GraphQL Vulnerabilities Explained


TL;DR

GraphQL has unique security concerns. Disable introspection in production, limit query depth and complexity, implement proper field-level authorization, and be careful with batching. Unlike REST, GraphQL exposes your entire schema by default and allows clients to request exactly what they want, which creates new attack surfaces.

Common GraphQL Security Issues

1. Introspection Enabled in Production

Introspection lets anyone query your entire schema, revealing all types, fields, and relationships.

Disable introspection
// Apollo Server
const server = new ApolloServer({
  typeDefs,
  resolvers,
  introspection: process.env.NODE_ENV !== 'production'
});

2. Deep/Nested Queries (DoS)

Malicious nested query
# Attacker creates deeply nested query
query {
  user(id: 1) {
    friends {
      friends {
        friends {
          friends {
            friends { # ... continues 100 levels deep
            }
          }
        }
      }
    }
  }
}

3. Batching Attacks

Batched brute force
# Send 1000 login attempts in one request
query {
  a: login(email: "user@x.com", pass: "pass1") { token }
  b: login(email: "user@x.com", pass: "pass2") { token }
  c: login(email: "user@x.com", pass: "pass3") { token }
  # ... 997 more attempts
}

How to Secure GraphQL

  • Disable introspection in production environments
  • Limit query depth using graphql-depth-limit
  • Limit query complexity based on field costs
  • Rate limit by query complexity, not just requests
  • Authorize at field level, not just query level
  • Limit batching or apply rate limits per operation
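The depth and batching limits above can be enforced before a request reaches any resolver. The following is an added example, not code from the original article or from graphql-depth-limit: a self-contained pre-validation pass over the raw query text that measures selection-set depth and counts root-level fields (aliased root fields are how one request batches many operations). The limit values and the sample queries are constructed for the example.

```javascript
// Assumed policy values for this example (not from the article).
const LIMITS = { maxDepth: 5, maxRootFields: 10 };
// Minimal tokenizer: names plus the punctuators {}():; string literals and
// `#` comments are skipped so braces/colons inside them are not counted.
function tokenize(src) {
  const tokens = [];
  for (let i = 0; i < src.length; ) {
    const c = src[i];
    if (c === '#') { while (i < src.length && src[i] !== '\n') i++; }
    else if (c === '"') {
      for (i++; i < src.length && src[i] !== '"'; i++) if (src[i] === '\\') i++;
      i++;
    } else if (/[A-Za-z_]/.test(c)) {
      let j = i; while (j < src.length && /\w/.test(src[j])) j++;
      tokens.push({ kind: 'name', value: src.slice(i, j) }); i = j;
    } else { if ('{}():'.includes(c)) tokens.push({ kind: c }); i++; }
  }
  return tokens;
}
// Measure selection-set depth below the operation's own braces and count
// root-level fields; a `name :` pair at root level is an alias (batching).
// Fragments and directives are not modelled: this is a pre-filter, not a parser.
function analyzeQuery(src) {
  const tokens = tokenize(src);
  let braces = 0, parens = 0, depth = 0, rootFields = 0, aliased = 0;
  for (let k = 0; k < tokens.length; k++) {
    const t = tokens[k];
    if (t.kind === '(') parens++;
    else if (t.kind === ')') parens--;
    else if (t.kind === '{') { braces++; depth = Math.max(depth, braces - 1); }
    else if (t.kind === '}') braces--;
    else if (t.kind === 'name' && braces === 1 && parens === 0) {
      rootFields++;
      if (tokens[k + 1] && tokens[k + 1].kind === ':') { aliased++; k += 2; }
    }
  }
  return { depth, rootFields, aliasedRootFields: aliased };
}
// Reject the request before any resolver runs if either limit is exceeded.
function checkLimits(src, limits = LIMITS) {
  const m = analyzeQuery(src), errors = [];
  if (m.depth > limits.maxDepth) errors.push(`depth ${m.depth} > ${limits.maxDepth}`);
  if (m.rootFields > limits.maxRootFields) errors.push(`${m.rootFields} root fields > ${limits.maxRootFields}`);
  return { ok: errors.length === 0, errors, metrics: m };
}
// Constructed sample queries mirroring the article's two attack patterns.
const NESTED = 'query { user(id: 1) { friends { friends { friends { friends { friends { id } } } } } } }';
const BATCHED = 'mutation {\n' + Array.from({ length: 12 }, (_, i) =>
  `  a${i}: login(email: "user@x.com", pass: "pass${i}") { token }`).join('\n') + '\n}';
const BENIGN = 'query { user(id: 1) { name friends { name } } }';
```

In an Apollo deployment the same checks belong in a validation rule or plugin so they run on the parsed document rather than on the raw text.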

Is GraphQL less secure than REST?

Not inherently, but it has different security concerns. A REST endpoint fixes the shape of each response, so the server decides what clients can request; GraphQL lets the client decide, so the server must impose explicit limits. Both can be secured properly.

Should I use persisted queries?

Yes, for production. With persisted queries the server accepts only pre-approved query documents, so clients cannot submit arbitrary queries. This eliminates most GraphQL-specific vulnerabilities.

Audit Your GraphQL API

Our scanner tests GraphQL endpoints for common vulnerabilities.
