graphQLProtection

Checks GraphQL-over-HTTP requests, enforcing several limits and restrictions on the submitted document. This helps to reduce the attack surface of the GraphQL endpoint behind the gateway.

The GraphQL Specification "October2021" is used. (The GraphQL specification itself only covers the formulation of documents/queries.)

GraphQL-over-HTTP, which specifies how to submit GraphQL queries via HTTP, has not been released/finalized yet. We therefore use version a1e6d8ca of the draft.

Only GraphQL documents conforming to the 'ExecutableDocument' production of the grammar are allowed. This includes the usual 'query', 'mutation' and 'subscription' operations as well as 'fragment' definitions.

Can be used in:

serviceProxy, api, for, choose, stompProxy, if, registration, wsStompReassembler, internal, interceptor, bean, transport and soapProxy


Attributes

Name            | Required | Default   | Description                                                                 | Example
maxDepth        | false    | 7         | How deep queries can be nested.                                             | -
maxMutations    | false    | 5         | How many mutations may be defined in one document.                          | 2
allowExtensions | false    | false     | Whether to allow GraphQL "extensions".                                      | true
maxRecursion    | false    | 3         | How deep recursive parts of queries can be nested.                          | -
allowedMethods  | false    | GET, POST | Which HTTP methods to allow. Note that per the GraphQL-over-HTTP spec,      | -
                |          |           | POST is required for mutation or subscription operations.                   |