
Add an option in security config to disable field name suggestions

Open webard opened this issue 2 years ago • 1 comment

Hi, I found the tool https://graphql.security/ and one of the points is:

Field suggestion enabled
Description: If introspection is disabled on your target, Field Suggestion can allow users to still learn information on the GraphQL schema. By default, GraphQL backends have a feature for fields and operations suggestions. If you try to query a field but you have made a typo, GraphQL will attempt to suggest fields that are similar to the initial attempt.

Field suggestions are not a vulnerability, but from an attacker's point of view, this feature can be abused to gain more insight into GraphQL's schema, especially when Introspection is not allowed.

I think the field name suggestion option should be off by default when introspection is off, or there should be a separate setting for this.

webard, Jun 14 '22 15:06

Implementing this is quite an involved change. A quick search for suggestion across the project reveals about a dozen places where information about the schema is leaked through suggestions.

Do you know of any GraphQL servers that make this configurable? It would be valuable to see how they implement it and what choices they made.

I am not fully convinced that we should even make this configurable. I can see the reasoning behind it, but isn't the whole idea of disabling introspection a kind of security through obscurity? Even if suggestions are turned off, the server still leaks information about which fields are available by nature of query validation. Available field names can be brute forced.

spawnia, Jun 14 '22 19:06
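To make both posts above concrete, here is an added example (not from the issue or the graphql-php project) that turns on graphql-php's DisableIntrospection rule, validates a query with a misspelled field to show the "Did you mean" hint that survives, and then installs an error formatter that strips that clause until a proper config option exists. The schema, the vendor autoload path, and the exact wording of the suggestion clause that the regex matches are assumptions.

```php
<?php
// Added example, not part of the issue or of graphql-php itself.
// Assumes a Composer install of webonyx/graphql-php and PHP >= 7.4.
require_once __DIR__ . '/vendor/autoload.php';

use GraphQL\Error\FormattedError;
use GraphQL\GraphQL;
use GraphQL\Type\Definition\ObjectType;
use GraphQL\Type\Definition\Type;
use GraphQL\Type\Schema;
use GraphQL\Validator\DocumentValidator;
use GraphQL\Validator\Rules\DisableIntrospection;

// Constructed schema: one field whose name we would rather not have guessed.
$queryType = new ObjectType([
    'name' => 'Query',
    'fields' => [
        'secretToken' => [
            'type' => Type::string(),
            'resolve' => fn () => 'hidden',
        ],
    ],
]);
$schema = new Schema(['query' => $queryType]);

// The setting the issue is about: introspection queries now fail validation.
DocumentValidator::addRule(new DisableIntrospection(DisableIntrospection::ENABLED));

// A near-miss field name: validation rejects it, but the FieldsOnCorrectType
// rule still appends a suggestion pointing at the real field name.
$result = GraphQL::executeQuery($schema, '{ secretTokn }');
echo $result->toArray()['errors'][0]['message'], PHP_EOL;

// Mitigation at the response layer: keep the validation error, drop the hint.
// Assumes the clause has the form ' Did you mean "..."?' at the end of the message.
$result->setErrorFormatter(static function (\Throwable $e): array {
    $formatted = FormattedError::createFromException($e);
    $formatted['message'] = preg_replace('/ Did you mean .*\?$/', '', $formatted['message']);
    return $formatted;
});
echo $result->toArray()['errors'][0]['message'], PHP_EOL;
```

As spawnia points out, stripping the hint only removes the shortcut: the validation error still confirms whether a given name exists, so field names can still be enumerated one request at a time, and rate limiting or monitoring of repeated validation failures is the complementary control.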