GraphQL API Security: 5 things developers should know

This is a guest post for the Computer Weekly Developer Network written in full by Sandeep Devarkonda in his role as VP of customer success at Hasura. 

Hasura is known for its technology designed to enable software application developers to use it (locally, or in the cloud) and connect to new or existing databases to instantly get a production-grade GraphQL API without needing to be a GraphQL expert upfront – it saves the time associated with building, shipping and maintaining APIs.

GraphQL is a query language for APIs and a runtime for fulfilling queries with existing data – it provides a complete (and understandable) description of the data in an API, makes it easier to evolve APIs over time and enables developer tools.

Devarkonda writes as follows…

As many developers understand and as Salt Security somewhat alarmingly pointed out in December 2021, the fact that a single GraphQL API call can include multiple queries to many layers of a data graph potentially exposes end users to private information that is well beyond their needs. 

GraphQL’s ‘introspection queries’, if left unaccompanied by role-based access controls (RBAC), rate limiting, ‘allow lists’ and depth limiting (which determines how many levels of nesting a user is allowed to gather data from), can expose data and potentially lead to harm.

Security barometer

A lack of security safeguards, and the data exposed as a result, has led to the widespread belief that GraphQL APIs, which provide a single endpoint for multiple data sources, are inherently less secure than basic REST APIs, with their straightforward and purpose-based approach to fetching specific data.

In fact, nothing could be further from the truth. 

GraphQL’s capabilities, including the ability to see many layers into a data graph, need not be left unchecked and recent innovations are making it easier than ever for developers and their users to reap all of the benefits of GraphQL without any of the rumoured risks. 

Devarkonda: Let’s separate truth from fiction.

Developers are leveraging GraphQL to move their software to production faster and more securely than ever before. But, it’s important to separate truth from fiction when it comes to GraphQL security.

Here are five things you may not know, but should know and do, to ensure GraphQL security:

Use authentication & authorisation

Authentication and authorisation strategies are essential for keeping your data secure. With authentication, you can ensure only the right people have access to your data. Authorisation strategies allow you to define who can access what data and when they can access it. Both authentication and authorisation should be implemented in order to ensure maximum security of your data. 

Monitor requests closely

It’s important to monitor incoming requests closely in order to detect any potential malicious behaviour or malicious actors trying to gain access to your system or data. Monitoring requests also allows developers to identify areas of improvement in terms of performance as well as identify any vulnerabilities that may exist in your system which could be exploited by an attacker. 

Utilise validation mechanisms

Validation mechanisms, such as the operation allow lists mentioned above, are essential for ensuring only valid requests are able to make changes to or retrieve information from your system. These validation options give you the best of both worlds – the flexibility of GraphQL during development and the option to lock down your production API to only pre-authorised operations.

Implement API DoS protection 

This means building strategies to maintain API quality of service, which helps prevent attackers from launching brute-force or denial-of-service (DoS) attacks on your system. It can be done by limiting the number of requests a client can make within a given period of time, or by bounding the resources an individual request may consume (CPU, memory, execution time, etc.), either in the API layer or in the underlying data stores.
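The allow-list validation and depth-limiting controls described in the two points above, as an added example that is not Hasura's code or part of the original post: a small pre-execution guard that computes a query's selection-set nesting depth, checks an operation against an allow list of known query digests, and refuses introspection queries. The limit, function names and sample operations are assumptions chosen for illustration.

```python
# Added example, not Hasura's code: a pre-execution guard enforcing a nesting-depth
# limit, an operation allow list and introspection blocking on a GraphQL endpoint.
import hashlib
import re

MAX_DEPTH = 3  # constructed limit; tune per schema

def query_depth(query: str) -> int:
    """Count nested selection sets ({ ... }) in a GraphQL document,
    skipping braces inside string literals, block strings and comments."""
    depth = deepest = i = 0
    while i < len(query):
        if query.startswith('"""', i):  # block string
            end = query.find('"""', i + 3)
            i = len(query) if end < 0 else end + 3
            continue
        c = query[i]
        if c == '"':  # ordinary string literal, honouring backslash escapes
            i += 1
            while i < len(query) and query[i] != '"':
                i += 2 if query[i] == "\\" else 1
            i += 1
            continue
        if c == "#":  # comment runs to end of line
            end = query.find("\n", i)
            i = len(query) if end < 0 else end
            continue
        if c == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif c == "}":
            depth -= 1
        i += 1
    return deepest

def operation_digest(query: str) -> str:
    """Whitespace-insensitive SHA-256 of an operation; the allow-list key."""
    return hashlib.sha256(" ".join(query.split()).encode()).hexdigest()

def check_query(query, allow_list=None, max_depth=MAX_DEPTH, block_introspection=True):
    """Return (accepted, reason); allow_list=None skips the allow-list check (dev mode)."""
    if allow_list is not None and operation_digest(query) not in allow_list:
        return False, "operation not on allow list"
    if block_introspection and re.search(r"\b__(schema|type)\b", query):
        return False, "introspection is disabled"
    depth = query_depth(query)
    if depth > max_depth:
        return False, f"depth {depth} exceeds limit {max_depth}"
    return True, "ok"
```

In production, build the allow list from the operations your clients ship and call `check_query` before the query reaches the executor; the depth limit still applies in development, where the allow list is off.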

Utilise secure protocols

It’s important to use secure protocols such as HTTPS/TLS whenever possible for communication between client and server applications. This helps protect sensitive information being sent over the network from being intercepted by attackers. Additionally, using secure protocols also helps protect against man-in-the-middle (MITM) attacks, which could allow an attacker to gain access to confidential information being sent over the network. 

Keeping your GraphQL API secure is essential if you want it to be reliable and safe from malicious attacks. By following the best practices outlined here, you can be confident that your GraphQL API is well-protected against potential threats.