This means that detailed execution information (such as query performance metrics and resolver timing) is being logged for each request.
While tracing is valuable for debugging and performance optimization during development, it poses a security risk if it is left enabled in a production environment. Tracing output exposes details of the backend that are normally hidden from clients: the resolver structure, the shape of the underlying database queries, and per-resolver processing times. An attacker can use this to map the internal workings of the API and to locate performance bottlenecks that would aid an attack.

An attacker queries the GraphQL API with requests that trigger detailed tracing output. By analyzing the trace data, the attacker gains insight into the database schema, the internal API logic, and where the slow paths are. This information can then be used to craft queries that target the weakest parts of the system, for example by exercising slow database queries or unoptimized resolvers until the backend is overloaded.
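The two things a defender wants here are a way to confirm whether a deployment actually returns tracing data, and a way to remove it before responses leave the server. The following is an added example, not code from the original page or from any particular GraphQL server project. It assumes the Apollo Tracing response format (an `extensions.tracing` object carrying a list of resolvers with nanosecond durations); the sample response is constructed, and the name of the server hook into which `stripTracing` would be wired is an assumption that varies by server.

```javascript
// Added example (not part of the original page): audit a GraphQL JSON
// response for an Apollo-Tracing-style "extensions.tracing" block, and
// strip that block before the response is sent to the client.
// SAMPLE_RESPONSE is constructed for illustration only.

const SAMPLE_RESPONSE = {
  data: { user: { id: "1", orders: [{ id: "10" }] } },
  extensions: {
    tracing: {
      version: 1,
      startTime: "2024-01-01T00:00:00.000Z",
      endTime: "2024-01-01T00:00:00.250Z",
      duration: 250000000, // nanoseconds
      execution: {
        resolvers: [
          { path: ["user"], parentType: "Query", fieldName: "user",
            returnType: "User", startOffset: 1000, duration: 20000000 },
          { path: ["user", "orders"], parentType: "User", fieldName: "orders",
            returnType: "[Order]", startOffset: 21000000, duration: 210000000 },
        ],
      },
    },
  },
};

// Detection: does the response leak tracing data, and which resolvers are
// slow enough (at or above thresholdMs) that the leak tells an outsider
// where the expensive paths are? Durations are converted from ns to ms.
function auditTracingExposure(response, thresholdMs = 100) {
  const tracing = response && response.extensions && response.extensions.tracing;
  if (!tracing) {
    return { exposed: false, resolverCount: 0, slowResolvers: [] };
  }
  const resolvers = (tracing.execution && tracing.execution.resolvers) || [];
  const slowResolvers = resolvers
    .filter((r) => r.duration / 1e6 >= thresholdMs)
    .map((r) => ({ path: r.path.join("."), ms: r.duration / 1e6 }));
  return {
    exposed: true,
    totalMs: tracing.duration / 1e6,
    resolverCount: resolvers.length,
    slowResolvers,
  };
}

// Mitigation: drop the tracing extension (and the extensions object itself
// if nothing else is left) so the client never sees resolver timings.
// Wire this into the server's response-formatting hook (the hook name is
// an assumption; it differs between GraphQL server implementations).
function stripTracing(response) {
  if (!response || !response.extensions) return response;
  const { tracing: _dropped, ...rest } = response.extensions;
  const out = { ...response };
  if (Object.keys(rest).length > 0) {
    out.extensions = rest;
  } else {
    delete out.extensions;
  }
  return out;
}

// Stand-alone run: report the exposure, then show the sanitized response.
console.log(JSON.stringify(auditTracingExposure(SAMPLE_RESPONSE), null, 2));
console.log(JSON.stringify(stripTracing(SAMPLE_RESPONSE)));
```

In practice `auditTracingExposure` is the check to run against your own staging and production endpoints as part of a release gate (any `exposed: true` result from a production host is a finding), while `stripTracing` is the belt-and-braces control for the case where someone re-enables tracing by mistake; the primary fix remains turning tracing off in the production server configuration.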