GraphQL Threat Protection Policy
GraphQL has a relational structure that malicious users can exploit to overload servers with deep and cyclic queries, leading to denial-of-service (DoS) attacks. To mitigate this risk, GraphQL threat protection enforces query complexity limits based on Depth, Entries, and Operations. The GraphQL API validates these limits on each query, and any query that exceeds them is rejected with a 400 Bad Request error.
Note: The GraphQL Threat Protection policy only supports the GET and POST methods.
Timing
| On Request | On Request Content |
|---|---|
| X | |
Configuration
| Property | Required | Description | Type | Default |
|---|---|---|---|---|
| maxEntries | Yes | The maximum number of fields requested, including nesting in fragments. | Integer (no limit) | -1 |
| maxDepth | Yes | The maximum allowed nesting levels of fields, including nesting in fragments. | Integer (no limit) | -1 |
| maxQueryorMutationCount | Yes | The maximum number of allowed operations for a request. | Integer (no limit) | -1 |
HTTP Status Code
| Code | Message |
|---|---|
| 400 | Received in the following cases: Maximum entries exceeded. Maximum depth exceeded. Maximum operation exceeded. |
Example
The following is a sample GraphQL query with 14 entries and a depth of 5.
Request:

```graphql
{
  company {                    # entry 1, depth 1
    ceo {                      # entry 2, depth 2
      name                     # entry 3
      age                      # entry 4
      department {             # entry 5, depth 3
        name                   # entry 6
        employees {            # entry 7, depth 4
          id                   # entry 8
          name                 # entry 9
          position {           # entry 10, depth 5
            title              # entry 11
            salary {           # entry 12
              amount           # entry 13
              currency         # entry 14
            }
          }
        }
      }
    }
  }
}
```
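To make the counting rules above concrete, here is an added Python sketch of a limiter that tokenizes a GraphQL document and counts entries, depth and operations as the policy describes, expanding fragment spreads so that nesting inside fragments is included; it was written for this page and is not the gateway's implementation. It assumes well-formed documents, counts top-level fields as depth 1 (as in the annotated sample) and rejects a cyclic fragment spread instead of recursing forever.

```python
import re

# Constructed illustration of the policy's counting rules; this is not the gateway's own code.
TOKEN = re.compile(r'\.\.\.|[{}():]|"(?:\\.|[^"\\])*"|[@$]?[A-Za-z_]\w*|-?\d+(?:\.\d+)?|[^\s,]')
def skip_group(toks, i, open_, close):  # index just past the bracket group that opens at toks[i]
    level = 0
    while True:
        level += (toks[i] == open_) - (toks[i] == close); i += 1
        if not level: return i
def skip_extras(toks, i):  # skip '( ... )' argument lists (which may contain {}) and @directives
    while toks[i] == '(' or toks[i][0] == '@':
        i = skip_group(toks, i, '(', ')') if toks[i] == '(' else i + 1
    return i

def selection(toks, i, depth, frags, path=()):  # walk the set at toks[i] -> (entries, max_depth, next i)
    entries, deepest, i = 0, depth, i + 1
    while toks[i] != '}':
        if toks[i] == '...' and toks[i + 1] == 'on':      # inline fragment: adds no depth of its own
            e, d, i = selection(toks, skip_extras(toks, i + 3), depth, frags, path)
        elif toks[i] == '...':                            # named spread: expand it in place
            name = toks[i + 1]
            if name in path or name not in frags:         # a cyclic spread would otherwise never end
                raise ValueError(f'cyclic or unknown fragment {name}')
            e, d, _ = selection(toks, frags[name], depth, frags, path + (name,))
            i = skip_extras(toks, i + 2)
        else:                                             # field: [alias:] name [(args)] [@dir] [{...}]
            i, e, d = skip_extras(toks, i + (3 if toks[i + 1] == ':' else 1)), 1, depth
            if toks[i] == '{':
                e2, d, i = selection(toks, i, depth + 1, frags, path); e += e2
        entries, deepest = entries + e, max(deepest, d)
    return entries, deepest, i + 1

def measure(query):  # -> (entries, max_depth, operations); top-level fields count as depth 1
    toks, frags, sets, i = TOKEN.findall(re.sub(r'#[^\n]*', '', query)), {}, [], 0
    while i < len(toks):                                  # pass 1: locate every definition
        j = i
        while toks[j] != '{':                             # step over 'query Name($v: T) @dir'
            j = skip_extras(toks, j) if toks[j][0] in '(@' else j + 1
        if toks[i] == 'fragment': frags[toks[i + 1]] = j
        else: sets.append(j)
        i = skip_group(toks, j, '{', '}')
    walked = [selection(toks, j, 1, frags) for j in sets] # pass 2: walk each operation
    return sum(w[0] for w in walked), max((w[1] for w in walked), default=0), len(sets)

def check(query, max_entries=-1, max_depth=-1, max_ops=-1):  # -1 = no limit; -> (status, message)
    try: found = measure(query)
    except ValueError as err: return 400, str(err)
    for what, value, limit in zip(('entries', 'depth', 'operation'), found, (max_entries, max_depth, max_ops)):
        if limit != -1 and value > limit: return 400, f'Maximum {what} exceeded'
    return 200, 'OK'
```

`check(query, max_entries=..., max_depth=..., max_ops=...)` returns the same 400 messages the policy lists, and a query whose fragments spread each other in a cycle is also answered with 400 rather than consuming the server.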