Skip to content

README.md

Latest commit

 

History

History
37 lines (28 loc) · 1.35 KB

README.md

File metadata and controls

37 lines (28 loc) · 1.35 KB

Validation - GraphQL

Check GraphQL-over-HTTP requests, enforcing several limits and restrictions to mitigate the attack surface of GraphQL APIs.

Running the Example

  1. Navigate to the examples/graphql/graphql-validation directory in a terminal.
  2. Start the API Gateway by executing membrane.sh (Linux/Mac) or membrane.cmd (Windows).
  3. Query the protected API by opening the requests.http file in VS Code or IntelliJ IDEA to execute the querries.

How it works

Let's examine the proxies.xml file.

<router>
  <api port="2000">
    <request>
      <graphQLProtection maxRecursion="2" />
    </request>
    <target url="https://www.predic8.de/fruit-shop-graphql" />
  </api>
</router>

We define an <api> component with the graphQLProtection plugin inside, running on port 2000 and routing to Fruit Shop GraphQL.
We validate requests only; using the default configuration of the plugin (except for recursion):

  • Don't allow GraphQL extensions.
  • Only allow queries over HTTP methods GET and POST.
  • Max recursion depth of 2 (so it catches before nesting depth in this example).
  • Max nesting depth of 7.
  • Maximum number of mutations in a query of 5.

See: