLUGIN];
+            if (introspectionEnabled) plugins.push(explorerPlugin());
 
             function App() {
                 return React.createElement(GraphiQL, {
                     fetcher,
                     plugins,
                     defaultEditorToolsVisibility: true,
+                    referencePlugin: introspectionEnabled ? undefined : null,
+                    schema: introspectionEnabled ? undefined : null,
                 });
             }
 
diff --git a/src/Http/Controllers/CP/GraphQLController.php b/src/Http/Controllers/CP/GraphQLController.php
index aad55bc3e2..327aaac2f7 100644
--- a/src/Http/Controllers/CP/GraphQLController.php
+++ b/src/Http/Controllers/CP/GraphQLController.php
@@ -2,6 +2,7 @@
 
 namespace Statamic\Http\Controllers\CP;
 
+use Statamic\Facades\GraphQL;
 use Statamic\Http\Middleware\RequireStatamicPro;
 
 class GraphQLController extends CpController
@@ -22,6 +23,7 @@ public function graphiql()
 
         return view('statamic::graphql.graphiql', [
             'url' => '/'.config('graphql.route.prefix'),
+            'introspection' => GraphQL::introspectionEnabled(),
         ]);
     }
 }

From dc0b3a331209733ef616f003eae9b963270e8426 Mon Sep 17 00:00:00 2001
From: Jason Varga <jason@pixelfear.com>
Date: Tue, 10 Feb 2026 15:47:17 -0500
Subject: [PATCH 6/8] disabling the package will override ours.

---
 src/GraphQL/Manager.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/GraphQL/Manager.php b/src/GraphQL/Manager.php
index 63441b81b8..25e74de07e 100644
--- a/src/GraphQL/Manager.php
+++ b/src/GraphQL/Manager.php
@@ -98,6 +98,10 @@ public function getExtraMiddleware()
 
     public function introspectionEnabled(): bool
     {
+        if (config('graphql.security.disable_introspection')) {
+            return false;
+        }
+
         $config = config('statamic.graphql.introspection', 'auto');
 
         return $config === 'auto' ? app()->isLocal() : (bool) $config;

From 1d6b9d864854c653b8aeffadc42478a358c0df19 Mon Sep 17 00:00:00 2001
From: Jason Varga <jason@pixelfear.com>
Date: Tue, 10 Feb 2026 15:47:32 -0500
Subject: [PATCH 7/8] test

---
 tests/GraphQL/ManagerTest.php | 50 +++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 tests/GraphQL/ManagerTest.php

diff --git a/tests/GraphQL/ManagerTest.php b/tests/GraphQL/ManagerTest.php
new file mode 100644
index 0000000000..256ba399e2
--- /dev/null
+++ b/tests/GraphQL/ManagerTest.php
@@ -0,0 +1,50 @@
+<?php
+
+namespace Tests\GraphQL;
+
+use PHPUnit\Framework\Attributes\DataProvider;
+use PHPUnit\Framework\Attributes\Group;
+use PHPUnit\Framework\Attributes\Test;
+use Statamic\Facades\GraphQL;
+use Tests\TestCase;
+
+#[Group('graphql')]
+class ManagerTest extends TestCase
+{
+    #[Test]
+    #[DataProvider('introspectionProvider')]
+    public function it_gets_introspection_enabled_state($packageEnabled, $statamicConfig, $environment, $expected)
+    {
+        config(['graphql.security.disable_introspection' => is_null($packageEnabled) ? null : ! $packageEnabled]);
+        config(['statamic.graphql.introspection' => $statamicConfig]);
+        $this->app['env'] = $environment;
+
+        $this->assertEquals($expected, GraphQL::introspectionEnabled());
+    }
+
+    public static function introspectionProvider()
+    {
+        return [
+            'pkg null, statamic null, local' => [null, null, 'local', true],
+            'pkg null, statamic null, prod' => [null, null, 'prod', false],
+
+            'pkg enabled, statamic null, local' => [true, null, 'local', true],
+            'pkg enabled, statamic null, prod' => [true, null, 'prod', false],
+            'pkg enabled, statamic auto, local' => [true, 'auto', 'local', true],
+            'pkg enabled, statamic auto, prod' => [true, 'auto', 'prod', false],
+            'pkg enabled, statamic enabled, local' => [true, true, 'local', true],
+            'pkg enabled, statamic enabled, prod' => [true, true, 'prod', true],
+            'pkg enabled, statamic disabled, local' => [true, false, 'local', false],
+            'pkg enabled, statamic disabled, prod' => [true, false, 'prod', false],
+
+            'pkg disabled, statamic null, local' => [false, null, 'local', false],
+            'pkg disabled, statamic null, prod' => [false, null, 'prod', false],
+            'pkg disabled, statamic auto, local' => [false, 'auto', 'local', false],
+            'pkg disabled, statamic auto, prod' => [false, 'auto', 'prod', false],
+            'pkg disabled, statamic enabled, local' => [false, true, 'local', false],
+            'pkg disabled, statamic enabled, prod' => [false, true, 'prod', false],
+            'pkg disabled, statamic disabled, local' => [false, false, 'local', false],
+            'pkg disabled, statamic disabled, prod' => [false, false, 'prod', false],
+        ];
+    }
+}

From 24a333c3eaeada1af9f9a56c45498adb285f2b17 Mon Sep 17 00:00:00 2001
From: Jason Varga <jason@pixelfear.com>
Date: Tue, 10 Feb 2026 15:47:50 -0500
Subject: [PATCH 8/8] handle explicit null

---
 src/GraphQL/Manager.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/GraphQL/Manager.php b/src/GraphQL/Manager.php
index 25e74de07e..abf10241db 100644
--- a/src/GraphQL/Manager.php
+++ b/src/GraphQL/Manager.php
@@ -102,7 +102,7 @@ public function introspectionEnabled(): bool
             return false;
         }
 
-        $config = config('statamic.graphql.introspection', 'auto');
+        $config = config('statamic.graphql.introspection') ?? 'auto';
 
         return $config === 'auto' ? app()->isLocal() : (bool) $config;
     }