# Hasura Security Scanner — anon-role GraphQL leaks (`renzomacar/hasura-security-scanner`) Actor

Probes a public Hasura GraphQL endpoint for tables readable by the anon role. Works for self-hosted, Hasura Cloud, and frameworks on top. Counts only.

- **URL**: https://apify.com/renzomacar/hasura-security-scanner.md
- **Developed by:** [Renzo Madueno](https://apify.com/renzomacar) (community)
- **Categories:** Developer tools
- **Stats:** 2 total users, 1 monthly user, 100.0% runs succeeded
- **User rating**: No ratings yet

## Pricing

Pay per usage

This Actor is paid per platform usage. The Actor is free to use, and you only pay for the Apify platform usage, which gets cheaper the higher subscription plan you have.

Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-usage

## What's an Apify Actor?

Actors are software tools running on the Apify platform, for all kinds of web data extraction and automation use cases.
In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours,
and optionally produces a well-defined JSON output, datasets with results, or files in key-value store.
In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server.
Actors are written with capital "A".

## How to integrate an Actor?

If asked about integration, you help developers integrate Actors into their projects.
You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready.
The best way to integrate Actors is as follows.

In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md):

```bash
npm install apify-client
```

In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md):

```bash
pip install apify-client
```

In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md):

```bash
# MacOS / Linux
curl -fsSL https://apify.com/install-cli.sh | bash
# Windows
irm https://apify.com/install-cli.ps1 | iex
```

In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md).

If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md).

For usage examples, see the [API](#api) section below.

For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt).


# README

## Hasura Security Scanner — Find anon-role table leaks

> **Hasura's permission UI is per-role per-table — and the `anon` role's row checks ship with `with no check` selected in every copy-pasted tutorial.** That single dropdown leaks every table the anon role has SELECT on. **This actor finds those leaks in 30 seconds.**

Probes a public Hasura GraphQL endpoint (self-hosted Hasura, Hasura Cloud, or any framework on top) for **tables readable by the `anon` role**. Sends `_aggregate { count }` + sample queries per table. Counts only — never row data.

> 💸 **Two ways to get this fixed:**
> - **$29** quick scan + 1-page report in 24h ([Stripe](https://buy.stripe.com/00w4gz9TWef0dWV4r0cAo0u)) — for when you want a sanity check before committing
> - **$99** full turnkey audit + anon-role rewrites + verification, 48h, money-back ([Stripe](https://buy.stripe.com/00w9AT9TWdaW7yx9KkcAo01))

> ⭐️ **Solo dev competing with bigger Apify publishers.** A [30-second review](https://apify.com/renzomacar/hasura-security-scanner#reviews) is the single thing that lifts ranking. Thank you.

### Why this exists

Hasura is the GraphQL standard for many teams — but its permission model is easy to get wrong. The `anon` role is the role used when no auth token is sent, and Hasura applies it across **every** table query unless you explicitly deny it. Common ways anon SELECT leaks happen:

1. **Copy-pasted permissions** from a tutorial that says "let anon read posts" → bleeds into adjacent tables (users, sessions)
2. **Row aggregation enabled** on the anon role → `_aggregate { count }` leaks row totals even when individual reads are blocked
3. **Hasura Cloud free-tier templates** ship with anon SELECT enabled on demo tables so you can test
4. **Permission migrations** sometimes don't apply cleanly and the anon role inherits prior permissive state

This scanner probes ~32 common table names (users, orders, sessions, posts, etc.) plus any hints you pass. It runs two queries per table: `_aggregate { count }` (proves exposure) + `(limit: 1) { __typename }` (sample row).

### How to run

Either:
1. **Leave inputs empty** + click **Run** for a DEMO sample report
2. **Provide your `graphqlUrl`** to scan your actual endpoint

```json
{
  "graphqlUrl": "https://your-app.hasura.app/v1/graphql",
  "tableHints": ["custom_table", "schema_v2"],
  "outputFormat": "both"
}
```

### What you get

- **HTML report** in the run's KV store: severity-coded findings, copy-pasteable curl reproducers, exact Hasura Console steps to fix
- **Dataset rows**: one structured row per finding

### Sample finding

```
[CRITICAL] sessions — readable by anon role
Total records: 18,943
Sample columns: id, user_id, token, expires_at, user_agent, ip_address, created_at
Sensitive columns detected: token, ip_address

Reproducer:
curl -X POST 'https://your-app.hasura.app/v1/graphql' \
  -H 'content-type: application/json' \
  -d '{"query":"{ sessions_aggregate { aggregate { count } } sessions(limit: 1) { id user_id } }"}'
```

### How to fix (Hasura Console)

1. Open **Hasura Console → Data**
2. Click the leaky table
3. Click **Permissions** tab
4. Click the row for the `anon` role
5. For SELECT: set a row check anon cannot satisfy (e.g., `user_id _eq X-Hasura-User-Id` — anon doesn't carry this), or delete the permission entirely
6. Click **Save** then re-run this scanner
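The same two leak patterns (an anon SELECT with no row check, and aggregations enabled for anon) can be checked offline against a metadata export before and after the Console fix. This is an added example, not the Actor's code; it assumes Hasura v2 metadata in the `version: 3` export layout (`sources[].tables[]`), a role literally named `anon`, and a hypothetical `user_id` owner column for the rewritten row check.

```python
"""Audit an exported Hasura metadata file for the two anon-role patterns this
page describes: a SELECT permission with no row check (filter {}) and
aggregations enabled for anon. Added example; assumes Hasura v2 metadata in
the version-3 export layout (sources[].tables[])."""
import json

ANON_ROLE = "anon"  # assumption: the role name the page discusses
SENSITIVE_COLUMNS = {"token", "password", "ip_address", "email", "secret"}

# Constructed sample metadata: `sessions` is wide open with aggregates on,
# `posts` has an unrestricted read but no aggregates, `orders` already carries
# the row check the page recommends, `users` has no anon permission at all.
SAMPLE_METADATA = json.loads("""
{"version": 3, "sources": [{"name": "default", "kind": "postgres", "tables": [
  {"table": {"schema": "public", "name": "sessions"},
   "select_permissions": [{"role": "anon", "permission": {
     "columns": ["id", "user_id", "token", "ip_address"],
     "filter": {}, "allow_aggregations": true}}]},
  {"table": {"schema": "public", "name": "posts"},
   "select_permissions": [{"role": "anon", "permission": {
     "columns": ["id", "title"], "filter": {}}}]},
  {"table": {"schema": "public", "name": "orders"},
   "select_permissions": [{"role": "anon", "permission": {
     "columns": "*", "filter": {"user_id": {"_eq": "X-Hasura-User-Id"}}}}]},
  {"table": {"schema": "public", "name": "users"}}
]}]}
""")


def audit_anon_select(metadata, role=ANON_ROLE):
    """One finding per table where `role` holds a SELECT permission.

    CRITICAL: no row check (filter {} or absent): every row is readable.
    HIGH:     row check present but allow_aggregations is on, so
              `_aggregate { count }` still leaks row totals.
    INFO:     row check present, aggregations off.
    """
    findings = []
    for source in metadata.get("sources", []):
        for table in source.get("tables", []):
            for perm in table.get("select_permissions", []):
                if perm.get("role") != role:
                    continue
                p = perm.get("permission", {})
                unrestricted = not p.get("filter")  # {} or missing
                aggregates = bool(p.get("allow_aggregations", False))
                if unrestricted:
                    severity = "CRITICAL"
                elif aggregates:
                    severity = "HIGH"
                else:
                    severity = "INFO"
                cols = p.get("columns", [])
                # Hasura accepts "*" for all columns; only a list can be inspected
                named = cols if isinstance(cols, list) else []
                findings.append({
                    "table": table["table"]["name"],
                    "severity": severity,
                    "unrestricted": unrestricted,
                    "allow_aggregations": aggregates,
                    "sensitive_columns": sorted(c for c in named if c in SENSITIVE_COLUMNS),
                })
    return findings


def harden_permission(permission, owner_column="user_id"):
    """Rewrite a select permission the way step 5 above describes: a row
    check keyed on a session variable anon never carries, aggregations off.
    `owner_column` is a hypothetical column name for this example."""
    fixed = dict(permission)
    fixed["filter"] = {owner_column: {"_eq": "X-Hasura-User-Id"}}
    fixed["allow_aggregations"] = False
    return fixed


if __name__ == "__main__":
    for f in audit_anon_select(SAMPLE_METADATA):
        print(f"[{f['severity']}] {f['table']} sensitive={f['sensitive_columns']}")
```

Run it against `hasura metadata export` output to confirm the Console change landed; a table that still shows CRITICAL or HIGH after the fix is exactly what the scanner will flag on re-run.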

### Ethical use

- **Only scan endpoints you own** or have explicit permission to scan
- Probe queries use `_aggregate` + `limit: 1` to confirm exposure without exfiltrating contents

### Related

- **$29 quick scan + report**: [buy.stripe.com/00w4gz9TWef0dWV4r0cAo0u](https://buy.stripe.com/00w4gz9TWef0dWV4r0cAo0u)
- **$99 turnkey full audit**: [buy.stripe.com/00w9AT9TWdaW7yx9KkcAo01](https://buy.stripe.com/00w9AT9TWdaW7yx9KkcAo01)
- **Weekly auto-scans ($29/mo)**: [rls-monitor.vercel.app](https://rls-monitor.vercel.app/)
- **Sister scanners**: [Supabase](https://apify.com/renzomacar/supabase-rls-scanner), [Firebase](https://apify.com/renzomacar/firebase-security-auditor), [Strapi](https://apify.com/renzomacar/strapi-security-scanner), [Directus](https://apify.com/renzomacar/directus-security-scanner), [Payload CMS](https://apify.com/renzomacar/payload-security-scanner), [Convex](https://apify.com/renzomacar/convex-security-scanner), [PocketBase](https://apify.com/renzomacar/pocketbase-security-scanner), [Appwrite](https://apify.com/renzomacar/appwrite-security-auditor), [Nhost](https://apify.com/renzomacar/nhost-security-scanner) (Hasura on Nhost).

Built by [Renzo](https://github.com/Perufitlife).

# Actor input Schema

## `graphqlUrl` (type: `string`):

Full URL to your /v1/graphql endpoint. Examples: https://your-app.hasura.app/v1/graphql, https://hasura.your-domain.com/v1/graphql. Leave empty + click Run for sample report.

## `tableHints` (type: `array`):

Beyond ~30 common table names, list any custom GraphQL type names from your Hasura schema.

## `outputFormat` (type: `string`):

JSON for programmatic use; HTML report saved to KV store under report.html.

## Actor input object example

```json
{
  "tableHints": [],
  "outputFormat": "both"
}
```

# API

You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup.

## JavaScript example

```javascript
import { ApifyClient } from 'apify-client';

// Initialize the ApifyClient with your Apify API token
// Replace the '<YOUR_API_TOKEN>' with your token
const client = new ApifyClient({
    token: '<YOUR_API_TOKEN>',
});

// Prepare Actor input
const input = {};

// Run the Actor and wait for it to finish
const run = await client.actor("renzomacar/hasura-security-scanner").call(input);

// Fetch and print Actor results from the run's dataset (if any)
console.log('Results from dataset');
console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`);
const { items } = await client.dataset(run.defaultDatasetId).listItems();
items.forEach((item) => {
    console.dir(item);
});

// 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs

```

## Python example

```python
from apify_client import ApifyClient

# Initialize the ApifyClient with your Apify API token
# Replace '<YOUR_API_TOKEN>' with your token.
client = ApifyClient("<YOUR_API_TOKEN>")

# Prepare the Actor input
run_input = {}

# Run the Actor and wait for it to finish
run = client.actor("renzomacar/hasura-security-scanner").call(run_input=run_input)

# Fetch and print Actor results from the run's dataset (if there are any)
print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"])
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)

# 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start

```

## CLI example

```bash
echo '{}' |
apify call renzomacar/hasura-security-scanner --silent --output-dataset

```

## MCP server setup

```json
{
    "mcpServers": {
        "apify": {
            "command": "npx",
            "args": [
                "mcp-remote",
                "https://mcp.apify.com/?tools=renzomacar/hasura-security-scanner",
                "--header",
                "Authorization: Bearer <YOUR_API_TOKEN>"
            ]
        }
    }
}

```

## OpenAPI specification

```json
{
    "openapi": "3.0.1",
    "info": {
        "title": "Hasura Security Scanner — anon-role GraphQL leaks",
        "description": "Probes a public Hasura GraphQL endpoint for tables readable by the anon role. Works for self-hosted, Hasura Cloud, and frameworks on top. Counts only.",
        "version": "0.1",
        "x-build-id": "QgGKCfwbKPiGpiWO2"
    },
    "servers": [
        {
            "url": "https://api.apify.com/v2"
        }
    ],
    "paths": {
        "/acts/renzomacar~hasura-security-scanner/run-sync-get-dataset-items": {
            "post": {
                "operationId": "run-sync-get-dataset-items-renzomacar-hasura-security-scanner",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        },
        "/acts/renzomacar~hasura-security-scanner/runs": {
            "post": {
                "operationId": "runs-sync-renzomacar-hasura-security-scanner",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor and returns information about the initiated run in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/runsResponseSchema"
                                }
                            }
                        }
                    }
                }
            }
        },
        "/acts/renzomacar~hasura-security-scanner/run-sync": {
            "post": {
                "operationId": "run-sync-renzomacar-hasura-security-scanner",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        }
    },
    "components": {
        "schemas": {
            "inputSchema": {
                "type": "object",
                "properties": {
                    "graphqlUrl": {
                        "title": "Hasura GraphQL endpoint URL (leave empty for DEMO)",
                        "type": "string",
                        "description": "Full URL to your /v1/graphql endpoint. Examples: https://your-app.hasura.app/v1/graphql, https://hasura.your-domain.com/v1/graphql. Leave empty + click Run for sample report."
                    },
                    "tableHints": {
                        "title": "Extra GraphQL types to probe (optional)",
                        "type": "array",
                        "description": "Beyond ~30 common table names, list any custom GraphQL type names from your Hasura schema.",
                        "default": [],
                        "items": {
                            "type": "string"
                        }
                    },
                    "outputFormat": {
                        "title": "Output format",
                        "enum": [
                            "json",
                            "html-report",
                            "both"
                        ],
                        "type": "string",
                        "description": "JSON for programmatic use; HTML report saved to KV store under report.html.",
                        "default": "both"
                    }
                }
            },
            "runsResponseSchema": {
                "type": "object",
                "properties": {
                    "data": {
                        "type": "object",
                        "properties": {
                            "id": {
                                "type": "string"
                            },
                            "actId": {
                                "type": "string"
                            },
                            "userId": {
                                "type": "string"
                            },
                            "startedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "finishedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "status": {
                                "type": "string",
                                "example": "READY"
                            },
                            "meta": {
                                "type": "object",
                                "properties": {
                                    "origin": {
                                        "type": "string",
                                        "example": "API"
                                    },
                                    "userAgent": {
                                        "type": "string"
                                    }
                                }
                            },
                            "stats": {
                                "type": "object",
                                "properties": {
                                    "inputBodyLen": {
                                        "type": "integer",
                                        "example": 2000
                                    },
                                    "rebootCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "restartCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "resurrectCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "computeUnits": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "options": {
                                "type": "object",
                                "properties": {
                                    "build": {
                                        "type": "string",
                                        "example": "latest"
                                    },
                                    "timeoutSecs": {
                                        "type": "integer",
                                        "example": 300
                                    },
                                    "memoryMbytes": {
                                        "type": "integer",
                                        "example": 1024
                                    },
                                    "diskMbytes": {
                                        "type": "integer",
                                        "example": 2048
                                    }
                                }
                            },
                            "buildId": {
                                "type": "string"
                            },
                            "defaultKeyValueStoreId": {
                                "type": "string"
                            },
                            "defaultDatasetId": {
                                "type": "string"
                            },
                            "defaultRequestQueueId": {
                                "type": "string"
                            },
                            "buildNumber": {
                                "type": "string",
                                "example": "1.0.0"
                            },
                            "containerUrl": {
                                "type": "string"
                            },
                            "usage": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "integer",
                                        "example": 1
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "usageTotalUsd": {
                                "type": "number",
                                "example": 0.00005
                            },
                            "usageUsd": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "number",
                                        "example": 0.00005
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
```
