How to Guides

Secure your GraphQL API with Zuplo

Secure your GraphQL API with Zuplo

GraphQL is a powerful query language for your APIs. While it offers great flexibility for clients, it also exposes potential security risks. Fortunately, with Zuplo, you can secure your GraphQL API by implementing various policies. This article walks you through our security policies: GraphQL Complexity Limit, and GraphQL Disable Introspection.

1. Understanding the Risks

a. Deeply Nested Queries

Without restrictions, a client can send deeply nested queries that could potentially overwhelm your server, resulting in a Denial of Service (DoS) attack. This is because deeply nested queries can cause the server to process a huge amount of data and operations. While this might be a planed attack, it could also be a mistake by a client who is unaware of the query depth limit.

b. Query Complexity

Even without deep nesting, a query can be crafted to be very complex. This could force your server to execute resource-intensive operations, potentially slowing down the system or causing a DoS.

c. Introspection

GraphQL allows clients to introspect your schema. While this is beneficial during development, it can expose detailed schema information to potential attackers in production.

2. Add your GraphQL API & setting up Policies

Setup POST endpoint

If you didn't already do so, you need to setup a POST endpoint in your API. This endpoint will be used to send the GraphQL queries to your API. We'll use the urlRewriteHandler to rewrite the request to your GraphQL API. For this example let's assume your GraphQL API is hosted at https://api.example.com/graphql.

To do so, add the following to your config/routes.oas.json

{
  "post": {
    "summary": "GraphQL Query",
    "description": "The endpoint for GraphQL queries.",
    "x-zuplo-route": {
      "corsPolicy": "none",
      "handler": {
        "export": "urlRewriteHandler",
        "module": "$import(@zuplo/runtime)",
        "options": {
          "rewritePattern": "https://api.example.com/graphql"
        }
      },
      "policies": {
        "inbound": [
          "graphql-complexity-limit-policy",
          "graphql-disable-introspection-policy"
        ]
      }
    },
    "operationId": "52bdf225-eaa7-441c-afb9-b7df046a142e"
  }
}
json

For all the risks mentioned above, Zuplo offers policies that can be configured to protect your GraphQL API. These policies can be configured for Zuplo. We'll create the configuration for the three policies graphql-depth-limit, graphql-complexity-points and graphql-disable-introspection-policy next.

a. GraphQL Depth Limit

This policy limits how deep a query can be nested. Check our detailed policy documentation for more information.

Add this into your config/policies.json

{
  "policies": [
    {
      "name": "graphql-complexity-limit-policy",
      "policyType": "graphql-complexity-limit-inbound",
      "handler": {
        "export": "GraphQLComplexityLimitInboundPolicy",
        "module": "$import(@zuplo/graphql)",
        "options": {
          "useDepthLimit": {
            "depthLimit": 20
          }
        }
      }
    }
  ]
}
json

By limiting the query depth, you prevent malicious or mistakenly deep queries from consuming excessive server resources.

b. GraphQL Complexity Limit

We can extend the same policy to also check for compexity. By defining a max for each type of operation, and then it limits the total complexity a query can have. In order to use the Complexity Limit you need to allow introspection in your GraphQL API.

{
  "policies": [
    {
      "name": "graphql-complexity-limit-policy",
      "policyType": "graphql-complexity-limit-inbound",
      "handler": {
        "export": "GraphQLComplexityLimitInboundPolicy",
        "module": "$import(@zuplo/graphql)",
        "options": {
          "useDepthLimit": {
            "depthLimit": 20
          },
          "useComplexityLimit": {
            "complexityLimit": 50,
            "endpointUrl": "https://api.example.com/graphql"
          }
        }
      }
    }
  ]
}
json

The complexity limit ensures that a potential attacker can't overload the system by sending overly complicated queries.

c. GraphQL Disable Introspection

Disable introspection in production environments to hide schema details.

{
  "policies": [
    {
      "name": "graphql-disable-introspection-policy",
      "policyType": "graphql-disable-introspection-inbound",
      "handler": {
        "export": "GraphQLDisableIntrospectionInboundPolicy",
        "module": "$import(@zuplo/graphql)",
        "options": {}
      }
    }
  ]
}
json

By disabling introspection in production, you prevent attackers from gaining insights into your GraphQL schema, thereby reducing potential attack vectors.

4. Example Repository

For those who prefer a hands-on approach or wish to see these configurations in action, we've created a GitHub repository with everything set up. This repository offers a comprehensive example of how to configure and secure a GraphQL API using Zuplo. Check out the GraphQL API with Zuplo example repository to dive deeper.