GraphQL Security

GraphQL security practices for introspection, authorization, and injection prevention

Details

Language / Topic: GraphQL
Category: Security

Rules

balanced
- Disable introspection (`introspection: false`) in production — exposing the full schema aids attackers in crafting targeted queries.
- Implement field-level authorization inside resolvers or with a directive like `@auth(requires: ADMIN)` — never rely solely on REST gateway auth.
- Enforce query depth limits (`graphql-depth-limit`) and complexity budgets to prevent denial-of-service via deeply nested or exponentially expensive queries.
- Validate and sanitize all mutation input arguments — even though GraphQL provides type safety, string scalars still accept arbitrary content.
- Use persisted queries (APQ) or operation allow-listing in production to reject ad-hoc queries from untrusted clients.
- Apply rate limiting per client at the operation level using `graphql-rate-limit` — track by IP and authenticated user ID.
- Never return internal entity IDs directly as `ID` scalars — use opaque global IDs (`base64(Type:dbId)`) to prevent enumeration attacks.