feat(graphql): add feature flag and CSP headers for GraphiQL endpoint #15364
Adds configuration to disable GraphiQL in air-gapped/production environments and implements Content Security Policy headers to address security scanner findings.

Changes:
- Add @ConditionalOnProperty to GraphiQLController for enabling/disabling endpoint
- Add graphql.graphiql.enabled configuration property (defaults to true for backward compatibility)
- Implement CSP headers (script-src, style-src, connect-src, img-src)
- Add X-Content-Type-Options and X-Frame-Options security headers
- Add spring-boot-autoconfigure dependency and update gradle lockfile

Configuration:
- Set GRAPHQL_GRAPHIQL_ENABLED=false to disable in air-gapped or production environments
- Endpoint returns 404 when disabled

Security improvements:
- Content-Security-Policy header allows self and unpkg.com sources
- X-Content-Type-Options: nosniff prevents MIME-sniffing attacks
- X-Frame-Options: DENY prevents clickjacking

Resolves air-gapped deployment blockers and satisfies OWASP ZAP security requirements.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
chriscollins3456
left a comment
this makes enough sense, but not sure about the CSP headers
| () -> { | ||
| // Add Content Security Policy headers to allow unpkg.com for external resources | ||
| response.setHeader( | ||
| "Content-Security-Policy", | ||
| "default-src 'self'; " | ||
| + "script-src 'self' https://unpkg.com 'unsafe-inline'; " | ||
| + "style-src 'self' https://unpkg.com 'unsafe-inline'; " | ||
| + "img-src 'self' data:; " | ||
| + "connect-src 'self'"); | ||
|
|
||
| response.setHeader("X-Content-Type-Options", "nosniff"); | ||
| response.setHeader("X-Frame-Options", "DENY"); | ||
|
|
||
| return this.graphiqlHtml; | ||
| }, | ||
| this.getClass().getSimpleName(), | ||
| "graphiQL"); |
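Review bot: the script-src directive carries 'unsafe-inline' next to 'self' and https://unpkg.com, which permits any inline script that lands in the page to execute and so gives up most of the XSS protection the policy would otherwise provide; if GraphiQL's inline bootstrap script is the reason, a per-response nonce ('nonce-...') or a hash of that script would keep the policy strict, and the comment on the first line of the block should state why inline execution is needed rather than only mentioning unpkg.com. Since the same block sets X-Frame-Options to DENY, adding frame-ancestors 'none' to the policy would express the same restriction in CSP itself, which is the directive current browsers consult first. A test that asserts on these header values for the GraphiQL response would also make the behaviour verifiable instead of relying on the scanner run.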
i don't feel confident about these changes and what they're doing for us. i would recommend double checking with someone from the platform team
These changes are not mandatory but are required to satisfy the security compliance issue for enterprise customers. Security scanners like OWASP flag the lack of CSP headers and report it as a security vulnerability.
This has been reported in community slack.
https://datahubspace.slack.com/archives/CV2KB471C/p1762287974158799?thread_ts=1761770048.446169&cid=CV2KB471C
Summary
This PR adds a configuration flag to disable the GraphiQL endpoint and implements Content Security Policy (CSP) headers to address security scanner findings. This resolves blockers for air-gapped deployments and satisfies OWASP ZAP security requirements.
Changes
1. Feature Flag for GraphiQL Endpoint
- Added @ConditionalOnProperty annotation to GraphiQLController
- Set graphql.graphiql.enabled=false to disable the endpoint; defaults to true for backward compatibility

2. Security Headers Implementation
- script-src 'self' https://unpkg.com 'unsafe-inline'
- style-src 'self' https://unpkg.com 'unsafe-inline'
- img-src 'self' data:
- connect-src 'self'

3. Configuration Updates
- graphql.graphiql.enabled property in application.yaml
- GRAPHQL_GRAPHIQL_ENABLED environment variable

4. Dependency Updates
- spring-boot-autoconfigure dependency to support @ConditionalOnProperty

Use Cases
Air-Gapped Deployments
Customers in air-gapped environments can now disable the GraphiQL endpoint that requires external CDN access:
export GRAPHQL_GRAPHIQL_ENABLED=false

Production Security
Organizations can disable developer tools in production:
Security Compliance
CSP headers now satisfy security scanner requirements (OWASP ZAP, Burp Suite, etc.)
Testing
Files Modified
- metadata-service/graphql-servlet-impl/src/main/java/com/datahub/graphql/GraphiQLController.java
- metadata-service/configuration/src/main/resources/application.yaml
- metadata-service/graphql-servlet-impl/build.gradle
- metadata-service/graphql-servlet-impl/gradle.lockfile

Related Issues
Addresses security and air-gapped deployment concerns mentioned in internal discussions.
🤖 Generated with Claude Code
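To make the reviewer's concern about the CSP concrete, here is an added audit script (not part of the PR or the DataHub code base) that parses the exact header set the PR emits, constructed inline as a sample, and flags the weaknesses a reviewer would raise: 'unsafe-inline' in script-src and the absence of a frame-ancestors directive. The parsing follows the CSP rule that the first occurrence of a directive wins.

```python
"""Audit the Content-Security-Policy and companion headers a GraphiQL response sets."""
from typing import Dict, List

# Constructed sample: the header values the PR's GraphiQLController sets.
SAMPLE_HEADERS = {
    "Content-Security-Policy": (
        "default-src 'self'; "
        "script-src 'self' https://unpkg.com 'unsafe-inline'; "
        "style-src 'self' https://unpkg.com 'unsafe-inline'; "
        "img-src 'self' data:; "
        "connect-src 'self'"
    ),
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP string into {directive: [sources]}; the first occurrence of a directive wins."""
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return the findings a reviewer would raise; an empty list means nothing was flagged."""
    findings: List[str] = []
    csp = parse_csp(headers.get("Content-Security-Policy", ""))
    if not csp:
        return ["missing Content-Security-Policy"]
    # script-src falls back to default-src when absent, so check the effective directive.
    effective_script_src = csp.get("script-src", csp.get("default-src", []))
    # 'unsafe-inline' re-enables inline script execution, the main thing CSP is meant to block.
    if "'unsafe-inline'" in effective_script_src:
        findings.append("script-src allows 'unsafe-inline'")
    # frame-ancestors is the CSP-level replacement for X-Frame-Options.
    if "frame-ancestors" not in csp:
        findings.append("no frame-ancestors directive (relying on X-Frame-Options)")
    if headers.get("X-Content-Type-Options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if headers.get("X-Frame-Options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print("FINDING:", finding)
```

Run against a live deployment by replacing SAMPLE_HEADERS with the response headers from a GET of the GraphiQL path.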