Please Rate Limit Your GraphQL API

Prevent unwanted outages caused by malicious queries

Mattias te Wierik
The Startup

GraphQL is one of those technologies that helps developers create more efficient APIs. With the ability to query exactly the information that is needed, under-fetching and over-fetching should be problems of the past.

As a GraphQL API grows more complex and circular references between types are introduced, new risks appear that can end in a denial of service.

The Problem

With GraphQL it is possible to define extensive object types that can be queried. Inside these object types, fields can reference other object types, including ones that reference back.

When a query for a specific object is received, GraphQL uses resolvers to produce the data for each object type. Resolvers retrieve this data from a database or from other sources. For nested objects, each with its own resolver, multiple resolvers are invoked to fulfill a single request, and the cost of a request is driven by the amount of data those resolvers have to retrieve.

Let’s take the following GraphQL schema into account:

type Query {
  album(id: ID!): Album
}

type Album {
  photos(first: Int)…
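One way to make the cost of such nested queries explicit before any resolver runs, and to budget that cost per client, as an added example that is not code from the article: a cost estimator over a query's selection tree plus a per-client point budget. It assumes a schema shape the page only shows in part (Query.album, Album.photos(first) returning a list of Photo, and Photo.album closing the circle) and a hypothetical default page size of 20.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed schema shape (the page shows it only in part): Query.album -> Album,
# Album.photos(first) -> [Photo], Photo.album -> Album (a circular reference).
# Page size assumed for list fields when `first` is omitted (hypothetical default).
LIST_FIELDS = {"photos": 20}

@dataclass
class Field:
    """One field of a query's selection set (a stand-in for a parsed AST node)."""
    name: str
    first: Optional[int] = None
    selections: List["Field"] = field(default_factory=list)

def query_cost(selections: List[Field]) -> int:
    """Charge 1 per field; a list field multiplies its subtree by its page size,
    so lists nested in lists (photos -> album -> photos) multiply the cost."""
    total = 0
    for f in selections:
        subtree = 1 + query_cost(f.selections)
        if f.name in LIST_FIELDS:
            subtree *= f.first if f.first is not None else LIST_FIELDS[f.name]
        total += subtree
    return total

class CostBudget:
    """Per-client point budget for one window; refuse queries that overspend."""
    def __init__(self, points_per_window: int, max_query_cost: int) -> None:
        self.points_per_window = points_per_window
        self.max_query_cost = max_query_cost
        self.spent = {}  # client id -> points used in the current window

    def admit(self, client: str, selections: List[Field]):
        """Return (allowed, cost), deciding before any resolver is invoked."""
        cost = query_cost(selections)
        used = self.spent.get(client, 0)
        if cost > self.max_query_cost or used + cost > self.points_per_window:
            return False, cost
        self.spent[client] = used + cost
        return True, cost

# Constructed sample queries as selection trees: a normal page of photos, and a
# query that loops through the circular reference with a large page size.
BENIGN = [Field("album", selections=[
    Field("title"), Field("photos", first=10, selections=[Field("url")])])]
NESTED = [Field("album", selections=[Field("photos", first=100, selections=[
    Field("album", selections=[Field("photos", first=100, selections=[
        Field("url")])])])])]
```

With a budget of 5000 points per window and a per-query cap of 1000, `BENIGN` costs 22 points and is admitted, while `NESTED` costs 20201 and is refused outright.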
