---
title: GraphQL Vulnerabilities Explained
description: GraphQL APIs have unique security challenges including introspection leaks, deep queries, and batching attacks. Learn how to secure your GraphQL endpoint.
date: 2026-01-16
category: vulnerabilities
---

# GraphQL Vulnerabilities Explained

**TL;DR:** GraphQL has its own security concerns. Disable introspection in production, limit query depth and complexity, enforce authorization at the field level, and restrict batching. A REST endpoint fixes the shape and size of each response; a GraphQL endpoint exposes a single schema, lets the client choose which fields to request and how deeply to nest them, and (with introspection on) describes that schema to anyone who asks. That flexibility is the new attack surface.

## Common GraphQL Security Issues

### 1. Introspection Enabled in Production

Introspection lets anyone query your entire schema, revealing every type, field, argument and relationship, including internal or deprecated fields you never meant to advertise.

Disable introspection:

```js
// Apollo Server
const server = new ApolloServer({
  typeDefs,
  resolvers,
  introspection: process.env.NODE_ENV !== 'production'
});
```

Treat this as defense in depth rather than a fix. Field names still leak through validation errors (graphql-js answers an unknown field with a "Did you mean ...?" suggestion) and through the queries shipped in client bundles, so the schema must be safe to expose even while it is hidden.

### 2. Deep/Nested Queries (DoS)

Any schema with a cyclic relationship (a `User` has `friends`, who are `User`s) lets a client nest the same field as deeply as it likes. Every level fans out into more resolver calls and database queries, so one small request can consume unbounded CPU, memory and database time.

Malicious nested query:

```graphql
# Attacker creates deeply nested query
query {
  user(id: 1) {
    friends {
      friends {
        friends {
          friends {
            friends { # ... continues 100 levels deep
            }
          }
        }
      }
    }
  }
}
```

### 3. Batching Attacks

Aliases let a single document contain many copies of the same field with different arguments. A rate limiter that counts HTTP requests sees one request; the `login` resolver sees a thousand password guesses. Transport-level batching (an array of operations in one HTTP body) gives the attacker the same bypass.

Batched brute force:

```graphql
# Send 1000 login attempts in one request
query {
  a: login(email: "user@x.com", pass: "pass1") { token }
  b: login(email: "user@x.com", pass: "pass2") { token }
  c: login(email: "user@x.com", pass: "pass3") { token }
  # ... 997 more attempts
}
```

## How to Secure GraphQL

- **Disable introspection** in production environments
- **Limit query depth** using graphql-depth-limit
- **Limit query complexity** based on field costs
- **Rate limit** by query complexity and by operation, not just by HTTP request
- **Authorize at field level**, not just query level
- **Limit batching** (aliases per document and operations per request) or apply rate limits per operation

## FAQ

### Is GraphQL less secure than REST?

Not inherently, but it has different security concerns. In REST, each endpoint fixes what a client can request; in GraphQL those limits have to be added explicitly. Both can be secured properly.

### Should I use persisted queries?

Yes, for production APIs consumed by your own clients. Persisted queries only allow pre-approved documents, which removes the whole class of arbitrary-query attacks (introspection, deep nesting, alias batching) for those clients. They do not fix authorization bugs inside resolvers, and a public API that must accept arbitrary queries still needs the depth, complexity and batching limits above.

## Related Articles

- [IDOR](/blog/vulnerabilities/idor): Authorization issues
- [Rate Limiting](/blog/vulnerabilities/missing-rate-limiting): Prevent batching abuse
- [Data Exposure](/blog/vulnerabilities/sensitive-data-exposure): Schema information leaks

## Audit Your GraphQL API

Our scanner tests GraphQL endpoints for common vulnerabilities. [Start Free Scan](/)