Fix Security Misconfiguration in RedwoodJS
RedwoodJS is built for speed, but its default GraphQL and CORS configurations can be a goldmine for attackers. Misconfiguring the GraphQL handler or exposing sensitive environment variables through the 'REDWOOD_ENV_' prefix allows for schema mapping and credential leakage. In this guide, we harden the API layer by disabling introspection in production and enforcing strict origin checks.
The Vulnerable Pattern
// api/src/functions/graphql.js
import { createGraphQLHandler } from '@redwoodjs/graphql-server'

import directives from 'src/directives/**/*.{js,ts}'
import sdls from 'src/graphql/**/*.sdl.{js,ts}'
import services from 'src/services/**/*.{js,ts}'

import { logger } from 'src/lib/logger'

export const handler = createGraphQLHandler({
  loggerConfig: { logger, options: {} },
  directives,
  sdls,
  services,
  // VULNERABILITY: Permissive CORS and default introspection.
  // A wildcard origin lets any site call the API, and combining it with
  // credentials: true is not even a valid CORS response for browsers.
  cors: {
    origin: '*',
    credentials: true,
  },
})
The Secure Implementation
The vulnerable configuration uses a wildcard '*' for CORS, allowing any malicious domain to interact with the API. Furthermore, by not explicitly setting introspection to false, an attacker can use tools like Apollo Studio or Altair to dump the entire SDL, revealing internal data structures and hidden administrative mutations. The secure code restricts the origin to a trusted environment variable and toggles introspection based on NODE_ENV. Additionally, ensure that sensitive keys are stored in '.env' without the 'REDWOOD_ENV_' prefix, because Redwood bundles every variable with that prefix into the public-facing web side.
// api/src/functions/graphql.js
import { createGraphQLHandler } from '@redwoodjs/graphql-server'

import directives from 'src/directives/**/*.{js,ts}'
import sdls from 'src/graphql/**/*.sdl.{js,ts}'
import services from 'src/services/**/*.{js,ts}'

import { logger } from 'src/lib/logger'

export const handler = createGraphQLHandler({
  loggerConfig: { logger, options: {} },
  directives,
  sdls,
  services,
  // FIX: Disable introspection in production to prevent schema discovery
  // (Redwood's option name for this is allowIntrospection).
  allowIntrospection: process.env.NODE_ENV !== 'production',
  // FIX: Enforce a strict CORS policy with an explicit trusted origin.
  cors: {
    origin: process.env.ALLOWED_ORIGIN || 'https://your-production-domain.com',
    credentials: true,
    methods: 'POST,OPTIONS',
  },
  // FIX: Limit query depth to blunt resource-exhaustion (DoS) queries.
  depthLimitOptions: { maxDepth: 10 },
})
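As an added example (not code from the original page or from the RedwoodJS project), a small pre-deploy check that derives the handler options from the environment and audits them for the misconfigurations described above; buildGraphQLOptions, auditConfig, SENSITIVE_NAME and all sample environment values are hypothetical.

```javascript
// Added example (not RedwoodJS code): build the handler options from the
// environment and audit them for the misconfigurations discussed above.
// Function names and sample values are hypothetical/constructed.
const SENSITIVE_NAME = /(SECRET|TOKEN|KEY|PASSWORD|DATABASE_URL)/i

// Derive createGraphQLHandler options from env, failing closed in production
// instead of silently falling back to a placeholder origin.
function buildGraphQLOptions(env) {
  const isProd = env.NODE_ENV === 'production'
  if (isProd && !env.ALLOWED_ORIGIN) {
    throw new Error('ALLOWED_ORIGIN must be set in production')
  }
  return {
    allowIntrospection: !isProd,
    cors: {
      origin: env.ALLOWED_ORIGIN || 'http://localhost:8910',
      credentials: true,
      methods: 'POST,OPTIONS',
    },
    depthLimitOptions: { maxDepth: 10 },
  }
}

// Return a list of findings; an empty list means the options pass.
function auditConfig(options, env) {
  const findings = []
  const isProd = env.NODE_ENV === 'production'
  const cors = options.cors || {}
  if (!cors.origin || cors.origin === '*') {
    findings.push('cors.origin must be an explicit trusted origin, not unset or a wildcard')
  }
  if (cors.origin === '*' && cors.credentials) {
    findings.push('credentials: true combined with a wildcard origin')
  }
  if (isProd && options.allowIntrospection !== false) {
    findings.push('introspection is not explicitly disabled in production')
  }
  if (!options.depthLimitOptions || !options.depthLimitOptions.maxDepth) {
    findings.push('no query depth limit configured')
  }
  // Anything prefixed REDWOOD_ENV_ is bundled into the web side; flag secrets.
  for (const name of Object.keys(env)) {
    if (name.startsWith('REDWOOD_ENV_') && SENSITIVE_NAME.test(name)) {
      findings.push(`${name} looks like a secret but would ship in the web bundle`)
    }
  }
  return findings
}
```

Run auditConfig against the vulnerable pattern and it reports every issue the guide lists; run it against buildGraphQLOptions output in production and it returns an empty list.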
Verified by Ghost Labs Security Team