Security considerations with GraphQL
In this lesson, you learn about some of GraphQL's pitfalls and how to avoid them. We cover rate-limiting, abusive queries, authentication, and more.
Introduction
When people first hear about GraphQL, it is often from an enthusiastic front-end developer who is talking about getting all the data you need in a single query.
This is convenient, but it also makes a lot of people wonder whether it is such a good idea. What if somebody asks for sensitive data? Can a client just get whatever it wants from the server?
As you have seen in previous lessons, that is not the case. Just as with a REST API, you only expose data intentionally. So you may have a supersecretdata type, but it is up to you whether to make it publicly accessible or not.
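To make the "you only expose data intentionally" point concrete, here is an added example (not code from the lesson) of the mechanism a GraphQL server relies on: a field can only be selected if the schema declares it, and only declared fields have resolvers. It uses a dependency-free, deliberately minimal execution loop instead of graphql-js, and the in-memory db record, the supersecretdata field and the User type are all constructed for illustration.

```javascript
// Constructed sample data: the backing store holds a sensitive field that the
// public API is never meant to return.
const db = {
  users: [
    { id: "1", name: "alice", email: "alice@example.com", supersecretdata: "hunter2" },
  ],
};

// Public schema (hypothetical): the only fields a client may select on each type.
// supersecretdata is intentionally absent from User, so no query can reach it.
const schema = {
  Query: {
    user: { type: "User" },
  },
  User: {
    id: { type: "ID" },
    name: { type: "String" },
    email: { type: "String" },
  },
};

// Resolvers exist only for declared fields; the sensitive column has none.
const resolvers = {
  Query: {
    user: (_parent, args) => db.users.find((u) => u.id === args.id) || null,
  },
  User: {
    id: (u) => u.id,
    name: (u) => u.name,
    email: (u) => u.email,
  },
};

// Execute a selection set shaped as { fieldName: { args, select } } against
// typeName. Any field not declared in the schema is rejected before any
// resolver runs, which is exactly what a real GraphQL validator does.
function execute(typeName, selection, parent = null) {
  const result = {};
  for (const [field, spec] of Object.entries(selection)) {
    const fieldDef = schema[typeName] && schema[typeName][field];
    if (!fieldDef) {
      throw new Error(`Cannot query field "${field}" on type "${typeName}"`);
    }
    const value = resolvers[typeName][field](parent, spec.args || {});
    result[field] =
      spec.select && value !== null
        ? execute(fieldDef.type, spec.select, value)
        : value;
  }
  return result;
}

// Returns true when a query is rejected by schema validation, false when it runs.
function isRejected(selection) {
  try {
    execute("Query", selection);
    return false;
  } catch (e) {
    return true;
  }
}

// Demo: a permitted selection succeeds, a selection of the hidden field fails.
console.log(
  JSON.stringify(execute("Query", { user: { args: { id: "1" }, select: { name: {}, email: {} } } }))
);
console.log(isRejected({ user: { args: { id: "1" }, select: { supersecretdata: {} } } }));
```

The security property is structural: the sensitive field is unreachable because it is not in the schema, not because a resolver checks for it. Keeping the schema the single source of truth for what is exposed is what makes an audit of "what can a client read?" tractable.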
With that said, there are things you should be aware of with GraphQL, and we will do a quick tour of them here.
Rate limiting
In a typical REST scenario, you might want to restrict how many times a user can ‘hit’ (access) your resources before you start responding to their requests less and less often, for example by backing off exponentially. This is ...
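The throttling behaviour sketched above, written out as an added example (not the lesson's own code): a per-client fixed-window limiter that, once a client exceeds its allowance, blocks it for a penalty that doubles with every repeat violation. The limit, window, penalty, clientId values and the injected timestamps are all assumptions chosen for the demo; a GraphQL server would run this check once per incoming request, before any resolver executes.

```javascript
// Per-client fixed-window rate limiter with exponential back-off (hypothetical design).
class RateLimiter {
  constructor({ limit, windowMs, basePenaltyMs }) {
    this.limit = limit;               // requests allowed per window
    this.windowMs = windowMs;         // window length in milliseconds
    this.basePenaltyMs = basePenaltyMs; // first block duration; doubles per strike
    this.clients = new Map();         // clientId -> { windowStart, count, strikes, blockedUntil }
  }

  // Returns { allowed, retryAfterMs }. `now` is injected so the logic is testable.
  check(clientId, now) {
    let state = this.clients.get(clientId);
    if (!state) {
      state = { windowStart: now, count: 0, strikes: 0, blockedUntil: 0 };
      this.clients.set(clientId, state);
    }

    // Still serving a penalty: refuse without touching the counters.
    if (now < state.blockedUntil) {
      return { allowed: false, retryAfterMs: state.blockedUntil - now };
    }

    // Start a fresh window once the previous one has elapsed.
    if (now - state.windowStart >= this.windowMs) {
      state.windowStart = now;
      state.count = 0;
    }

    state.count += 1;
    if (state.count > this.limit) {
      // Over the allowance: each strike doubles the block duration.
      state.strikes += 1;
      const penalty = this.basePenaltyMs * 2 ** (state.strikes - 1);
      state.blockedUntil = now + penalty;
      return { allowed: false, retryAfterMs: penalty };
    }
    return { allowed: true, retryAfterMs: 0 };
  }
}

// Simulate one client hammering the API; returns the sequence of decisions.
function simulate() {
  const limiter = new RateLimiter({ limit: 3, windowMs: 1000, basePenaltyMs: 1000 });
  const timestamps = [0, 1, 2, 3, 500, 1003, 1004, 1005, 1006]; // constructed, in ms
  return timestamps.map((t) => limiter.check("client-A", t));
}

console.log(simulate().map((r) => (r.allowed ? "ok" : `blocked ${r.retryAfterMs}ms`)).join(", "));
```

Strikes are never forgiven in this sketch, so a persistently abusive client is locked out for longer and longer; a production limiter would decay strikes after a quiet period and key on something harder to rotate than a bare IP address. Note also that this counts requests, not cost: a single GraphQL query can be far more expensive than another, which is why request-count limiting alone is not enough for GraphQL.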