
emran-alhaddad/statamic-graphql-protect
=======================================

Protect Statamic /graphql (rebing/graphql-laravel) with token + optional IP allow list.

v1.0.4 (released 3 months ago) · MIT · PHP ^8.2

[Source](https://github.com/emran-alhaddad/statamic-graphql-protect) · [Packagist](https://packagist.org/packages/emran-alhaddad/statamic-graphql-protect)

Statamic GraphQL Protect
========================

🔐 **Secure your Statamic GraphQL endpoint**
A lightweight, production-ready addon that protects Statamic’s `/graphql` endpoint using a **token-based middleware** with optional **IP allow-listing**.

Perfect for headless setups (Next.js, Nuxt, mobile apps) where public GraphQL access must be locked down **without changing existing queries**.

👉 **Statamic Marketplace:**


---

🚀 Features
----------

- 🔐 Token-protected `/graphql` endpoint
- 🛡️ Optional IP allow-list
- 🧩 Works with Statamic’s GraphQL layer (Rebing GraphQL under the hood)
- ⚙️ Fully configurable via `.env`
- 🗂️ Middleware-based (no route overrides)
- 🧼 No Statamic core hacks or forks

---

📦 Installation
--------------

Install via Composer:

```
composer require emran-alhaddad/statamic-graphql-protect
```

Publish the config file:

```
php artisan vendor:publish --tag=statamic-graphql-protect
```

---

⚙️ Configuration
----------------

Published config file:

```
config/statamic-graphql-protect.php
```

### Example `.env` configuration:

```
STATAMIC_GRAPHQL_PROTECT_ENABLED=true
STATAMIC_GRAPHQL_TOKEN=long-secret-token
STATAMIC_GRAPHQL_TOKEN_HEADER=X-Statamic-GraphQL-Token
STATAMIC_GRAPHQL_ALLOWED_IPS=127.0.0.1,1.2.3.4
```

Your frontend **must send** the header:

```
X-Statamic-GraphQL-Token:
```

---

⚠️ REQUIRED: Register Middleware in Statamic GraphQL Config
-----------------------------------------------------------

This addon does **not** automatically inject itself into every Statamic install.

You **must** manually register the middleware.

Open:

```
config/statamic/graphql.php
```

Add the middleware to the `middleware` array:

```
return [

    // ...

    'middleware' => [
        \Emran\StatamicGraphqlProtect\Http\Middleware\ProtectGraphql::class,
        // other GraphQL middleware (if any)
    ],

    // ...
];
```

> ❗ Without this step, `/graphql` will remain public.
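As an added illustration (not the addon's own `ProtectGraphql` class), the following Laravel middleware enforces the two checks this README describes: a constant-time token comparison that fails closed when no token is configured, and the optional IP allow-list. The config keys `statamic-graphql-protect.enabled`, `.token`, `.header` and `.allowed_ips` are assumed here to mirror the `.env` variables shown above.

```php
<?php
// Added example, not the addon's code. Assumes config keys mirroring the
// .env variables: enabled, token, header, allowed_ips.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class ExampleProtectGraphql
{
    public function handle(Request $request, Closure $next): Response
    {
        if (!config('statamic-graphql-protect.enabled', true)) {
            return $next($request);
        }

        $expected = (string) config('statamic-graphql-protect.token', '');
        $header   = (string) config('statamic-graphql-protect.header', 'X-Statamic-GraphQL-Token');
        $allowed  = array_values(array_filter(array_map(
            'trim',
            explode(',', (string) config('statamic-graphql-protect.allowed_ips', ''))
        )));

        // Fail closed: an empty configured token must never match an empty header.
        // hash_equals() compares in constant time, so the comparison does not leak
        // how many leading bytes of the token were correct. Trimming the header
        // value avoids the "token contains whitespace" mismatch noted below.
        $provided = trim((string) $request->header($header, ''));
        if ($expected === '' || !hash_equals($expected, $provided)) {
            return response()->json(['message' => 'Invalid or missing GraphQL token.'], 401);
        }

        // The allow-list is optional; when set, the client IP must appear in it.
        // $request->ip() honours Laravel's TrustProxies configuration, so set that
        // up when the app runs behind a load balancer or CDN, otherwise every
        // request appears to come from the proxy's address.
        if ($allowed !== [] && !in_array($request->ip(), $allowed, true)) {
            return response()->json(['message' => 'IP address not allowed.'], 403);
        }

        return $next($request);
    }
}
```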

---

🧪 Example Usage
---------------

### ❌ Request without token (blocked)

```
curl https://your-domain.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{ ping }"}'
```

Response:

```
{ "message": "Invalid or missing GraphQL token." }
```

---

### ✅ Request with token (allowed)

```
curl https://your-domain.com/graphql \
  -H "Content-Type: application/json" \
  -H "X-Statamic-GraphQL-Token: your-token" \
  -d '{"query":"{ ping }"}'
```

Response:

```
{ "data": { "ping": "pong" } }
```

---

🔧 Postman Setup
---------------

1. **Headers**

   | Key | Value |
   |-----|-------|
   | X-Statamic-GraphQL-Token | your-token |
   | Content-Type | application/json |

2. **Body → Raw → JSON**

```
{ "query": "{ ping }" }
```

3. Send ✅

---

⚠️ IMPORTANT: Disable Statamic GraphQL Cache
--------------------------------------------

Statamic’s GraphQL cache **does NOT respect request headers**.

If enabled:

- First unauthenticated request → 401 cached → everyone gets 401
- First authenticated request → 200 cached → endpoint effectively public

### ✅ Disable it:

Edit:

```
config/statamic/graphql.php
```

```
'cache' => false,
```

or:

```
'cache' => [
    'expiry' => 0,
],
```

Then clear caches:

```
php artisan config:clear
php artisan cache:clear
php artisan statamic:stache:clear
```

> ✅ Recommended: cache at **Next.js / CDN / Edge** level, not inside Statamic.

---

🔄 Compatibility
---------------

- ✅ Statamic v4 / v5
- ✅ PHP 8.1+
- ✅ Headless & traditional installs
- ✅ Next.js / Nuxt / Mobile apps

---

📁 Directory Structure
---------------------

```
statamic-graphql-protect/
├─ src/
│  ├─ Http/Middleware/ProtectGraphql.php
│  └─ ServiceProvider.php
├─ config/statamic-graphql-protect.php
├─ composer.json
├─ README.md
└─ LICENSE
```

---

🩺 Troubleshooting
-----------------

### “Invalid or missing GraphQL token”

- Header name mismatch
- Token contains whitespace
- Middleware not registered in `config/statamic/graphql.php`

### Works in cURL but not Postman

- Use **Body → Raw → JSON**
- Ensure headers are manually added

### Random 200 / 401 responses

- GraphQL cache still enabled
- Disable it and clear caches

---

👤 Author
--------

**Emran Alhaddad**

GitHub:

Statamic Addons:

---

📄 License
---------

MIT License. See the `LICENSE` file for full details.

