Dead-simple, yet highly customizable security middleware for Apollo GraphQL servers
GraphQL Armor ?️
This project is young so there might be bugs but we are very reactive so feel free to open issues.
GraphQL Armor is a Dead-simple, yet highly customizable security middleware for Apollo GraphQL servers.
Supported remediations
Installation
# npm
npm install @escape.tech/graphql-armor
# yarn
yarn add @escape.tech/graphql-armor
Getting Started
import { ApolloArmor } from '@escape.tech/graphql-armor';
const armor = new ApolloArmor({
// Config opts
});
const server = new ApolloServer({
typeDefs,
resolvers,
// This will add a `validationRules` and a `plugins` property to the configuration object
...armor.protect()
});
// If you want to enhance an already existing plugins or validation rules list
const enhancements = armor.protect()
const server = new ApolloServer({
typeDefs,
resolvers,
plugins: [...myPlugins, ...enhancements.plugins]
validationRules: [...myValidationRules, ...enhancements.validationRules]
});
Getting Started with Configuration
GraphQL-Armor is fully configurable, scoped per plugin.
View the Per plugin remediation section for more information.
Refer to the Examples directory for specific implementation.
import { ApolloArmor } from '@escape.tech/graphql-armor';
const armor = new ApolloArmor({
costAnalysis: {
enabled: true,
options: {
maxCost: 1000,
},
}
});
Per plugin remediation
This section describes how to configure each plugin individually.
Stacktraces
Stacktraces are managed by the configuration parameter debug defaulting to true in Apollo. GraphQLArmor changes this default value to false.
For rolling back to Apollo’s default parameter, you can use the following code:
import { ApolloArmor } from '@escape.tech/graphql-armor';
const armor = new ApolloArmor();
const server = new ApolloServer({
typeDefs,
resolvers,
...armor.protect(),
debug: true // Ignore Armor's recommandations
});
Batched queries
Stacktraces are managed by the configuration parameter debug defaulting to true in Apollo. GraphQLArmor changes this default value to false.
For rolling back to Apollo’s default parameter, you can use the following code:
import { ApolloArmor } from '@escape.tech/graphql-armor';
const armor = new ApolloArmor();
const server = new ApolloServer({
typeDefs,
resolvers,
...armor.protect(),
allowBatchedHttpRequests: true // Ignore Armor's recommandations
});
Character Limit
The Character Limit plugin will enforce a character limit on your GraphQL queries.
(Note: The limit is not applied to the whole HTTP body -, multipart form data/file upload will still works)
import { ApolloArmor } from '@escape.tech/graphql-armor';
const armor = new ApolloArmor({
characterLimit: {
enabled: true,
options: {
maxLength: 15000, // Default: 15000
},
}
});
Cost Analysis
The Cost Analysis plugin analyzes incoming GraphQL queries and apply cost analysis algorithm to prevent resource overload.
import { ApolloArmor } from '@escape.tech/graphql-armor';
const armor = new ApolloArmor({
costAnalysis: {
enabled: true,
options: {
maxCost: 5000, // Default: 5000
defaultComplexity: 1, // Default: 1 | Complexity of GQL token
maxDepth: 6, // Default: 6
maxAlias: 15, // Default: 15
maxDirectives: 50, // Default: 50
},
}
});
Field Suggestion
The Field Suggestion plugin will prevent suggesting fields of unprecise GraphQL queries.
import { ApolloArmor } from '@escape.tech/graphql-armor';
const armor = new ApolloArmor({
blockFieldSuggestion: {
enabled: true,
}
});
Contributing
Ensure you have read the Contributing Guide before contributing.
To setup your project, make sure you run the install-dev.sh script.
git clone git@github.com:Escape-Technologies/graphql-armor.git
cd graphql-armor
chmod +x ./install-dev.sh
./install-dev.sh
We are using yarn as our package manager. We do use the workspaces monorepo setup. Please read the associated documentation and feel free to open issues if you encounter problems when developing on our project!