dive-into-graphql-in-java
About graphiql-spring-boot-starter: why only in dev, not production?
@vladimir-dejanovic, thanks for this excellent talk. It's exactly what I needed.
In the talk, you emphasized that the graphiql-spring-boot-starter dependency should only be used in development, "never in production." I'm wondering if you can clarify the reasoning.
I understand that this dependency enables the GraphiQL documentation and testing sandbox in the running service. In fact, we do plan to make that available to client developers. And while we could enable it only in our dev and/or QA environments, it might be a little less convenient if they cannot do it with the production instance.
I can think of a few possible reasons not to provide GraphiQL in production. Most obvious is that GraphiQL allows anyone to submit arbitrary queries or mutations, which exposes the system to data integrity issues and arbitrary processing load from complex queries.
Is that why you said it should only be used in development?