Apollo-server: Limit query cost

Created on 30 Jan 2018 · 2 Comments · Source: apollographql/apollo-server

In #40 Jonas wrote:

We're thinking about building some DOS protection into Apollo Server, like rate-limiting, query whitelisting and timeouts. We might also write a validation rule that lets you limit the query cost (determined using schema directives), but limiting the text length of the query is probably not something we'll make a standard option.

Query whitelisting is now ~a thing with persistgraphql, but that's not 100% ideal for all use cases since it requires third-party developers using your API to register queries—which means you have to provide infrastructure to let people register queries.

It'd be amazing if one could easily limit the cost of a query via either a timeout or via some query cost calculation. :pray: Any plans to make that happen?

All 2 comments

A depth limit may also be useful, see https://github.com/stems/graphql-depth-limit/issues/3

I ended up digging deeply into this and wrote an article about my findings on the Apollo GraphQL blog: https://dev-blog.apollodata.com/securing-your-graphql-api-from-malicious-queries-16130a324a6b

TL;DR: Always use depth limiting and amount limiting, and if you have a perf sensitive public API cost analysis is also very nice. All of that can be done with apollo server and pre-existing packages.
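The three checks the thread settles on (depth limiting, amount limiting, and cost analysis) in one small analyser, as an added example that is not part of this issue or of apollo-server's code. To run offline it parses only a subset of GraphQL (named fields, integer arguments, nested selection sets) and rejects everything else, so it fails closed; a real deployment would walk the AST that graphql-js hands to a validation rule instead. The limit values, the `first`/`last`/`limit` argument names and the sample queries are assumptions made for the example.

```javascript
'use strict';

// Placeholder limits for this example; tune them per schema and per client.
const DEFAULT_LIMITS = { maxDepth: 5, maxAmount: 100, maxCost: 1000 };

// Arguments treated as "how many list items": assumed names, not a GraphQL rule.
const LIST_ARGS = ['first', 'last', 'limit'];

// Tokenise a subset of GraphQL: names, integers, comments and { } ( ) : .
// Anything else (variables, strings, fragments, directives) is rejected so the
// analyser fails closed instead of silently under-counting.
function tokenize(query) {
  const re = /\s+|,|#[^\n]*|([_A-Za-z][_0-9A-Za-z]*)|(-?\d+)|([{}():])/y;
  const tokens = [];
  let pos = 0;
  while (pos < query.length) {
    re.lastIndex = pos;
    const m = re.exec(query);
    if (!m) throw new Error(`unsupported character '${query[pos]}' at offset ${pos}`);
    pos = re.lastIndex;
    if (m[1] !== undefined) tokens.push({ type: 'name', value: m[1] });
    else if (m[2] !== undefined) tokens.push({ type: 'int', value: parseInt(m[2], 10) });
    else if (m[3] !== undefined) tokens.push({ type: 'punct', value: m[3] });
  }
  return tokens;
}

// Parse into a tree of { name, args, children }; only integer args are kept.
function parse(query) {
  const tokens = tokenize(query);
  let i = 0;
  const peek = () => tokens[i];
  const isPunct = (v) => peek() !== undefined && peek().type === 'punct' && peek().value === v;
  const expect = (type, value) => {
    const t = tokens[i++];
    if (!t || t.type !== type || (value !== undefined && t.value !== value)) {
      throw new Error(`expected ${value !== undefined ? value : type} at token ${i - 1}`);
    }
    return t;
  };
  function selectionSet() {
    expect('punct', '{');
    const fields = [];
    while (!isPunct('}')) fields.push(field());
    expect('punct', '}');
    if (fields.length === 0) throw new Error('empty selection set');
    return fields;
  }
  function field() {
    const name = expect('name').value;
    const args = {};
    if (isPunct('(')) {
      i++;
      while (!isPunct(')')) {
        const key = expect('name').value;
        expect('punct', ':');
        args[key] = expect('int').value;
      }
      i++;
    }
    const children = isPunct('{') ? selectionSet() : [];
    return { name, args, children };
  }
  // Optional operation header: `query Name` / `mutation Name`.
  if (peek() && peek().type === 'name' && ['query', 'mutation'].includes(peek().value)) {
    i++;
    if (peek() && peek().type === 'name') i++;
  }
  const root = selectionSet();
  if (i !== tokens.length) throw new Error('trailing input after selection set');
  return root;
}

// Walk the tree once, tracking nesting depth, the largest list argument, and a
// cost where each field is charged the product of every enclosing list
// argument (so 100 posts x 100 authors x 100 posts is charged ~10^6, not 300).
function analyze(selections, limits = DEFAULT_LIMITS) {
  let depth = 0;
  let amount = 0;
  let cost = 0;
  const walk = (fields, level, multiplier) => {
    depth = Math.max(depth, level);
    for (const f of fields) {
      const size = LIST_ARGS.map((k) => f.args[k]).find((v) => v !== undefined);
      if (size !== undefined && size < 0) throw new Error(`negative list argument on ${f.name}`);
      if (size !== undefined) amount = Math.max(amount, size);
      cost += multiplier;
      if (f.children.length > 0) walk(f.children, level + 1, multiplier * (size !== undefined ? size : 1));
    }
  };
  walk(selections, 1, 1);
  const violations = [];
  if (depth > limits.maxDepth) violations.push(`depth ${depth} > ${limits.maxDepth}`);
  if (amount > limits.maxAmount) violations.push(`amount ${amount} > ${limits.maxAmount}`);
  if (cost > limits.maxCost) violations.push(`cost ${cost} > ${limits.maxCost}`);
  return { depth, amount, cost, violations, ok: violations.length === 0 };
}

// Constructed sample queries (not from the issue): one benign, one deeply
// nested fan-out, one single huge page.
const BENIGN_QUERY = `query Feed {
  me { posts(first: 10) { title comments(first: 5) { body } } }
}`;
const NESTED_QUERY = `{ posts(first: 100) { author { posts(first: 100) { author {
  posts(first: 100) { title } } } } } }`;
const WIDE_QUERY = '{ posts(first: 5000) { title } }';

for (const [label, q] of Object.entries({ BENIGN_QUERY, NESTED_QUERY, WIDE_QUERY })) {
  const r = analyze(parse(q));
  console.log(label, r.ok ? 'accepted' : `rejected: ${r.violations.join('; ')}`, r);
}
```

Run with `node` and the benign query is accepted (depth 4, cost 72), while the nested one is rejected on both depth and cost and the wide one on amount and cost. The multiplicative cost is the part a plain depth limit misses: every level is within a sane page size, yet the total work grows geometrically. A query using variables (`first: $n`) is rejected by the tokenizer, which is the right default for a checker that cannot see the variable values; a production rule should resolve variables before costing.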
