Supporting resource for my talk at GraphQL Summit, "Understanding GraphQL Security: Protecting Your Server from Abuse" Resources

GraphQL server features to limit or disable in production

• Disable Introspection - Not only disable GraphiQL but also prevent introspection.

• Block field suggestions - Prevent returning field suggestions and leaking your schema to unauthorized actors.

• Character Limit - Limit the number of characters in a GraphQL query document.

• Cost limit - Limit the complexity of a GraphQL document.

• Max Aliases - Limit the number of aliases in a GraphQL document.

• Max Depth - Limit the depth of a GraphQL document.

• Max Directives - Limit the number of directives in a GraphQL document.

Learning Resource

• GraphQL Cheat Sheet - Learning resource for possible vulnerabilities attack vectors

• Black Hat GraphQL

  

Language Specific Solutions

NodeJS

• GraphQL Armor - Add a security layer to Apollo Server, GraphQL Yoga, Envelop

Elixir

• Safety Limits - Absinthe configurations to help enforce cost and token limits

• Vigil - Disallows introspection of a GraphQL schema and sanitizes error messages to be completely generic and not reveal information about your schema.

Ruby GraphQL

• How to set max_depth and max_complexity to apply limits to incoming queries.

• Disable introspection