Security in a GraphQL service

Auth: Authentication & authorization.
Operation safe-listing.
- Or alternatively:
  - Depth-limiting.
  - Breadth-limiting.
  - Alias limits.
  - Cycle rejection.
  - Cost analysis.
Execution timeouts.

Cross Site Request Forgery -- CSRF

Client must:
- Send operations via GET.
- Multipart upload requests must include Apollo-Require-Preflight.

Cross-Origin Resource Sharing -- CORS

An extra layer of protection.
An HTTP-header-based protocol that enables a server to dictate:
- Which origins can access its resources.
- Which types of HTTP requests are allowed.
# Same-origin policy (SOP):
- A security mechanism.
- Restricts scripts on one origin from interacting with resources from another origin.
If two URLs differ in their domain, protocol, or port, then those URLs come from two different origins.

Tip

CORS is a new protocol to relax SOP and safely share resources across different origins.
Related to browser security: cannot prevent other softwares from making requests for resources on the server. Like cURL that can by pass the CORS configurations.
Learn how to implement it in AWS, ExpressJS, and with GitHub self-hosted runners here.

Denial of Service attack

Protect your GraphQL servers against resource exhaustion and DoS attacks.
- Reject queries to your GraphQL server that are deemed too costly to execute.
- Learn more here.
To do this we need to perform analysis the cost of executing a query.
There are tools that can help us to do this:
- graphql-query-complexity.

It is directly related to your GraphQL schema design:

If you can send the following query to your GraphQL service:

query {
  getPosts {
    id
    author {
      posts {
        id
        author {
          posts {
            id
            author {
              posts {
                id
                author {
                  id
                }
              }
            }
          }
        }
      }
    }
  }
}

And let's assume like in our example you're using a tool like join-monster which will convert your query into this SQL:

SELECT
    "getPosts"."id" AS "id",
    "author"."id" AS "author__id",
    "posts"."id" AS "author__posts__id",
    "author$"."id" AS "author__posts__author$__id",
    "posts$"."id" AS "author__posts__author$__posts$__id",
    "author$$"."id" AS "author__posts__author$__posts$__author$$__id",
    "posts$$"."id" AS "author__posts__author$__posts$__author$$__posts$$__id",
    "author$$$"."id" AS "author__posts__author$__posts$__author$$__posts$$__author$$$__id"
FROM post "getPosts"
LEFT JOIN public.user "author" ON "author".id = "getPosts"."authorId"
LEFT JOIN post "posts" ON "author".id = "posts"."authorId"
LEFT JOIN public.user "author$" ON "author$".id = "posts"."authorId"
LEFT JOIN post "posts$" ON "author$".id = "posts$"."authorId"
LEFT JOIN public.user "author$$" ON "author$$".id = "posts$"."authorId"
LEFT JOIN post "posts$$" ON "author$$".id = "posts$$"."authorId"
LEFT JOIN public.user "author$$$" ON "author$$$".id = "posts$$"."authorId"

Note

A couple of notes:

The project for this can be found here: apps/dos-attack-example.
- To learn how to run it read this doc.
And this query on my local system took a long time so I just killed my project and never bother to see if this actually can return any result.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security

docs/security.md

Security in a GraphQL service

Cross Site Request Forgery -- CSRF

Cross-Origin Resource Sharing -- CORS

Denial of Service attack

There aren’t any published security advisories

Security: kasir-barati/graphql-js-ts

Security

docs/security.md

Security in a GraphQL service

Cross Site Request Forgery -- CSRF

Cross-Origin Resource Sharing -- CORS

Denial of Service attack

There aren’t any published security advisories