Security Researcher Detected: You might have ended up here because your site vulnerability scanner found something interesting. Hi! I'm a security engineer and I'm having a good time interacting with the people and bots that are interested in information security.
You will hopefully find this site is well-secured and I'm not interested in being hacked. I'm interested in learning about how people try to hack me, though.
What is this endpoint?
api/v1/hasura/metadata
Hasura Metadata API
What an attacker could do
An unprotected Hasura metadata endpoint lets an attacker read the full GraphQL schema, permissions, and remote/event configurations, and if the admin secret leaks, rewrite permissions to expose all underlying database tables.
How to defend it
Set a strong `HASURA_GRAPHQL_ADMIN_SECRET`, disable the console and metadata APIs in production, and restrict the metadata/admin endpoints to internal networks only.
Connect with the Security Engineer
Learn More
Want to dive deeper into this topic? Check out the official documentation.
Read Official Documentation