# "Understanding GraphQL Security: Protecting Your Server from Abuse" Resources

%[https://www.youtube.com/watch?v=2peiqLuKKgs] 

Supporting resource for my talk at GraphQL Summit, **"Understanding GraphQL Security: Protecting Your Server from Abuse" Resources**

%[https://docs.google.com/presentation/d/1n57LAAscp3KpWydJ8SkfRj4Bd4Vi8oxQDoetDJ8dD_Y/edit] 

### GraphQL server features to limit or disable in production

* **Disable Introspection** - Not only disable GraphiQL but also prevent introspection.
    
* **Block field suggestions** - Prevent returning field suggestions and leaking your schema to unauthorized actors.
    
* **Character Limit** - Limit the number of characters in a GraphQL query document.
    
* **Cost limit** - Limit the complexity of a GraphQL document.
    
* **Max Aliases** - Limit the number of aliases in a GraphQL document.
    
* **Max Depth** - Limit the depth of a GraphQL document.
    
* **Max Directives** - Limit the number of directives in a GraphQL document.
    

## Learning Resource

* [GraphQL Cheat Sheet - Learning resource for possible vulnerabilities attack vectors](https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html)
    
* [Black Hat GraphQL](https://nostarch.com/black-hat-graphql)
    
    [![](https://cdn.hashnode.com/res/hashnode/image/upload/v1696476208815/2e2cdc2f-3696-4762-b47b-a9c7fa8fede0.png align="left")](https://nostarch.com/black-hat-graphql)
    

## Language Specific Solutions

### NodeJS

* [GraphQL Armor - Add a security layer to Apollo Server, GraphQL Yoga, Envelop](https://escape.tech/graphql-armor/docs/getting-started)
    

### Elixir

* [Safety Limits - Absinthe configurations to help enforce cost and token limits](https://hexdocs.pm/absinthe/complexity-analysis.html)
    
* [Vigil - Disallows introspection of a GraphQL schema and sanitizes error messages to be completely generic and not reveal information about your schema.](https://hexdocs.pm/vigil/Vigil.html)
    
* [AbsintheSecurity - provides utilities to improve the security posture of APIs built with Absinthe GraphQL.](https://hexdocs.pm/absinthe_security/readme.html)
    

### Ruby GraphQL

* [How to set max\_depth and max\_complexity to apply limits to incoming queries.](https://graphql-ruby.org/schema/definition.html#default-limits)
    
* [Disable introspection](https://graphql-ruby.org/schema/introspection.html#disabling-introspection)
