Use GraphQL Armor with Strapi

Because GraphQL is a query language, it lets clients submit a far wider range of inputs than a traditional REST API does.
As a result, GraphQL APIs are inherently exposed to a number of security risks. These risks can be reduced by taking appropriate precautions; neglecting them can leave the API open to problems such as credential leakage or denial-of-service attacks.

In addition to built-in security precautions mentioned in the official Strapi GraphQL plugin documentation, you can use GraphQL Armor and other tools developed by Escape that are described in this guide.

Install and configure GraphQL Armor

GraphQL Armor is a GraphQL middleware that protects your GraphQL API from malicious queries. Installing GraphQL Armor blocks the most common attacks out of the box.

Install GraphQL Armor

Run npm install @escape.tech/graphql-armor or yarn add @escape.tech/graphql-armor to install GraphQL Armor in your project.

Configure GraphQL Armor

Here is an example config/plugins.js configuration file that protects your GraphQL API:

const armor = require('@escape.tech/graphql-armor');
const ApolloArmor = new armor.ApolloArmor();
module.exports = {
  graphql: {
    config: {
      apolloServer: {
        introspection: false,     // <-- your custom configuration
        ...ApolloArmor.protect()  // <-- add armor protection
      },
    },
  },
};

If you already have some plugins or validation rules, proceed this way:

const armor = require('@escape.tech/graphql-armor');
const ApolloArmor = new armor.ApolloArmor();
const protection = ApolloArmor.protect(); // protect() lives on the instance, not on the module
module.exports = {
  graphql: {
    config: {
      apolloServer: {
        introspection: false,                                       // <-- your custom configuration
        ...protection,                                              // <-- add armor protection
        plugins: [...protection.plugins, myPlugin1, myPlugin2 ],    // <-- add your plugins (keep armor's)
        validationRules: [ ...protection.validationRules, myRule ], // <-- add your validation rules (keep armor's)
      },
    },
  },
};
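To make concrete what the protection object above actually enforces, here is an added example that is not part of the Strapi documentation and not GraphQL Armor's own code. It re-implements, stand-alone and with a deliberately simple tokenizer, two of the checks Armor's plugins perform (selection-set depth and alias counting), and shows the array-merge logic the second configuration relies on. The limits, sample queries and the function names (`analyzeQuery`, `checkQuery`, `mergeProtection`) are all constructed for this demo and are not Armor's API or defaults; in production, use the library itself.

```javascript
// Added example: a minimal stand-in for two GraphQL Armor checks plus the
// plugin/rule merge. Not the Strapi docs' code and not GraphQL Armor's code.

const DEMO_LIMITS = { maxDepth: 6, maxAliases: 15 }; // constructed values, not Armor's defaults

// Reduce a query document to the tokens the checks care about: braces,
// parentheses, colons and names. String literals and comments are blanked
// out first so a '{' or ':' inside them cannot skew the counts.
function tokenize(query) {
  const cleaned = query
    .replace(/"(?:\\.|[^"\\])*"/g, '""')
    .replace(/#.*$/gm, '');
  return cleaned.match(/[{}():]|[A-Za-z_][A-Za-z0-9_]*/g) || [];
}

// Measure selection-set nesting depth and the number of aliases (`alias: field`).
// Anything inside parentheses (arguments, variable definitions, directive
// arguments) is skipped, because `(id: 1)` and `($id: ID!)` are not aliases.
function analyzeQuery(query) {
  let depth = 0, maxDepth = 0, aliases = 0, parenDepth = 0;
  for (const token of tokenize(query)) {
    if (token === '(') { parenDepth++; continue; }
    if (token === ')') { parenDepth--; continue; }
    if (parenDepth > 0) continue;
    if (token === '{') { depth++; if (depth > maxDepth) maxDepth = depth; }
    else if (token === '}') depth--;
    else if (token === ':') aliases++;
  }
  return { depth: maxDepth, aliases };
}

// Apply the limits; returns { ok, reasons } so a caller can log or reject.
function checkQuery(query, limits = DEMO_LIMITS) {
  const { depth, aliases } = analyzeQuery(query);
  const reasons = [];
  if (depth > limits.maxDepth) reasons.push(`depth ${depth} exceeds ${limits.maxDepth}`);
  if (aliases > limits.maxAliases) reasons.push(`${aliases} aliases exceed ${limits.maxAliases}`);
  return { ok: reasons.length === 0, reasons };
}

// Merge a protection object ({ plugins, validationRules }) with your own
// plugins and rules. Spreading `...protection` and then writing
// `plugins: [myPlugin]` would silently replace the protective plugins;
// the arrays have to be concatenated, which is what the config above does.
function mergeProtection(protection, { plugins = [], validationRules = [] } = {}) {
  return {
    ...protection,
    plugins: [...(protection.plugins || []), ...plugins],
    validationRules: [...(protection.validationRules || []), ...validationRules],
  };
}

// Constructed sample queries: a legitimate one, a deeply nested one, and an
// alias-heavy one that multiplies the work of a single resolver.
const normalQuery = 'query($id: ID!) { user(id: $id) { name posts { title } } }';
const deepQuery = '{ a { b { c { d { e { f { g } } } } } } }';
const aliasQuery = '{ ' +
  Array.from({ length: 20 }, (_, i) => `u${i}: user(id: 1) { name }`).join(' ') +
  ' }';

for (const q of [normalQuery, deepQuery, aliasQuery]) {
  console.log(JSON.stringify(checkQuery(q)));
}
```

Running it prints one JSON line per query: the first passes, the second is rejected for depth, the third for its alias count. The real plugins additionally apply a cost limit, a directive limit, a token limit and field-suggestion blocking, so treat this as a mental model of the rejection logic rather than a replacement for it.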

Read more about GraphQL Armor in the official product’s developer documentation.

Continuous security testing

One of the best ways to stop guessing about the security of your API is to scan it every time you deploy it to a staging or production environment. Just as you run unit tests in your CI/CD pipeline, you can harden your GraphQL application before it ever reaches production.

graphql.security

graphql.security is a free, fast GraphQL security testing tool that lets you quickly assess the most common vulnerabilities in your application.

Escape

Escape is a GraphQL security SaaS platform that runs an automated pentest tool which can be integrated into your CI/CD pipeline, such as GitHub Actions or GitLab CI.

Security findings are reported back to your CI/CD platform automatically, so you can address them promptly.