diff --git a/packages/core/strapi/lib/middlewares/body.js b/packages/core/strapi/lib/middlewares/body.js
index 6af0390515..9cc36df357 100644
--- a/packages/core/strapi/lib/middlewares/body.js
+++ b/packages/core/strapi/lib/middlewares/body.js
@@ -27,12 +27,15 @@ function getFiles(ctx) {
 module.exports = (config, { strapi }) => {
   const bodyConfig = defaultsDeep(defaults, config);
 
-  const { config: gqlConfig } = strapi.plugin('graphql');
-  const gqlEndpoint = gqlConfig('endpoint');
+  let gqlEndpoint;
+  if (strapi.plugin('graphql')) {
+    const { config: gqlConfig } = strapi.plugin('graphql');
+    gqlEndpoint = gqlConfig('endpoint');
+  }
 
   return async (ctx, next) => {
     // TODO: find a better way later
-    if (ctx.url === gqlEndpoint) {
+    if (gqlEndpoint && ctx.url === gqlEndpoint) {
       await next();
     } else {
       try {
diff --git a/packages/core/strapi/lib/middlewares/security.js b/packages/core/strapi/lib/middlewares/security.js
index 88dc7dedf8..6527d59276 100644
--- a/packages/core/strapi/lib/middlewares/security.js
+++ b/packages/core/strapi/lib/middlewares/security.js
@@ -35,13 +35,14 @@ module.exports =
   (config, { strapi }) =>
   (ctx, next) => {
     let helmetConfig = defaultsDeep(defaults, config);
-    const { config: gqlConfig } = strapi.plugin('graphql');
-    const gqlEndpoint = gqlConfig('endpoint');
+    const specialPaths = ['/documentation'];
 
-    if (
-      ctx.method === 'GET' &&
-      [gqlEndpoint, '/documentation'].some((str) => ctx.path.startsWith(str))
-    ) {
+    if (strapi.plugin('graphql')) {
+      const { config: gqlConfig } = strapi.plugin('graphql');
+      specialPaths.push(gqlConfig('endpoint'));
+    }
+
+    if (ctx.method === 'GET' && specialPaths.some((str) => ctx.path.startsWith(str))) {
       helmetConfig = merge(helmetConfig, {
         contentSecurityPolicy: {
           directives: {