Apollo-server: Avoiding PII upload to the Cloud
Apollo Engine Proxy has a noTraceVariables option that allows all request variables to be stripped, yet Apollo Server doesn't seem to have the same option. Given that Engine Proxy is now deprecated, is there another way to reliably prevent PII upload to the cloud nowadays?
If not, and if this has to be added anew, then in this comment @pcarrier offered up a particularly neat suggestion of blocking variables by type, which for PII prevention would be as simple as blocking the String type -- or a PIIString scalar for those wanting finer grained control.
Thanks for your consideration!
dchambers
All 3 comments
Apollo Server has long had the privateVariables option which has allowed skipping transmission of particular, enumerated variables which are intended to be private. That wasn't quite as flexible as it could have been, but as of Apollo Server 2.7.0 (currently in alpha and tracked on #2937 鈥斅燺please_ try it out!), this story has substantially improved thanks to @helenwh's https://github.com/apollographql/apollo-server/pull/2931, which supports a sendVariableValues option.
I suspect this will offering resolve your concern. Please try the new alpha, explore this option, and if you're still struggling to find a solution after that, please feel free to open a thread in the Apollo Server channel of Apollo's Spectrum.chat.
abernix
on 5 Jul 2019
Oh, it's worth noting that the _default_ behavior has been changed to avoid shipping personally identifiable information (PII) which might be stored in variables, rather than block-listing those when desired, as was previously necessary.
abernix
on 5 Jul 2019
Wow, thanks @abernix, that response really was an unexpected surprise!
dchambers
on 5 Jul 2019
Related issues
Magneticmagnum
路
3Comments
bryanerayner
路
3Comments
jpcbarros
路
3Comments
nevyn-lookback
路
3Comments
dupski
路
3Comments
Most helpful comment
Wow, thanks @abernix, that response really was an unexpected surprise!