Protecting Your GraphQL API From Security Vulnerabilities

Tom Nagle
Published in The Startup · 4 min read · Dec 5, 2019

GraphQL is quickly becoming the tool of choice for developers who need to build an API for their client application. But like all new technologies, GraphQL comes with its own threat landscape. Whether you’re building a side project or a large-scale enterprise application, you’ll need to make sure you’re protecting yourself against these GraphQL security vulnerabilities.

While the threats listed in this post are specific to GraphQL, your own implementation will introduce further threats that also have to be addressed. It’s also important that you understand the threats that put every application exposed to the internet at risk.

Threat: Large, deeply nested queries that are expensive to compute

Solution: Depth limiting

The power that GraphQL provides comes with some new security threats. The most common is deeply nested queries, which result in expensive computations and large JSON payloads that can degrade your service’s responsiveness or take it down altogether.

The right way to protect your API from this kind of attack is to limit query depth so maliciously deep queries are blocked before the result is computed.
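Depth limiting in practice, as an added example that is not code from the original post: a dependency-free JavaScript function that measures how deeply a query’s selection sets nest and rejects the query before any resolver runs. The function names, the sample queries and the limit value are assumptions; it counts braces (skipping string literals and comments) rather than walking the parsed AST, so it does not follow fragment spreads.

```javascript
// Added example (not from the original post): measure the selection-set depth
// of a raw GraphQL query string and reject it before execution when it exceeds
// a limit. Brace counting is used here so the snippet runs without the
// `graphql` package; it does not follow fragment spreads.

function queryDepth(query) {
  let depth = 0;      // current nesting level
  let maxDepth = 0;   // deepest level seen
  let i = 0;
  while (i < query.length) {
    const ch = query[i];
    if (ch === '#') {                      // skip a comment to end of line
      while (i < query.length && query[i] !== '\n') i++;
      continue;
    }
    if (ch === '"') {                      // skip a string or block string
      const block = query.startsWith('"""', i);
      i += block ? 3 : 1;
      while (i < query.length) {
        if (query[i] === '\\') { i += 2; continue; }
        if (block ? query.startsWith('"""', i) : query[i] === '"') { i += block ? 3 : 1; break; }
        i++;
      }
      continue;
    }
    if (ch === '{') { depth++; if (depth > maxDepth) maxDepth = depth; }
    else if (ch === '}') depth--;
    i++;
  }
  // The outermost `{` is the operation's own selection set; subtract it so
  // `query { user { name } }` reports depth 1 (one level below the root).
  return Math.max(0, maxDepth - 1);
}

function checkDepth(query, limit) {
  const d = queryDepth(query);
  if (d > limit) return { ok: false, depth: d, error: `Query depth ${d} exceeds limit ${limit}` };
  return { ok: true, depth: d };
}

// Constructed samples: a self-referential friends query nested five levels,
// and a shallow query that should pass.
const deepQuery = `
  query { me { friends { friends { friends { friends { name } } } } } }
`;
const shallowQuery = `query { me { name } }`;
```

Production servers usually apply the same check as a validation rule over the parsed document (Apollo Server exposes a `validationRules` option for this), which also handles fragments correctly.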


I am a full stack JavaScript developer, living in Melbourne, Australia. My preferred stack is Mongoose, TypeScript, Node.js, React & GraphQL.