From 9ad6931823c383cb971fa519178f45884f5bc6df Mon Sep 17 00:00:00 2001
From: Alexandre Bodin
Date: Wed, 24 Aug 2022 15:41:37 +0200
Subject: [PATCH 1/2] Loading a plugin should always verify its presence
---
 packages/core/strapi/lib/middlewares/body.js | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/packages/core/strapi/lib/middlewares/body.js b/packages/core/strapi/lib/middlewares/body.js
index 6af0390515..9cc36df357 100644
--- a/packages/core/strapi/lib/middlewares/body.js
+++ b/packages/core/strapi/lib/middlewares/body.js
@@ -27,12 +27,15 @@ function getFiles(ctx) {
 module.exports = (config, { strapi }) => {
 const bodyConfig = defaultsDeep(defaults, config);
- const { config: gqlConfig } = strapi.plugin('graphql');
- const gqlEndpoint = gqlConfig('endpoint');
+ let gqlEndpoint;
+ if (strapi.plugin('graphql')) {
+ const { config: gqlConfig } = strapi.plugin('graphql');
+ gqlEndpoint = gqlConfig('endpoint');
+ }
 return async (ctx, next) => {
 // TODO: find a better way later
- if (ctx.url === gqlEndpoint) {
+ if (gqlEndpoint && ctx.url === gqlEndpoint) {
 await next();
 } else {
 try {
From fd8e4c6bfa2fd687a3c62f8428e00f3b320c32c2 Mon Sep 17 00:00:00 2001
From: Alexandre Bodin
Date: Wed, 24 Aug 2022 15:47:43 +0200
Subject: [PATCH 2/2] Add check in security middleware
---
 packages/core/strapi/lib/middlewares/security.js | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/packages/core/strapi/lib/middlewares/security.js b/packages/core/strapi/lib/middlewares/security.js
index 88dc7dedf8..6527d59276 100644
--- a/packages/core/strapi/lib/middlewares/security.js
+++ b/packages/core/strapi/lib/middlewares/security.js
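Review bot: In body.js, the guard `if (gqlEndpoint && ctx.url === gqlEndpoint)` compares the whole request URL exactly, while security.js in patch 2/2 recognises the same endpoint by prefix on `ctx.path`, so the two middlewares disagree about which requests count as GraphQL. If `ctx` is a Koa context, as the `(ctx, next)` signature suggests, `ctx.url` includes the query string, so a request to the endpoint with a query string falls into the `else` branch, whose body lies outside the hunk. The TODO does not say which behaviour is intended; I would replace it with `// exact match on ctx.url (query string included): only the bare GraphQL endpoint skips this middleware's body handling`, or compare `ctx.path` if the skip should ignore the query string. Separately, `strapi.plugin('graphql')` is looked up twice; a single `const gqlPlugin = strapi.plugin('graphql');` would serve both the check and the config read.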
@@ -35,13 +35,14 @@ module.exports = (config, { strapi }) => (ctx, next) => {
 let helmetConfig = defaultsDeep(defaults, config);
- const { config: gqlConfig } = strapi.plugin('graphql');
- const gqlEndpoint = gqlConfig('endpoint');
+ const specialPaths = ['/documentation'];
- if (
- ctx.method === 'GET' &&
- [gqlEndpoint, '/documentation'].some((str) => ctx.path.startsWith(str))
- ) {
+ if (strapi.plugin('graphql')) {
+ const { config: gqlConfig } = strapi.plugin('graphql');
+ specialPaths.push(gqlConfig('endpoint'));
+ }
+
+ if (ctx.method === 'GET' && specialPaths.some((str) => ctx.path.startsWith(str))) {
 helmetConfig = merge(helmetConfig, {
 contentSecurityPolicy: {
 directives: {
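Review bot: `specialPaths.push(gqlConfig('endpoint'))` adds the configured endpoint to the prefix list without checking that it is a non-empty string. `ctx.path.startsWith('')` is true for every path, so an empty endpoint (or `'/'`) would apply the merged `contentSecurityPolicy` override to every GET request rather than only the GraphQL and documentation pages. The directives being merged lie outside the hunk, so how far the policy is relaxed is not visible here. I would guard the push, e.g. `const endpoint = gqlConfig('endpoint'); if (typeof endpoint === 'string' && endpoint.length > 1) specialPaths.push(endpoint);`. The plain prefix test also matches sibling paths such as `/documentation-old`; `ctx.path === p || ctx.path.startsWith(p + '/')` would keep the exception on the intended routes.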