Help me to understand the following graphql workflow and security


so if I understand it right, every graphql request is a POST request to the route (in my dev case):


That is somehow cool but also scary, especially the fact that this route also exposes all information about my GraphQL solution/structure, e.g.:

the __schema request like this:

http://localhost:3000/graphql?query={ __schema { queryType { kind fields { name args { name description defaultValue } type { kind name description } } } }}

will expose all information about my schema. So everyone knows exactly how to design the requests. Isn't that somehow a security issue? I mean, in development this is very cool, but in production everyone can easily get my whole database… Can I turn this off? Or should I care about this?

I am still very much a beginner in web dev and maybe I am just missing something, so please point me in the right direction.
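The question above is about switching schema introspection off in production. As an added example (not code from the original post or from any GraphQL server library), the following stand-alone JavaScript shows the principle of such a guard: it lexes the incoming document into GraphQL Name tokens and rejects any document that names the introspection root fields `__schema` or `__type`, while still allowing `__typename`, which ordinary clients use. Working on tokens rather than raw text means comments, aliases, fragments and odd whitespace do not hide the field, and a string literal containing "__schema" is not a false positive. The `checkRequest`, `extractQuery` and `graphqlNames` helpers and the `env` parameter are this example's own inventions. In a real graphql-js deployment the preferred approach is the library's own `NoSchemaIntrospectionCustomRule` validation rule rather than a hand-written lexer.

```javascript
// Added example: a dependency-free guard that blocks GraphQL schema
// introspection in production. Helper names and the `env` switch are
// hypothetical; graphql-js itself offers NoSchemaIntrospectionCustomRule.

const INTROSPECTION_FIELDS = new Set(['__schema', '__type']); // __typename stays allowed

// Minimal GraphQL lexer that returns only Name tokens. Comments, strings,
// block strings, numbers and punctuators are skipped, so the check sees the
// actual field names regardless of formatting, aliases or fragments.
function graphqlNames(source) {
  const names = [];
  let i = 0;
  while (i < source.length) {
    const ch = source[i];
    if (ch === '#') {
      // comment runs to end of line
      while (i < source.length && source[i] !== '\n') i++;
    } else if (ch === '"') {
      if (source.startsWith('"""', i)) {
        // block string """..."""
        const end = source.indexOf('"""', i + 3);
        i = end === -1 ? source.length : end + 3;
      } else {
        // ordinary string with escapes
        i++;
        while (i < source.length && source[i] !== '"') {
          if (source[i] === '\\') i++; // skip the escaped character
          i++;
        }
        i++;
      }
    } else if (/[_A-Za-z]/.test(ch)) {
      // Name token: /[_A-Za-z][_0-9A-Za-z]*/
      let j = i;
      while (j < source.length && /[_0-9A-Za-z]/.test(source[j])) j++;
      names.push(source.slice(i, j));
      i = j;
    } else {
      i++; // punctuator, digit or whitespace
    }
  }
  return names;
}

// True if the document selects a schema-introspection root field.
function containsIntrospection(query) {
  return graphqlNames(query).some((n) => INTROSPECTION_FIELDS.has(n));
}

// GraphQL is served over GET (?query=...) as well as POST (JSON body), so the
// guard must read the query from either transport, not just the POST body.
function extractQuery(req) {
  if (req.method === 'GET') {
    const url = new URL(req.url, 'http://localhost');
    return url.searchParams.get('query') || '';
  }
  try {
    return JSON.parse(req.body || '{}').query || '';
  } catch {
    return '';
  }
}

// Introspection is useful in development, so it is only refused in production.
function checkRequest(req, env) {
  const query = extractQuery(req);
  if (env !== 'production') return { allowed: true, query };
  if (containsIntrospection(query)) {
    return { allowed: false, status: 400, error: 'GraphQL introspection is disabled' };
  }
  return { allowed: true, query };
}

// Constructed sample request: the introspection URL from the question above.
const sampleGet = {
  method: 'GET',
  url: 'http://localhost:3000/graphql?query={ __schema { queryType { kind fields { name } } } }',
};
console.log(checkRequest(sampleGet, 'production')); // refused in production
console.log(checkRequest(sampleGet, 'development')); // allowed in development
```

Note that this hides the schema from casual discovery only; anyone holding the client bundle can still read the queries it sends, so authorization on every resolver is what actually protects the data, and blocking introspection is a hardening step on top of that.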