GraphQL Protect 🛡️
GraphQL Protect is a dead-simple yet highly customizable security proxy compatible with any HTTP GraphQL Server or Gateway.
This repository is inspired by the great work of the JavaScript GraphQL Armor middleware.
Features
Curious why you need these features? Check out this excellent talk on GraphQL security on YouTube.
Known limitations
GraphQL Spec Support
GraphQL Protect makes use of gqlparser to parse and validate GraphQL schemas & GraphQL requests. Gqlparser's spec support is October 2021 and select portions of the Draft. gqlparser uses graphql-js as a reference implementation, resulting in a similar level of GraphQL spec support.
If you experience any issues related to spec support, or you want to verify that the (draft spec) feature you want to use is supported, it's best to inspect the gqlparser library directly for your use case.
Response encoding
Currently, handling response encoding from the upstream is not supported. We're open to contributions :)
Installation
As Container
docker pull ghcr.io/ldebruijn/graphql-protect:latest
docker run -p 8080:8080 -v $(pwd)/protect.yml:/app/protect.yml -v $(pwd)/schema.graphql:/app/schema.graphql ghcr.io/ldebruijn/graphql-protect:latest
Make sure to port-forward the right ports for your supplied configuration.
Check out our run documentation for more concrete examples.
Source code
git clone git@github.com:ldebruijn/graphql-protect.git
Build & Test
make build
make test
Run Container
make run_container
Documentation
Check out our extensive documentation, including configuration examples, detailed descriptions of each protection feature as well as deployment configuration examples.
Configuration
We recommend configuring the binary using a YAML file: place a file called protect.yml in the same directory you run the binary from.
For all the configuration options, check out the Configuration Documentation.
Alternatively, graphql-protect can be configured using environment variables or command line arguments.
Contributing
Ensure you have read the Contributing Guide before contributing.
To set up your project, make sure you run the make dev.setup script.
git clone git@github.com:ldebruijn/graphql-protect.git
cd graphql-protect
make dev.setup