Great article from Max Stoiber, CTO of Spectrum, on how to secure your GraphQL API from malicious queries.
Topics include:
- limit the incoming query size – a first, naive approach
- a whitelist of approved queries – using persistgraphql – which has two major tradeoffs
- depth limiting (always recommended) – using graphql-depth-limit
- amount limiting (always recommended) – restrict how many objects a field may fetch by typing its pagination arguments with a custom scalar created with graphql-input-number that caps the maximum value (e.g. 100)
- query cost analysis (if you want to be extra safe) – using graphql-validation-complexity, or graphql-cost-analysis with its @cost directive. Determine how complex individual resolvers are from the performance tracking data exposed by Apollo Engine.
The GitHub GraphQL API also uses query cost analysis.
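The three checks the list recommends (depth limiting, amount limiting and cost analysis) can be seen working together in this added example, which is not code from the article or from the libraries it names. It assumes a hand-written parser for a small GraphQL subset (named fields, integer arguments and nested selection sets only; no fragments, variables or aliases), a hypothetical COST_DIRECTIVES table standing in for @cost annotations on the schema, and limits of depth 5, amount 100 and cost 1000; the sample queries are constructed.

```javascript
// Added example, not from the article: depth limit, amount limit and
// multiplier-based cost analysis over a tiny GraphQL query subset.
// Production code would use graphql-depth-limit, a graphql-input-number
// scalar and graphql-cost-analysis as validation rules; this re-implements
// the ideas so the arithmetic behind each rejection is visible.

// Tokenize into braces, parens, colons, identifiers and integers;
// whitespace and commas are skipped (anything else is unsupported).
function tokenize(src) {
  return src.match(/[{}():]|[A-Za-z_][A-Za-z0-9_]*|-?\d+/g) || [];
}

// Parse "{ field(arg: 1) { ... } ... }" into [{name, args, selections}].
function parseSelectionSet(tokens, pos) {
  if (tokens[pos] !== '{') throw new Error(`expected '{' at token ${pos}`);
  pos++;
  const fields = [];
  while (tokens[pos] !== '}') {
    if (pos >= tokens.length) throw new Error('unterminated selection set');
    const name = tokens[pos++];
    if (!/^[A-Za-z_]/.test(name)) throw new Error(`unexpected token ${name}`);
    const args = {};
    if (tokens[pos] === '(') {
      pos++;
      while (tokens[pos] !== ')') {
        if (pos >= tokens.length) throw new Error('unterminated argument list');
        const key = tokens[pos++];
        if (tokens[pos++] !== ':') throw new Error(`expected ':' after ${key}`);
        args[key] = Number(tokens[pos++]);
        if (Number.isNaN(args[key])) throw new Error(`integer argument expected for ${key}`);
      }
      pos++; // consume ')'
    }
    let selections = [];
    if (tokens[pos] === '{') [selections, pos] = parseSelectionSet(tokens, pos);
    fields.push({ name, args, selections });
  }
  return [fields, pos + 1]; // skip the closing '}'
}

function parseQuery(src) {
  const tokens = tokenize(src);
  let pos = 0;
  if (tokens[pos] === 'query') pos++; // optional anonymous operation keyword
  const [selections, end] = parseSelectionSet(tokens, pos);
  if (end !== tokens.length) throw new Error('trailing tokens after query');
  return selections;
}

// Depth limiting: number of nested selection levels, "{ a { b } }" is 2.
function queryDepth(selections) {
  return selections.reduce((max, f) => Math.max(max, 1 + queryDepth(f.selections)), 0);
}

// Amount limiting: every first/last argument must stay within maxAmount,
// which is what a capped graphql-input-number scalar enforces at parse time.
function amountViolations(selections, maxAmount, path = []) {
  const out = [];
  for (const f of selections) {
    const here = [...path, f.name];
    for (const [k, v] of Object.entries(f.args)) {
      if ((k === 'first' || k === 'last') && v > maxAmount) {
        out.push(`${here.join('.')}: ${k}=${v} exceeds ${maxAmount}`);
      }
    }
    out.push(...amountViolations(f.selections, maxAmount, here));
  }
  return out;
}

// Hypothetical per-field annotations, playing the role of
// @cost(complexity: N, multipliers: [...]) in the schema. Fields that are
// absent cost 1 and carry no multiplier.
const COST_DIRECTIVES = {
  posts: { complexity: 1, multipliers: ['first'] },
  comments: { complexity: 1, multipliers: ['first'] },
  search: { complexity: 10, multipliers: ['first'] },
};

// Cost analysis: a field costs complexity * product of its multiplier
// arguments, and that product is inherited by everything selected under it,
// so nested lists multiply rather than add.
function queryCost(selections, inherited = 1) {
  let total = 0;
  for (const f of selections) {
    const d = COST_DIRECTIVES[f.name] || { complexity: 1, multipliers: [] };
    let m = inherited;
    for (const arg of d.multipliers) {
      if (typeof f.args[arg] === 'number') m *= Math.max(f.args[arg], 0);
    }
    total += m * d.complexity + queryCost(f.selections, m);
  }
  return total;
}

// Run all three checks and report every reason the query would be refused.
function validateQuery(src, limits = { maxDepth: 5, maxAmount: 100, maxCost: 1000 }) {
  const selections = parseQuery(src);
  const depth = queryDepth(selections);
  const cost = queryCost(selections);
  const errors = [];
  if (depth > limits.maxDepth) errors.push(`depth ${depth} exceeds ${limits.maxDepth}`);
  errors.push(...amountViolations(selections, limits.maxAmount));
  if (cost > limits.maxCost) errors.push(`cost ${cost} exceeds ${limits.maxCost}`);
  return { ok: errors.length === 0, depth, cost, errors };
}

// Constructed sample queries: one benign, one too deep, one cheap-looking
// but multiplicatively expensive, one asking for too many items at once.
const SAMPLES = {
  benign: '{ viewer { id posts(first: 10) { title } } }',
  deep: '{ user { friends { friends { friends { friends { name } } } } } }',
  expensive: '{ viewer { posts(first: 100) { comments(first: 50) { body } } } }',
  greedy: '{ posts(first: 5000) { title } }',
};

for (const [label, q] of Object.entries(SAMPLES)) {
  console.log(label, JSON.stringify(validateQuery(q)));
}
```

The "expensive" query stays within both the depth and the amount limits yet costs 100 * 50 objects at the comments level alone, which is exactly the case where cost analysis catches what the two simpler rules miss; the multiplier values to put in such a table are what the Apollo Engine resolver timings mentioned above help you calibrate.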